Date:      Sat, 26 Jun 2010 17:11:13 +0200
From:      Michael Tuexen <tuexen@freebsd.org>
To:        netch@netch.kiev.ua
Cc:        rrs@freebsd.org, net@freebsd.org
Subject:   Re: SCTP panic with sctp_send()
Message-ID:  <9B01BACA-B0A6-4D89-8BE4-437002D7CE8E@freebsd.org>
In-Reply-To: <20100626130013.GA1502@netch.kiev.ua>
References:  <20100626130013.GA1502@netch.kiev.ua>

On Jun 26, 2010, at 3:00 PM, Valentin Nechayev wrote:

> Hi,
>
> FreeBSD 7.3-RELEASE i386
>
> Fatal trap 12: page fault while in kernel mode
> fault virtual address   = 0x0
> fault code              = supervisor read, page not present
> instruction pointer     = 0x20:0xc05955ca
> stack pointer           = 0x28:0xe783bb94
> frame pointer           = 0x28:0xe783bc80
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 7751 (spc)
> trap number             = 12
> panic: page fault
> Uptime: 20d6h25m18s
> Physical memory: 1910 MB
> Dumping 265 MB: 250 234 218 202 186 170 154 138 122 106 90 74 58 42 26 10
>
> (kgdb) bt
> #0  doadump () at pcpu.h:196
> #1  0xc053a730 in boot (howto=260) at /usr/BSD/src/sys/kern/kern_shutdown.c:418
> #2  0xc053a931 in panic (fmt=Variable "fmt" is not available.
> ) at /usr/BSD/src/sys/kern/kern_shutdown.c:574
> #3  0xc0762e4c in trap_fatal (frame=0xe783bb54, eva=0)
>    at /usr/BSD/src/sys/i386/i386/trap.c:950
> #4  0xc07630b0 in trap_pfault (frame=0xe783bb54, usermode=0, eva=0)
>    at /usr/BSD/src/sys/i386/i386/trap.c:863
> #5  0xc0763a92 in trap (frame=0xe783bb54)
>    at /usr/BSD/src/sys/i386/i386/trap.c:541
> #6  0xc074f81b in calltrap () at /usr/BSD/src/sys/i386/i386/exception.s:166
> #7  0xc05955ca in sctp_generic_sendmsg (td=0xcafb7d80, uap=0xe783bcfc)
>    at /usr/BSD/src/sys/kern/uipc_syscalls.c:2386
> #8  0xc0763405 in syscall (frame=0xe783bd38)
>    at /usr/BSD/src/sys/i386/i386/trap.c:1101
> #9  0xc074f880 in Xint0x80_syscall ()
>    at /usr/BSD/src/sys/i386/i386/exception.s:262
> #10 0x00000033 in ?? ()
> Previous frame inner to this frame (corrupt stack?)
>
> (kgdb) f 7
> #7  0xc05955ca in sctp_generic_sendmsg (td=0xcafb7d80, uap=0xe783bcfc)
>    at /usr/BSD/src/sys/kern/uipc_syscalls.c:2386
> 2386                    ktrsockaddr(to);
> (kgdb) p to
> $1 = (struct sockaddr *) 0x0
> (kgdb) l
> 2381            error = getsock(td->td_proc->p_fd, uap->sd, &fp, NULL);
> 2382            if (error)
> 2383                    goto sctp_bad;
> 2384    #ifdef KTRACE
> 2385            if (KTRPOINT(td, KTR_STRUCT))
> 2386                    ktrsockaddr(to);
> 2387    #endif
> 2388
> 2389            iov[0].iov_base = uap->msg;
> 2390            iov[0].iov_len = uap->mlen;
>
> As seen from the code, if uap->tolen is zero, `to' isn't initialized and remains
> NULL. This error is identical in -CURRENT.
How can the crash be reproduced? Can you provide a small test program?

Best regards
Michael
>
> It seems this zero originates from the libc code for sctp_send():
>
> ===
> #ifdef SYS_sctp_generic_sendmsg
>        struct sockaddr *to = NULL;
>
>        return (syscall(SYS_sctp_generic_sendmsg, sd,
>            data, len, to, 0, sinfo, flags));
> #else
> ===
>
> why after `to'?
>
> -netch-
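As an added illustration of the control flow netch describes (a constructed user-space model in C, not code from this thread or from FreeBSD): `resolve_to` and `ktrsockaddr_model` stand in for the kernel's getsockaddr() and ktrsockaddr() steps, the length limit and `sample_to` are constructed, and the guarded variant adds the NULL check the quoted listing lacks.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>

/* Stand-in for ktrsockaddr(): the ktrace record writer reads sa->sa_family.
 * In the kernel a NULL sa is the trap 12 in the report; here it returns -1. */
static int ktrsockaddr_model(const struct sockaddr *sa)
{
    return sa == NULL ? -1 : sa->sa_family;
}

/* Stand-in for the getsockaddr()/copyin() step (length limit is assumed).
 * tolen == 0, which libc's sctp_send() passes because the association
 * already fixes the peer, leaves *to NULL: the state frame 7 shows. */
static int resolve_to(const struct sockaddr *uto, socklen_t tolen,
                      struct sockaddr_storage *ss, struct sockaddr **to)
{
    *to = NULL;
    if (tolen == 0)
        return 0;
    if (uto == NULL || tolen > sizeof(*ss))
        return EINVAL;
    memcpy(ss, uto, tolen);         /* copyin() in the kernel */
    *to = (struct sockaddr *)ss;
    return 0;
}

/* Flow from the quoted listing: ktrace runs regardless of tolen.
 * Returns 0, an errno, or -1 where the kernel would dereference NULL. */
int sendmsg_unguarded(const struct sockaddr *uto, socklen_t tolen, int ktrace_on)
{
    struct sockaddr_storage ss; struct sockaddr *to;
    int error = resolve_to(uto, tolen, &ss, &to);
    if (error == 0 && ktrace_on && ktrsockaddr_model(to) < 0)
        return -1;                  /* tolen == 0 under ktrace: the panic */
    return error;
}

/* Hardened flow: only trace an address the caller actually supplied. */
int sendmsg_guarded(const struct sockaddr *uto, socklen_t tolen, int ktrace_on)
{
    struct sockaddr_storage ss; struct sockaddr *to;
    int error = resolve_to(uto, tolen, &ss, &to);
    if (error == 0 && ktrace_on && to != NULL)  /* the missing NULL check */
        (void)ktrsockaddr_model(to);
    return error;
}

/* Constructed sample address for exercising the non-NULL path. */
static const struct sockaddr sample_to = { .sa_family = AF_INET };
```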