From owner-freebsd-isdn@freebsd.org Thu Apr 26 08:06:24 2018
Delivered-To: freebsd-isdn@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9C2A2FA55BC;
	Thu, 26 Apr 2018 08:06:24 +0000 (UTC) (envelope-from hps@selasky.org)
Received: from mail.turbocat.net (turbocat.net [88.99.82.50])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 387D77DE34;
	Thu, 26 Apr 2018 08:06:23 +0000 (UTC) (envelope-from hps@selasky.org)
Received: from hps2016.home.selasky.org (unknown [62.141.128.70])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mail.turbocat.net (Postfix) with ESMTPSA id 5AAEB260E49;
	Thu, 26 Apr 2018 10:06:22 +0200 (CEST)
Subject: Re: page fault in isdn4bsd-kmod
From: Hans Petter Selasky
To: Andreas Longwitz, freebsd-isdn@freebsd.org
References: <5AE0A686.7060109@incore.de>
Date: Thu, 26 Apr 2018 10:06:15 +0200
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="------------0DEBAAE7C6F2469B6539045B"
Content-Language: en-US
X-BeenThere: freebsd-isdn@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: Using ISDN with FreeBSD
X-List-Received-Date: Thu, 26 Apr 2018 08:06:24 -0000

Hi,

>> (kgdb) f 12
>> #12 0xc0c631b9 in cd_update (cd=0xc50cb920, pipe=0x0, event=11) at
>> dss1_l3fsm.h:359
>> 359             l2softc_t *sc = ((__typeof(pipe))(cd->pipe))->L5_sc;
>> (kgdb) list
>> 354      * NOTE: pipe might be zero!
>> 355      */
>> 356     static void
>> 357     cd_update(call_desc_t *cd, DSS1_TCP_pipe_t *pipe, int event)
>> 358     {
>> 359             l2softc_t *sc = ((__typeof(pipe))(cd->pipe))->L5_sc;
>> 360             __typeof(cd->state)
>> 361               state = cd->state;
>> 362
>> 363             /*

Event 11 means EV_L3_RELEASE. It does not use the "sc" variable. I think different compilers might produce different results.

However, the right solution is simply to ignore the "cd->pipe" being NULL in this case. It should be set in all the other cases where "sc" is used. It might look like an outgoing call which was instantly hung up.

Can you try the attached patch?
--HPS

Content-Type: text/x-patch; name="i4b-NULL.diff"
Content-Disposition: attachment; filename="i4b-NULL.diff"

Index: src/sys/i4b/dss1/dss1_l3fsm.h =================================================================== --- src/sys/i4b/dss1/dss1_l3fsm.h (revision 4114) +++ src/sys/i4b/dss1/dss1_l3fsm.h (revision 4115) @@ -356,11 +356,21 @@ static void cd_update(call_desc_t *cd, DSS1_TCP_pipe_t *pipe, int event) { - l2softc_t *sc = ((__typeof(pipe))(cd->pipe))->L5_sc; - __typeof(cd->state) - state = cd->state; + __typeof(cd->state) state = cd->state; + l2softc_t *sc; /* + * Check if "cd->pipe" is non-NULL to avoid NULL dereference. + * If the "cd->pipe" is NULL the "sc" value should not be used + * by any of the switch cases below. Typically "cd->pipe" can + * be NULL on the EV_L3_RELEASE event. + */ + if (cd->pipe != NULL) + sc = ((__typeof(pipe))(cd->pipe))->L5_sc; + else + sc = NULL; + + /* * debugging */
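Review bot: the `sc = NULL` fallback in this hunk only states in the comment that no switch case may use "sc" when "cd->pipe" is NULL; nothing enforces it, so any case that does touch "sc" on such an event turns the fault at function entry into a NULL dereference further down in the same function, and the `/* debugging */` block that immediately follows the new code is the first place to check for such a use. Suggest either guarding those uses explicitly (`if (sc != NULL)`) or asserting the invariant where it matters, e.g. a `KASSERT(sc != NULL, ("cd_update: no pipe for event %d", event))` at the top of each case that dereferences "sc", so a violation reports as the invariant failure instead of a page fault. Note also that the quoted frame shows the `pipe` parameter itself NULL (`pipe=0x0`), which the existing `NOTE: pipe might be zero!` already warns about; the new check covers "cd->pipe" only, so any later use of the `pipe` argument still rests on the caller's guarantee.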
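The pattern the patch applies, looking the L2 softc up only when the pipe exists and keeping the release path independent of it, as an added C example that is not i4b code: every type, field, event number and scenario function below is an invented stand-in; only the shape of the entry-point dereference and of the fix follow the patch and the quoted frame. It goes one step further than the patch by enforcing the "sc must not be used without a pipe" rule at each use instead of stating it in a comment.

```c
#include <stddef.h>
#include <stdio.h>

/* Invented stand-ins for the i4b types (example only, not i4b code). */
typedef struct l2softc {
	int setups;    /* calls that reached the L2 layer */
	int releases;  /* releases seen by calls that had a pipe */
} l2softc_t;

typedef struct DSS1_TCP_pipe { l2softc_t *L5_sc; } DSS1_TCP_pipe_t;

typedef struct call_desc {
	DSS1_TCP_pipe_t *pipe;  /* NULL when the call never got a pipe */
	int state;
} call_desc_t;

enum { ST_IDLE = 0, ST_OUTGOING = 1, ST_RELEASED = 2 };
enum { EV_L3_SETUP = 1, EV_L3_RELEASE = 11 };  /* 11 as in the backtrace */
enum cd_result { CD_OK = 0, CD_NO_PIPE = -1, CD_BAD_EVENT = -2 };

/*
 * Shape of the code that faulted: cd->pipe is dereferenced before the
 * event is looked at, so a release on a pipe-less call faults although
 * that path never needs sc.  For comparison only; never call it with
 * cd->pipe == NULL.
 */
static enum cd_result
cd_update_unchecked(call_desc_t *cd, int event)
{
	l2softc_t *sc = cd->pipe->L5_sc;  /* NULL dereference if pipe == NULL */

	if (event == EV_L3_RELEASE) {
		cd->state = ST_RELEASED;
		return CD_OK;
	}
	if (event == EV_L3_SETUP) {
		cd->state = ST_OUTGOING;
		sc->setups++;
		return CD_OK;
	}
	return CD_BAD_EVENT;
}

/* The lookup from the patch as a helper: a NULL pipe yields a NULL sc. */
static l2softc_t *
cd_get_sc(const call_desc_t *cd)
{
	return (cd->pipe != NULL) ? cd->pipe->L5_sc : NULL;
}

/* Hardened version: every use of sc sits behind a check. */
static enum cd_result
cd_update(call_desc_t *cd, int event)
{
	l2softc_t *sc = cd_get_sc(cd);

	switch (event) {
	case EV_L3_RELEASE:
		cd->state = ST_RELEASED;      /* releasing never needs a pipe */
		if (sc != NULL)
			sc->releases++;       /* optional bookkeeping only */
		return CD_OK;
	case EV_L3_SETUP:
		if (sc == NULL)
			return CD_NO_PIPE;    /* this path needs L2: refuse, don't fault */
		cd->state = ST_OUTGOING;
		sc->setups++;
		return CD_OK;
	default:
		return CD_BAD_EVENT;
	}
}

/* Scenario 1: the report's case, an outgoing call hung up before it got a pipe. */
static int
release_without_pipe(void)
{
	call_desc_t cd = { NULL, ST_OUTGOING };

	return (cd_update(&cd, EV_L3_RELEASE) == CD_OK) ? cd.state : -1;
}

/* Scenario 2: a path that really needs L2 is refused on a pipe-less call. */
static int
setup_without_pipe(void)
{
	call_desc_t cd = { NULL, ST_IDLE };

	return cd_update(&cd, EV_L3_SETUP);
}

/* Scenario 3: with a pipe both versions agree and the counters move. */
static int
setup_and_release_with_pipe(void)
{
	l2softc_t sc = { 0, 0 };
	DSS1_TCP_pipe_t pipe = { &sc };
	call_desc_t cd = { &pipe, ST_IDLE };

	if (cd_update_unchecked(&cd, EV_L3_SETUP) != CD_OK ||
	    cd_update(&cd, EV_L3_RELEASE) != CD_OK)
		return -1;
	return sc.setups * 10 + sc.releases;
}

int
main(void)
{
	printf("release without pipe -> state %d\n", release_without_pipe());
	printf("setup without pipe   -> %d\n", setup_without_pipe());
	printf("with pipe, counters  -> %d\n", setup_and_release_with_pipe());
	return 0;
}
```

Build with `cc -Wall -o cd_update cd_update.c`. The difference from the patch is deliberate: `cd_update` returns `CD_NO_PIPE` from the one case that genuinely needs L2, so a future event that is wrongly fed a pipe-less call produces a checkable error instead of relying on the comment above the switch, which is what a reviewer of the patch would ask for.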