Date: Tue, 9 Apr 2013 15:00:03 GMT
Message-Id: <201304091500.r39F03lC078940@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: "Charbon, Julien"
Subject: Re: kern/172963: Kernel panic in udp_input()

The following reply was made to PR kern/172963; it has been noted by GNATS.

From: "Charbon, Julien"
To: bug-followup@FreeBSD.org
Cc: rwatson@FreeBSD.org, "De La Gueronniere, Marc"
Subject: Re: kern/172963: Kernel panic in udp_input()
Date: Tue, 09 Apr 2013 16:51:41 +0200

I confirm this issue is still reproducible in FreeBSD 8.4-BETA1. Attached is a smaller patch written by Marc to fix it.

-- Julien

Content-Disposition: attachment; filename="udp_input_panic_minimal.patch"

diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index b720364..25c741a 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -493,7 +493,14 @@ udp_input(struct mbuf *m, int off) continue; INP_RLOCK(inp); - + /* + * detached PCBs can linger in the list if + * someone holds a reference. (e.g. udp_pcblist) + */ + if (inp->inp_socket == NULL) { + INP_RUNLOCK(inp); + continue; + } /* * Handle socket delivery policy for any-source * and source-specific multicast. [RFC3678] @@ -620,6 +627,14 @@ udp_input(struct mbuf *m, int off) */ INP_RLOCK(inp); INP_INFO_RUNLOCK(&V_udbinfo); + /* + * detached PCBs can linger in the hash table if + * someone holds a reference. (e.g. udp_pcblist) + */ + if (inp->inp_socket == NULL) { + INP_RUNLOCK(inp); + goto badunlocked; + } if (inp->inp_ip_minttl && inp->inp_ip_minttl > ip->ip_ttl) { INP_RUNLOCK(inp); goto badunlocked; diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c index 22ddde4..78b4b84 100644 --- a/sys/netinet6/udp6_usrreq.c +++ b/sys/netinet6/udp6_usrreq.c
@@ -271,7 +271,13 @@ udp6_input(struct mbuf **mp, int *offp, int proto) inp->inp_fport != uh->uh_sport) continue; } - + /* + * detached PCBs can linger in the list if + * someone holds a reference. (e.g. udp_pcblist) + */ + if (inp->inp_socket == NULL) { + continue; + } /* * Handle socket delivery policy for any-source * and source-specific multicast. [RFC3678] @@ -396,6 +402,14 @@ udp6_input(struct mbuf **mp, int *offp, int proto) } INP_RLOCK(inp); INP_INFO_RUNLOCK(&V_udbinfo); + /* + * detached PCBs can linger in the hash table if + * someone holds a reference. (e.g. udp_pcblist) + */ + if (inp->inp_socket == NULL) { + INP_RUNLOCK(inp); + goto badunlocked; + } up = intoudpcb(inp); if (up->u_tun_func == NULL) { udp6_append(inp, m, off, &fromsa);
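
Review bot: In the first sys/netinet/udp_usrreq.c hunk (@@ -493), the blank line after INP_RLOCK(inp) is removed and nothing separates the new closing brace from the existing "Handle socket delivery policy" comment, so the detached-PCB check runs straight into the unrelated multicast-policy block. Keep a blank line before and after the added block, and start the new comment with a capital letter ("Detached PCBs can linger ...") to match the existing comment visible in the context lines. The lock handling itself looks balanced here: INP_RUNLOCK(inp) is called before continue.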
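
Review bot: In the second sys/netinet/udp_usrreq.c hunk (@@ -620), the new inp_socket == NULL branch exits through goto badunlocked, so a datagram that matched a detached PCB is discarded the same way as the inp_ip_minttl drop just below it, and nothing in the hunk records that this happened. Please state in the comment whether a silent drop is the intended outcome when the lookup returns a PCB with no socket, as opposed to handling the datagram as if no PCB had matched, and consider counting the event so the condition is observable on a live system.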
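
Review bot: In the first sys/netinet6/udp6_usrreq.c hunk (@@ -271), inp->inp_socket is tested with no INP_RLOCK(inp) visible before it and no INP_RUNLOCK(inp) in the branch, whereas the matching IPv4 hunk makes the same test only after INP_RLOCK(inp). If the PCB lock is not held at this point in the loop, the socket can be detached between this test and the later use of the PCB, so the check narrows the window without closing it. Either take the read lock before testing and release it before continue, as the IPv4 loop does, or repeat the test at the point where the PCB is locked for delivery. The braces around the lone continue can also be dropped.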
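
Review bot: In the second sys/netinet6/udp6_usrreq.c hunk (@@ -396), the added comment explains why a detached PCB can still be found but not what fails at this site when inp_socket is NULL, and the same check with a near-identical comment now appears at four places in the patch. Name the code being protected, which from the context is the up = intoudpcb(inp) and udp6_append(inp, m, off, &fromsa) path that follows, and keep the shared explanation in one place that the other three sites reference, so the copies cannot drift apart.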