From owner-freebsd-bugs@FreeBSD.ORG Sat Jul 29 20:30:27 2006 Return-Path: X-Original-To: freebsd-bugs@hub.freebsd.org Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4302D16A501 for ; Sat, 29 Jul 2006 20:30:27 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id E749943D45 for ; Sat, 29 Jul 2006 20:30:26 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k6TKUQn6035399 for ; Sat, 29 Jul 2006 20:30:26 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k6TKUQED035396; Sat, 29 Jul 2006 20:30:26 GMT (envelope-from gnats) Date: Sat, 29 Jul 2006 20:30:26 GMT Message-Id: <200607292030.k6TKUQED035396@freefall.freebsd.org> To: freebsd-bugs@FreeBSD.org From: Maxim Konovalov Cc: Subject: Re: kern/100940: passing file descriptor over datagram UNIX domain socket crashes kernel X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Maxim Konovalov List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Jul 2006 20:30:27 -0000 The following reply was made to PR kern/100940; it has been noted by GNATS. From: Maxim Konovalov To: Young Hyun Cc: bug-followup@freebsd.org Subject: Re: kern/100940: passing file descriptor over datagram UNIX domain socket crashes kernel Date: Sun, 30 Jul 2006 00:21:32 +0400 (MSD) Hello, [...] > >Release: FreeBSD 6.1-STABLE-200607 i386 > >Organization: > CAIDA/UCSD > >Environment: > System: FreeBSD brak.caida.org 6.1-STABLE-200607 FreeBSD > 6.1-STABLE-200607 #0: Wed Jul 26 18:32:47 PDT 2006 > root@brak.caida.org:/usr/src/sys/i386/compile/SMP i386 > > > > >Description: > > Passing file descriptors over a SOCK_DGRAM UNIX domain socket crashes > the kernel with "Fatal trap 12: page fault while in kernel mode". > This bug is probably closely related to (but not identical with) > PR kern/93914. In PR 93914, the sample code passes file descriptors > over a SOCK_STREAM socket, and it no longer causes a kernel crash under > 6.1-STABLE. My own SOCK_STREAM-based test program that crashes the 5.4 > kernel also fails to crash the 6.1 kernel. In the present case, the > kernel crashes in code specific to the handling of SOCK_DGRAM sockets > (though, of course, that doesn't exclude the possibility of the same > underlying problem behind this and PR 93914 and which somehow only got > masked for the SOCK_STREAM case in 6.1-STABLE). > > #0 doadump () at pcpu.h:165 > #1 0xc06632ca in boot (howto=260) at ../../../kern/kern_shutdown.c:409 > #2 0xc0663621 in panic (fmt=0xc08913da "%s") > at ../../../kern/kern_shutdown.c:565 > #3 0xc085bfd6 in trap_fatal (frame=0xde946b54, eva=8) > at ../../../i386/i386/trap.c:836 > #4 0xc085bcdf in trap_pfault (frame=0xde946b54, usermode=0, eva=8) > at ../../../i386/i386/trap.c:744 > #5 0xc085b8d5 in trap (frame= > {tf_fs = -1017839608, tf_es = -1014300632, tf_ds = 40, tf_edi = -1016513388, tf_esi = -1017187284, tf_ebp = -560698452, tf_isp = -560698496, tf_ebx = 0, tf_edx = 0, tf_ecx = 0, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1066768486, tf_cs = 32, tf_eflags = 66118, tf_esp = -560698440, tf_ss = -1065577831}) > at ../../../i386/i386/trap.c:434 > #6 0xc08484da in calltrap () at ../../../i386/i386/exception.s:139 > #7 0xc06a679a in uipc_send (so=0xc35ef42c, flags=0, m=0xc38f3500, > nam=0xc35474f0, control=0xc351b900, td=0xc3552900) > at ../../../kern/uipc_usrreq.c:432 > #8 0xc069dc8f in sosend (so=0xc35ef42c, addr=0xc35474f0, uio=0xde946c3c, > top=0xc38f3500, control=0xc351d600, flags=0, td=0xc3552900) > at ../../../kern/uipc_socket.c:836 > #9 0xc06a36a5 in kern_sendit (td=0xc3552900, s=3, mp=0xde946cb4, flags=0, > control=0xc351d600, segflg=UIO_USERSPACE) > at ../../../kern/uipc_syscalls.c:772 > #10 0xc06a355f in sendit (td=0xc3552900, s=3, mp=0xde946cb4, flags=0) > at ../../../kern/uipc_syscalls.c:712 > #11 0xc06a3976 in sendmsg (td=0xc3552900, uap=0xde946d04) > at ../../../kern/uipc_syscalls.c:920 > #12 0xc085c31b in syscall (frame= > {tf_fs = 671350843, tf_es = -1078001605, tf_ds = -1078001605, tf_edi = 671410632, tf_esi = -1077940984, tf_ebp = -1077941096, tf_isp = -560698012, tf_ebx = 1, tf_edx = 17, tf_ecx = 17, tf_eax = 28, tf_trapno = 32, tf_err = 2, tf_eip = 672073267, tf_cs = 51, tf_eflags = 658, tf_esp = -1077941300, tf_ss = 59}) > at ../../../i386/i386/trap.c:981 > #13 0xc084852f in Xint0x80_syscall () at ../../../i386/i386/exception.s:200 > #14 0x00000033 in ?? () > Previous frame inner to this frame (corrupt stack?) > (kgdb) up 7 > #7 0xc06a679a in uipc_send (so=0xc35ef42c, flags=0, m=0xc38f3500, > nam=0xc35474f0, control=0xc351b900, td=0xc3552900) > at ../../../kern/uipc_usrreq.c:432 > 432 so2 = unp->unp_conn->unp_socket; > (kgdb) p unp->unp_conn > $1 = (struct unpcb *) 0x0 > (kgdb) p *unp > $2 = {unp_link = {le_next = 0xc3693a64, le_prev = 0xc09a7098}, > unp_socket = 0xc35ef42c, unp_vnode = 0xc38d2660, unp_ino = 0, > unp_conn = 0x0, unp_refs = {lh_first = 0x0}, unp_reflink = {le_next = 0x0, > le_prev = 0xc36938d8}, unp_addr = 0xc3547390, unp_cc = 0, unp_mbcnt = 0, > unp_gencnt = 100, unp_flags = 0, unp_peercred = {cr_version = 0, cr_uid = 0, > cr_ngroups = 0, cr_groups = {0 }, _cr_unused1 = 0x0}} > (kgdb) > > >How-To-Repeat: > > Execute the attached sample code, and let it run for a few minutes. The > sample code is the same one supplied for PR kern/91224, except there it > caused a crash in a different part of the kernel (PR 91224 is closed). [...] While 6.1-RELEASE panics on your testcase I could not reproduce the panic on today 6.1-STABLE. Could you please upgrade your system and test? Thanks! -- Maxim Konovalov