Date:      Thu, 26 Apr 2018 10:06:15 +0200
From:      Hans Petter Selasky <hps@selasky.org>
To:        Andreas Longwitz <longwitz@incore.de>, freebsd-isdn@freebsd.org
Subject:   Re: page fault in isdn4bsd-kmod
Message-ID:  <fa6422c2-f4f7-0144-ed73-b2da39312e3b@selasky.org>
In-Reply-To: <caac8127-942f-4324-ebdf-1f36ae539752@selasky.org>
References:  <5AE0A686.7060109@incore.de> <caac8127-942f-4324-ebdf-1f36ae539752@selasky.org>


Hi,

>> (kgdb) f 12
>> #12 0xc0c631b9 in cd_update (cd=0xc50cb920, pipe=0x0, event=11) at
>> dss1_l3fsm.h:359
>> 359             l2softc_t *sc = ((__typeof(pipe))(cd->pipe))->L5_sc;
>> (kgdb) list
>> 354      * NOTE: pipe might be zero!
>> 355      */
>> 356     static void
>> 357     cd_update(call_desc_t *cd, DSS1_TCP_pipe_t *pipe, int event)
>> 358     {
>> 359             l2softc_t *sc = ((__typeof(pipe))(cd->pipe))->L5_sc;
>> 360             __typeof(cd->state)
>> 361               state = cd->state;
>> 362
>> 363             /*
>>

Event 11 means EV_L3_RELEASE. It does not use the "sc" variable. I think 
different compilers might produce different results. However, the right 
solution is simply to ignore the "cd->pipe" being NULL in this case. It 
should be set in all the other cases where "sc" is used.

It might look like an outgoing call which was instantly hung up.

Can you try the attached patch?

--HPS

Attachment: i4b-NULL.diff (text/x-patch)
Index: src/sys/i4b/dss1/dss1_l3fsm.h
===================================================================
--- src/sys/i4b/dss1/dss1_l3fsm.h	(revision 4114)
+++ src/sys/i4b/dss1/dss1_l3fsm.h	(revision 4115)
@@ -356,11 +356,21 @@
 static void
 cd_update(call_desc_t *cd, DSS1_TCP_pipe_t *pipe, int event)
 {
-	l2softc_t *sc = ((__typeof(pipe))(cd->pipe))->L5_sc;
-	__typeof(cd->state)
-	  state = cd->state;
+	__typeof(cd->state) state = cd->state;
+	l2softc_t *sc;
 
 	/*
+	 * Check if "cd->pipe" is non-NULL to avoid NULL dereference.
+	 * If the "cd->pipe" is NULL the "sc" value should not be used
+	 * by any of the switch cases below. Typically "cd->pipe" can
+	 * be NULL on the EV_L3_RELEASE event.
+	 */
+	if (cd->pipe != NULL)
+		sc = ((__typeof(pipe))(cd->pipe))->L5_sc;
+	else
+		sc = NULL;
+
+	/*
 	 * debugging
 	 */
 
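Review bot: the new guard at the top of cd_update() turns a NULL cd->pipe into sc == NULL, but nothing in the hunk enforces the comment's claim that none of the switch cases below use sc in that situation; a case that does touch sc will still fault, only a few lines later and with a less obvious backtrace than the one reported. Consider asserting the invariant where sc is first used (a KASSERT() on sc != NULL carrying the event number) or returning early for the events known to arrive without a pipe, and tighten the comment: "Typically cd->pipe can be NULL on the EV_L3_RELEASE event" leaves open whether EV_L3_RELEASE is the only such event, which is exactly what the guard's correctness depends on.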

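The pattern behind this crash, as an added stand-alone C sketch that is not code from the i4b tree or from the patch author: a call descriptor whose pipe pointer is legitimately NULL for some events but not others. The type and event names call_desc_t, DSS1_TCP_pipe_t, l2softc_t and EV_L3_RELEASE are taken from the backtrace and the patch, but their definitions here are hypothetical stand-ins with only the fields the example touches; EV_L3_SETUP, the state values, the result codes and event_needs_sc() are invented for the example. It goes one step beyond the patch by making the "sc is only needed for some events" invariant explicit and checking it at the point of use, so a violation is reported as an error instead of turning into a page fault.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the i4b structures named in the backtrace.
 * Only the fields this example touches are modelled. */
typedef struct l2softc {
	int unit;
} l2softc_t;

typedef struct dss1_tcp_pipe {
	l2softc_t *L5_sc;	/* layer-2 softc owning this pipe */
} DSS1_TCP_pipe_t;

typedef struct call_desc {
	DSS1_TCP_pipe_t *pipe;	/* may be NULL, e.g. on EV_L3_RELEASE */
	int state;
} call_desc_t;

/* The page only tells us that event 11 is EV_L3_RELEASE; EV_L3_SETUP and
 * the state values are invented for the example. */
enum { EV_L3_SETUP = 1, EV_L3_RELEASE = 11 };
enum { ST_IDLE = 0, ST_SETUP_SENT = 1 };

/* Result codes so a caller (or a test) can observe what happened. */
enum { CD_OK = 0, CD_ERR_NO_PIPE = -1, CD_ERR_BAD_EVENT = -2 };

/* Pre-patch shape: dereferences cd->pipe unconditionally, so calling it
 * with cd->pipe == NULL is the page fault from the backtrace. Shown for
 * contrast only; never call it with a NULL pipe. */
void
cd_update_unchecked(call_desc_t *cd, int event)
{
	l2softc_t *sc = cd->pipe->L5_sc;	/* faults when pipe == NULL */

	if (event == EV_L3_RELEASE) {
		cd->state = ST_IDLE;		/* sc is not used here */
	} else if (event == EV_L3_SETUP) {
		cd->state = ST_SETUP_SENT;
		(void)sc->unit;			/* sc is used here */
	}
}

/* Which events may legitimately arrive with cd->pipe == NULL?
 * Returns 1 if the event needs sc, 0 if not, -1 for an unknown event. */
int
event_needs_sc(int event)
{
	switch (event) {
	case EV_L3_RELEASE:
		return (0);
	case EV_L3_SETUP:
		return (1);
	default:
		return (-1);
	}
}

/* Hardened shape: guard the dereference as the patch does, and enforce
 * the "sc is not used when pipe is NULL" invariant at the point of use
 * instead of relying on a comment above the switch. */
int
cd_update_checked(call_desc_t *cd, int event)
{
	l2softc_t *sc = (cd->pipe != NULL) ? cd->pipe->L5_sc : NULL;
	int needs = event_needs_sc(event);

	if (needs < 0)
		return (CD_ERR_BAD_EVENT);
	if (needs && sc == NULL)
		return (CD_ERR_NO_PIPE);	/* would have been a NULL dereference */

	switch (event) {
	case EV_L3_RELEASE:
		cd->state = ST_IDLE;
		break;
	case EV_L3_SETUP:
		cd->state = ST_SETUP_SENT;
		(void)sc->unit;			/* safe: checked above */
		break;
	}
	return (CD_OK);
}

int
main(void)
{
	l2softc_t sc = { .unit = 0 };
	DSS1_TCP_pipe_t pipe = { .L5_sc = &sc };
	call_desc_t released = { .pipe = NULL, .state = ST_SETUP_SENT };
	call_desc_t active = { .pipe = &pipe, .state = ST_IDLE };

	printf("release without pipe: %d\n", cd_update_checked(&released, EV_L3_RELEASE));
	printf("setup without pipe:   %d\n", cd_update_checked(&released, EV_L3_SETUP));
	printf("setup with pipe:      %d\n", cd_update_checked(&active, EV_L3_SETUP));
	return (0);
}
```

The release-without-pipe case, which is the one in the backtrace, succeeds because cd_update_checked() never touches sc for EV_L3_RELEASE; a setup event on the same descriptor is rejected with CD_ERR_NO_PIPE rather than faulting, which is the check the patch leaves implicit.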



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?fa6422c2-f4f7-0144-ed73-b2da39312e3b>