Date:      Mon, 26 Jun 2006 10:38:24 +0100 (BST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Michiel Boland <michiel@boland.org>
Cc:        freebsd-current@freebsd.org
Subject:   Re: crash in tcp6_usr_accept
Message-ID:  <20060626103804.A24406@fledge.watson.org>
In-Reply-To: <Pine.GSO.4.64.0606260910000.1832@brakkenstein.nijmegen.internl.net>
References:  <Pine.GSO.4.64.0606260910000.1832@brakkenstein.nijmegen.internl.net>




On Mon, 26 Jun 2006, Michiel Boland wrote:

> Hi. I returned from holidays only to find my work machine had crashed. Looks
> like the following line is the culprit.

Indeed -- committed your patch, thanks!

Robert N M Watson
Computer Laboratory
University of Cambridge

>
> static int
> tcp6_usr_accept(struct socket *so, struct sockaddr **nam)
> {
>        [...]
>        if (so->so_state & SS_ISDISCONNECTED) {
>                error = ECONNABORTED;
>                goto out;
>        }
>        [...]
> out:
>        [...]
>        INP_UNLOCK(inp);
>
>                   ^^^ inp has not been initialized at this stage
>
>
> quick fix:
>
> --- netinet/tcp_usrreq.c.orig=09Thu Jun  8 17:28:23 2006
> +++ netinet/tcp_usrreq.c=09Mon Jun 26 10:29:00 2006
> @@ -647,10 +647,8 @@
> =09int v4 =3D 0;
> =09TCPDEBUG0;
>
> -=09if (so->so_state & SS_ISDISCONNECTED) {
> -=09=09error =3D ECONNABORTED;
> -=09=09goto out;
> -=09}
> +=09if (so->so_state & SS_ISDISCONNECTED)
> +=09=09return ECONNABORTED;
>
> =09inp =3D sotoinpcb(so);
> =09KASSERT(inp !=3D NULL, ("tcp6_usr_accept: inp =3D=3D NULL"));
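Review bot: the straight `return ECONNABORTED;` replacing the `goto out` is the right shape here, because `inp` is only assigned by the `inp = sotoinpcb(so);` line that follows the check, so no lock has been taken yet and there is nothing for the `out:` path to release; the excerpt earlier in the report shows `out:` doing more than just `INP_UNLOCK(inp)` (the elided lines before it), so the one thing to confirm is that none of that teardown is needed when the socket is already disconnected. A one-line comment above the return saying the early exit is deliberate because `inp` is not yet set would stop someone folding it back into the shared cleanup later.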
>
>
> FreeBSD 7.0-CURRENT #1: Fri Jun 16 00:19:30 CEST 2006
>    root@leefnet.office.internl.net:/usr/obj/usr/src/sys/LEEFNET
>
> Fatal trap 12: page fault while in kernel mode
> fault virtual address   = 0xa0
> fault code              = supervisor write, page not present
> instruction pointer     = 0x20:0xc0573d7e
> stack pointer           = 0x28:0xd6ec7c08
> frame pointer           = 0x28:0xd6ec7c2c
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 766 (httpd)
> trap number             = 12
> panic: page fault
> KDB: stack backtrace:
> kdb_backtrace(100,c215dd80,28,d6ec7bc8,c) at kdb_backtrace+0x29
> panic(c063640e,c0644b03,0,fffff,c226e69b) at panic+0xa8
> trap_fatal(d6ec7bc8,a0,c215dd80,0,2) at trap_fatal+0x2a6
> trap_pfault(d6ec7bc8,0,a0) at trap_pfault+0x1eb
> trap(c04b0008,c25a0028,c2150028,0,35) at trap+0x3b5
> calltrap() at calltrap+0x5
> --- trap 0xc, eip = 0xc0573d7e, esp = 0xd6ec7c08, ebp = 0xd6ec7c2c ---
> tcp6_usr_accept(c25d1bac,d6ec7c54,d6ec7c58,d6ec7c7c,c0522193) at tcp6_usr_accept+0xc2
> soaccept(c25d1bac,d6ec7c54,c25ac900,0,0) at soaccept+0x7d
> accept1(c215dd80,d6ec7d04,0,d6ec7d30,c0612946) at accept1+0x42f
> accept(c215dd80,d6ec7d04,3,206,c0670028) at accept+0x10
> syscall(3b,3b,3b,82063b0,83dc050) at syscall+0x2ee
> Xint0x80_syscall() at Xint0x80_syscall+0x1f
> --- syscall (30, FreeBSD ELF32, accept), eip = 0x283c37ff, esp = 0xbfbfec0c, ebp = 0xbfbfec38 ---
> Uptime: 7d11h16m47s
> Physical memory: 505 MB
> Dumping 127 MB: 112 96 80 64 48 32 16
>
> (kgdb) f 7
> #7  0xc0573d7e in tcp6_usr_accept (so=0xc215dd80, nam=0xd6ec7c54)
>    at atomic.h:149
> 149             __asm __volatile (
> (kgdb) info locals
> inp = (struct inpcb *) 0x0
> error = 53
> addr = {s_addr = 3256212864}
> addr6 = {__u6_addr = {__u6_addr8 = "\000\000\000\0004|ìÖ\232kNÀNé2Â",
>    __u6_addr16 = {0, 0, 31796, 55020, 27546, 49230, 59726, 49714},
>    __u6_addr32 = {0, 3605822516, 3226364826, 3258116430}}}
> port = 0
> v4 = 0
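The failure in the quoted report, an unlock on a pointer that the error path never assigned, is a pattern worth seeing in isolation. The C below is an added model written for this page, not FreeBSD code: `struct inpcb`, `struct socket`, `sotoinpcb()`, `INP_LOCK`/`INP_UNLOCK` and the `SS_ISDISCONNECTED` value are stand-ins that count lock operations instead of taking a real mutex. It shows the shape of the committed fix next to a single-exit variant that stays safe by initialising the pointer and unlocking conditionally.

```c
/* Constructed model of the tcp6_usr_accept error path discussed above.
 * Struct names, sotoinpcb() and the lock macros are stand-ins for the
 * FreeBSD kernel's, with a counter in place of a real mutex. */
#include <errno.h>
#include <stddef.h>

#define SS_ISDISCONNECTED 0x2000   /* assumed bit value; only the test matters */
struct inpcb { int lock_depth; };  /* INP_LOCK calls minus INP_UNLOCK calls */
struct socket { int so_state; struct inpcb *so_pcb; };
#define INP_LOCK(inp)   ((inp)->lock_depth++)
#define INP_UNLOCK(inp) ((inp)->lock_depth--)
static struct inpcb *sotoinpcb(struct socket *so) { return so->so_pcb; }

/* Shape of the committed fix: fail before inp is assigned, so no lock is
 * held and the shared out: cleanup is never reached with a garbage inp. */
int accept_fixed(struct socket *so)
{
    struct inpcb *inp;
    int error = 0;

    if (so->so_state & SS_ISDISCONNECTED)
        return ECONNABORTED;

    inp = sotoinpcb(so);
    INP_LOCK(inp);
    /* ... copy the peer address out while the pcb is locked ... */
    INP_UNLOCK(inp);
    return error;
}

/* Single-exit variant: initialise the pointer and make the cleanup
 * conditional, so an early goto out can never unlock something that was
 * never locked. Either shape is fine; leaving inp uninitialised is not. */
int accept_single_exit(struct socket *so)
{
    struct inpcb *inp = NULL;
    int error = 0;

    if (so->so_state & SS_ISDISCONNECTED) {
        error = ECONNABORTED;
        goto out;
    }
    inp = sotoinpcb(so);
    INP_LOCK(inp);
    /* ... */
out:
    if (inp != NULL)
        INP_UNLOCK(inp);
    return error;
}
```

Both functions return ECONNABORTED for a disconnected socket without ever touching the lock counter, and leave it balanced at zero on the success path.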


