From: Arnaud Lacombe
To: Adrian Chadd
Cc: freebsd-net@freebsd.org, dave jones
Date: Mon, 26 Sep 2011 02:06:20 -0400
Subject: Re: Kernel panic on FreeBSD 9.0-beta2

Hi,

On Mon, Sep 26, 2011 at 1:45 AM, Adrian Chadd wrote:
> On 26 September 2011 13:41, Arnaud Lacombe wrote:
>>         /*
>>          * XXX
>>          * This entire block sorely needs a rewrite.
>>          */
>>         if (t &&
>>             ((t->inp_flags & INP_TIMEWAIT) == 0) &&
>>             (so->so_type != SOCK_STREAM ||
>>              ntohl(t->inp_faddr.s_addr) == INADDR_ANY) &&
>>             (ntohl(sin->sin_addr.s_addr) != INADDR_ANY ||
>>              ntohl(t->inp_laddr.s_addr) != INADDR_ANY ||
>>              (t->inp_socket->so_options &
>>                  SO_REUSEPORT) == 0) &&
>>             (inp->inp_cred->cr_uid !=
>>              t->inp_cred->cr_uid))
>>                 return (EADDRINUSE);
>>         }
>>
>> more specifically, `t->inp_socket' is NULL. The top comment may not be
>> relevant, as it's been here for the past 8 years.
>
> Why would t->inp_socket be NULL at this point?
>
I really have no idea. This is just what gdb's disassembly and gcc's
verbose assembly output led me to[0]: it crashes on the following
instruction:

0xc0b235af : testb  $0x2,0x7(%eax)
0xc0b235b3 : jne    0xc0b235c7

for which gcc originally generated:

        testb   $2, 7(%eax)     #, .so_options
        jne     .L523

Test of the second bit at offset 0x7 is consistent with
`(t->inp_socket->so_options & SO_REUSEPORT) == 0', and that instruction
is followed by a bunch of `cr_uid' checks:

        movl    48(%edi), %eax  # .inp_cred, .inp_cred
        movl    48(%edx), %edx  # .inp_cred, .inp_cred
        movl    4(%eax), %eax   # .cr_uid, .cr_uid
        cmpl    4(%edx), %eax   # .cr_uid, .cr_uid
        jne     .L535           #,

matching gdb disassembly:

0xc0b235b5 : mov    0x30(%edi),%eax
0xc0b235b8 : mov    0x30(%edx),%edx
0xc0b235bb : mov    0x4(%eax),%eax
0xc0b235be : cmp    0x4(%edx),%eax
0xc0b235c1 : jne    0xc0b236be

moreover, .L535 terminates the function and returns EADDRINUSE.

That said, I agree, this only tells "where" and "what", not "why" we
ended up in this situation :-)

 - Arnaud

[0]: and I'd be glad to be wrong, provided the other side provides a more
meaningful answer :)
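An added host-side check, not part of the thread or of FreeBSD's sources, that reproduces the offset reasoning above: it models the leading fields of struct socket and struct ucred as assumed for FreeBSD 9 on i386, derives the testb operands a little-endian compiler uses for `so_options & SO_REUSEPORT`, and compares them with the `$0x2,0x7(%eax)` seen in gdb. The struct models, the helper names and the field layouts are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

#define SO_REUSEPORT 0x0200   /* value from sys/socket.h */

/* Leading fields of struct socket and struct ucred as assumed for
 * FreeBSD 9 on i386 (models for offset arithmetic, not the kernel headers). */
struct socket_model { int so_count; short so_type; short so_options; };
struct ucred_model  { unsigned int cr_ref; unsigned int cr_uid; };

/* Operands of the "testb $imm, disp(%reg)" a little-endian compiler emits
 * for "(field & mask) == 0" when the set bits of mask lie in one byte. */
struct byte_test {
	size_t disp;        /* displacement from the struct base */
	unsigned char imm;  /* immediate tested against that byte */
	int valid;          /* 0 if mask spans several bytes (no single testb) */
};

static struct byte_test byte_test_for(size_t field_off, size_t field_size,
    unsigned mask)
{
	struct byte_test bt = { 0, 0, 0 };
	for (size_t b = 0; b < field_size; b++) {
		unsigned char m = (mask >> (8 * b)) & 0xff;
		if (m == 0) continue;
		if (bt.valid) {       /* a second byte carries bits: not a testb */
			bt.valid = 0;
			break;
		}
		bt.disp = field_off + b;
		bt.imm = m;
		bt.valid = 1;
	}
	return bt;
}

/* Does "testb $imm, disp(%reg)", with %reg holding a struct socket pointer,
 * correspond to the source test "so->so_options & SO_REUSEPORT"? */
static int is_reuseport_test(size_t disp, unsigned char imm)
{
	struct byte_test bt = byte_test_for(
	    offsetof(struct socket_model, so_options), sizeof(short), SO_REUSEPORT);
	return bt.valid && bt.disp == disp && bt.imm == imm;
}

int main(void)
{
	/* Operands decoded from the gdb line quoted in the thread. */
	printf("testb $0x2,0x7(%%eax) == so_options & SO_REUSEPORT: %s\n",
	    is_reuseport_test(0x7, 0x2) ? "yes" : "no");
	printf("cr_uid at offset %zu, matching mov 0x4(%%eax),%%eax\n",
	    offsetof(struct ucred_model, cr_uid));
	return 0;   /* with t->inp_socket == NULL that testb reads address 0x7 */
}
```

The last comment is the practical consequence for reading the panic: a NULL `inp_socket` makes the faulting address equal to the displacement, so a trap reporting virtual address 0x7 at that instruction is consistent with the analysis.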