Date: Thu, 26 Apr 2018 10:06:15 +0200
From: Hans Petter Selasky <hps@selasky.org>
To: Andreas Longwitz <longwitz@incore.de>, freebsd-isdn@freebsd.org
Subject: Re: page fault in isdn4bsd-kmod
Message-ID: <fa6422c2-f4f7-0144-ed73-b2da39312e3b@selasky.org>
In-Reply-To: <caac8127-942f-4324-ebdf-1f36ae539752@selasky.org>
References: <5AE0A686.7060109@incore.de> <caac8127-942f-4324-ebdf-1f36ae539752@selasky.org>

Hi,
>> (kgdb) f 12
>> #12 0xc0c631b9 in cd_update (cd=0xc50cb920, pipe=0x0, event=11) at
>> dss1_l3fsm.h:359
>> 359 l2softc_t *sc = ((__typeof(pipe))(cd->pipe))->L5_sc;
>> (kgdb) list
>> 354 * NOTE: pipe might be zero!
>> 355 */
>> 356 static void
>> 357 cd_update(call_desc_t *cd, DSS1_TCP_pipe_t *pipe, int event)
>> 358 {
>> 359 l2softc_t *sc = ((__typeof(pipe))(cd->pipe))->L5_sc;
>> 360 __typeof(cd->state)
>> 361 state = cd->state;
>> 362
>> 363 /*
>>
Event 11 means EV_L3_RELEASE. It does not use the "sc" variable. I think
different compilers might produce different results. However, the right
solution is simply to ignore the "cd->pipe" being NULL in this case. It
should be set in all the other cases where "sc" is used.
It might look like an outgoing call which was instantly hung up.
Can you try the attached patch?
--HPS
[-- Attachment #2 --]
Index: src/sys/i4b/dss1/dss1_l3fsm.h
===================================================================
--- src/sys/i4b/dss1/dss1_l3fsm.h (revision 4114)
+++ src/sys/i4b/dss1/dss1_l3fsm.h (revision 4115)
@@ -356,11 +356,21 @@
static void
cd_update(call_desc_t *cd, DSS1_TCP_pipe_t *pipe, int event)
{
- l2softc_t *sc = ((__typeof(pipe))(cd->pipe))->L5_sc;
- __typeof(cd->state)
- state = cd->state;
+ __typeof(cd->state) state = cd->state;
+ l2softc_t *sc;
/*
+ * Check if "cd->pipe" is non-NULL to avoid NULL dereference.
+ * If the "cd->pipe" is NULL the "sc" value should not be used
+ * by any of the switch cases below. Typically "cd->pipe" can
+ * be NULL on the EV_L3_RELEASE event.
+ */
+ if (cd->pipe != NULL)
+ sc = ((__typeof(pipe))(cd->pipe))->L5_sc;
+ else
+ sc = NULL;
+
+ /*
* debugging
*/
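Review bot: the `else sc = NULL;` branch at the top of cd_update() only moves the NULL dereference out of the prologue and into whichever switch case below touches `sc`; the new comment states that no case uses `sc` when `cd->pipe` is NULL, but nothing in the hunk enforces that. Consider making the invariant checkable, for example a `KASSERT(sc != NULL, ("cd->pipe is NULL"))` in the cases that dereference `sc`, so that an event added later with a NULL pipe fails loudly in a debug kernel instead of faulting in production. The merge of the `state` declaration onto one line is an unrelated style change mixed into the fix and could be split out.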
