From: Olivier Houchard
To: Craig Boston
Cc: current@freebsd.org, AIDA Shinra
Date: Wed, 21 May 2003 15:44:44 +0200
Subject: Re: Reproducable panic in in6_pcbbind
Message-ID: <20030521134444.GA764@ci0.org>
In-Reply-To: <1053524410.31600.8.camel@owen1492.uf.corelab.com>

On Wed, May 21, 2003 at 08:40:11AM -0500, Craig Boston wrote:
> > I experienced the same kgdb trace last month. I found the crashdump
> > lied about where the trap occurred. What does DDB print? If the true trap
> > point is at in6_pcbbind() in netinet6/in6_pcb.c, the problem may be
> > the same as kern/50621.
>
> This may be the same problem. It happens if I disconnect and quickly
> reconnect the ssh session (causing ssh to open a listener socket on
> ::1). I thought it might be related to TIME_WAIT, and kern/50621 seems
> to point to that as well.
>
> I do have a serial console hooked up, so as soon as I get a moment when
> I can remount everything read-only I'll try to trigger the bug and see
> what DDB says.
>
> Craig

Hi,

I had the same problem, and the attached patch should fix it, although
I'm not sure of how right it is.

Cheers, Olivier --jRHKVT23PllUwdXP Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="in6_pcb.c.diff" Index: in6_pcb.c =================================================================== RCS file: /home/ncvs/src/sys/netinet6/in6_pcb.c,v retrieving revision 1.36 diff -u -p -r1.36 in6_pcb.c --- in6_pcb.c 19 Feb 2003 22:32:42 -0000 1.36 +++ in6_pcb.c 14 May 2003 05:17:39 -0000 @@ -198,12 +198,18 @@ in6_pcbbind(inp, nam, td) t = in6_pcblookup_local(pcbinfo, &sin6->sin6_addr, lport, INPLOOKUP_WILDCARD); - if (t && + if (t && (t->inp_vflag & INP_TIMEWAIT)) { + if ((!IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr) || + !IN6_IS_ADDR_UNSPECIFIED(&t->in6p_laddr) || + !(intotw(t)->tw_so_options & SO_REUSEPORT)) + && so->so_cred->cr_uid != + intotw(t)->tw_cred->cr_uid) + return (EADDRINUSE); + } else if (t && (!IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr) || - !IN6_IS_ADDR_UNSPECIFIED(&t->in6p_laddr) || - (t->inp_socket->so_options & - SO_REUSEPORT) == 0) && - (so->so_cred->cr_uid != + !IN6_IS_ADDR_UNSPECIFIED(&t->in6p_laddr) || + (t->inp_socket->so_options & SO_REUSEPORT) + == 0) && (so->so_cred->cr_uid != t->inp_socket->so_cred->cr_uid)) return (EADDRINUSE); if ((inp->inp_flags & IN6P_IPV6_V6ONLY) == 0 && @@ -214,7 +220,17 @@ in6_pcbbind(inp, nam, td) t = in_pcblookup_local(pcbinfo, sin.sin_addr, lport, INPLOOKUP_WILDCARD); - if (t && + if (t && (t->inp_vflag & INP_TIMEWAIT)) { + if (so->so_cred->cr_uid != + intotw(t)->tw_cred->cr_uid && + (ntohl(t->inp_laddr.s_addr) != + INADDR_ANY || + ((inp->inp_vflag & + INP_IPV6PROTO) == + (t->inp_vflag & + INP_IPV6PROTO)))) + return (EADDRINUSE); + } else if (t && (so->so_cred->cr_uid != t->inp_socket->so_cred->cr_uid) && (ntohl(t->inp_laddr.s_addr) != 
@@ -226,7 +242,9 @@ in6_pcbbind(inp, nam, td) } t = in6_pcblookup_local(pcbinfo, &sin6->sin6_addr, lport, wild); - if (t && (reuseport & t->inp_socket->so_options) == 0) + if (t && (reuseport & ((t->inp_vflag & INP_TIMEWAIT) ? + intotw(t)->tw_so_options : + t->inp_socket->so_options)) == 0) return(EADDRINUSE); if ((inp->inp_flags & IN6P_IPV6_V6ONLY) == 0 && IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) { @@ -235,12 +253,19 @@ in6_pcbbind(inp, nam, td) in6_sin6_2_sin(&sin, sin6); t = in_pcblookup_local(pcbinfo, sin.sin_addr, lport, wild); - if (t && - (reuseport & t->inp_socket->so_options) - == 0 && - (ntohl(t->inp_laddr.s_addr) - != INADDR_ANY || - INP_SOCKAF(so) == + if (t && t->inp_vflag & INP_TIMEWAIT) { + if ((reuseport & + intotw(t)->tw_so_options) == 0 && + (ntohl(t->inp_laddr.s_addr) != + INADDR_ANY || ((inp->inp_vflag & + INP_IPV6PROTO) == + (t->inp_vflag & INP_IPV6PROTO)))) + return (EADDRINUSE); + } + else if (t && + (reuseport & t->inp_socket->so_options) + == 0 && (ntohl(t->inp_laddr.s_addr) != + INADDR_ANY || INP_SOCKAF(so) == INP_SOCKAF(t->inp_socket))) return (EADDRINUSE); } --jRHKVT23PllUwdXP--
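
Review bot: In the @@ -198,12 +198,18 hunk the whole uid/SO_REUSEPORT condition is written out twice, once against intotw(t)->tw_so_options and tw_cred and once against t->inp_socket, and the else branch is also re-wrapped with no functional change, which hides the real change. Select the options word and the credential once, based on (t->inp_vflag & INP_TIMEWAIT), keep a single condition, and leave the original line breaks alone. The two branches also spell the same test differently, !(... & SO_REUSEPORT) versus (... & SO_REUSEPORT) == 0; use one form.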
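
Review bot: In the @@ -214,7 +220,17 hunk the new branch dereferences intotw(t)->tw_cred->cr_uid with nothing stating that tw_cred is always set for an entry that has INP_TIMEWAIT. Please document that invariant in a comment or a KASSERT, and add a one-line comment saying why t->inp_socket is not used in this branch, so a later cleanup does not fold the two branches back together.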
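
Review bot: The three-line conditional expression inside the if in the @@ -226,7 +242,9 hunk buries the INP_TIMEWAIT selection in the middle of the test. Assign the selected options (intotw(t)->tw_so_options or t->inp_socket->so_options) to a local first and then test (reuseport & that local) == 0; the same local would let the other three sites in this patch avoid duplicating their conditions.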
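
Review bot: In the @@ -235,12 +253,19 hunk the TIME_WAIT branch replaces the INP_SOCKAF(so) == INP_SOCKAF(t->inp_socket) test with a comparison of the INP_IPV6PROTO bits of inp->inp_vflag and t->inp_vflag, with no comment explaining why the two are equivalent; please justify that in a comment or in the commit message. Two style points in the same hunk: "if (t && t->inp_vflag & INP_TIMEWAIT)" should parenthesize the bit test as the earlier hunks do, and "else if" should sit on the same line as the closing brace.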