From: Robert Watson
To: Stanislaw Halik
Cc: freebsd-stable@freebsd.org
Date: Fri, 30 Jun 2006 15:01:31 +0100 (BST)
Subject: Re: trap 12: supervisor write, page not present on 6.1-STABLE Tue May 16 2006

On Fri, 30 Jun 2006, Stanislaw Halik wrote:

>> Per my earlier e-mail, I had hoped to merge a larger set of changes from
>> HEAD that resolve the underlying problem here (that inpcb's can be detached
>> from a socket while the socket is still in use), but right now I'm
>> deferring merging those changes as they are somewhat risky (as they are
>> large). Instead, I've produced a candidate work-around patch, now attached
>> to kern/97095. This does not fix the underlying problem, but seeks to
>> narrow the window for the race to be exercised by avoiding caching a
>> volatile pointer across user memory copying, which under load can result in
>> blocking I/O. I would be quite interested in knowing if this resolves the
>> problem in practice -- if so, it's a definite short-term merge candidate to
>> reduce the symptoms of this problem until the proper fix can be merged.
>
> Unfortunately, it still happens to crash in the same code path:
>
> I'll be happy to test any other patches when they're available.

Thanks for testing the patch -- it looks like there's a more pressing logical problem in this code!
Could you try the following simpler patch:

http://www.watson.org/~robert/freebsd/netperf/ip_ctloutput.diff

The IP option code seems not to know that (in RELENG_6 and before) the pcb is discarded on disconnect, and the application is querying the TTL after a disconnect. In FreeBSD 7.x, the pcb is preserved after disconnect so this succeeds. It could be we actually need both patches, but let's try this one by itself first.

Thanks,

Robert N M Watson
Computer Laboratory
University of Cambridge

Attached:

Index: ip_output.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_output.c,v retrieving revision 1.242.2.9 diff -u -r1.242.2.9 ip_output.c --- ip_output.c 4 Jun 2006 10:19:34 -0000 1.242.2.9 +++ ip_output.c 30 Jun 2006 13:58:03 -0000 @@ -1162,6 +1162,9 @@ return (EINVAL); } + if (inp == NULL) + return (EINVAL); + switch (sopt->sopt_dir) { case SOPT_SET: switch (sopt->sopt_name) {
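
Review bot: the new inp == NULL check placed just ahead of switch (sopt->sopt_dir) has no comment saying why the pcb can be missing at this point, and it returns the same EINVAL as the check immediately above it, so a caller cannot tell a malformed option request from a socket whose pcb was discarded on disconnect. Suggest a one-line comment noting that in RELENG_6 and before the pcb goes away on disconnect, and consider a distinct errno for that case. The test is also made only once on entry, so if the SOPT_SET and SOPT_GET cases below dereference inp after copying to or from user memory, it narrows but does not close the detach race described earlier in the thread.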