Date: Mon, 20 Dec 2021 11:11:37 +0000 From: bugzilla-noreply@freebsd.org To: net@FreeBSD.org Subject: [Bug 260393] Page Fault tcp_output/tcp_input Message-ID: <bug-260393-7501-e46cPhJMY1@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-260393-7501@https.bugs.freebsd.org/bugzilla/> References: <bug-260393-7501@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D260393 --- Comment #10 from Dobri Dobrev <ddobrev85@gmail.com> --- (In reply to Michael Tuexen from comment #9) (kgdb) frame 8 #8 m_copydata (m=3D0x0, m@entry=3D0xfffff8010ee80d00, off=3D0, len=3D1, cp= =3D<optimized out>) at /usr/src/sys/kern/uipc_mbuf.c:657 657 count =3D min(m->m_len - off, len); (kgdb) list 652 off -=3D m->m_len; 653 m =3D m->m_next; 654 } 655 while (len > 0) { 656 KASSERT(m !=3D NULL, ("m_copydata, length > size of= mbuf chain")); 657 count =3D min(m->m_len - off, len); 658 if ((m->m_flags & M_EXTPG) !=3D 0) 659 m_copyfromunmapped(m, off, count, cp); 660 else 661 bcopy(mtod(m, caddr_t) + off, cp, count); (kgdb) print *(struct mbuf *)0xfffff8010ee80d00 $1 =3D {{m_next =3D 0x0, m_slist =3D {sle_next =3D 0x0}, m_stailq =3D {stqe= _next =3D 0x0}}, {m_nextpkt =3D 0x0, m_slistpkt =3D {sle_next =3D 0x0}, m_stailqpkt =3D {stq= e_next =3D 0x0}},=20 m_data =3D 0xfffff8015b91e528 "&i\365\267\254\350s\352,\025\216*\265\216\004\024\201j\256\245?\225<\020)W= \214%\212\371\221$\205s\277LE<\326\340\032\267\377\366\214\217\235\215^)1x\= 377\342\032\234=C6=82\217]\211\375\333h\361\212\320nE\024\370\330\325S8\272= \001y\023\304;\016:\017\032kT5\323\300\f\245MJd\n\025W\352c\321\062)Pl{/\26= 3\320>6\231\362x\305\311\031=C3=B6\vy\356&=C3=89\265\343;_\273`\272\005\205= \315m(\353=EC=81=9E\001\223\254\371\037]UN\357\202%\201\364\033\r\232G$-N\2= 51\262#\264\204\375\t\321\036\203\241\254\274\314=D8=B2\252j=C5=B9c.k\217\2= 24#\235\206\241U\262\a\215I\035&\253j3"..., m_len =3D 24, m_type =3D 1, m_flags =3D 1, {{{m_pkthdr =3D {{snd_tag =3D 0x= 0,=20 rcvif =3D 0x0}, tags =3D {slh_first =3D 0x0}, len =3D 1337, flo= wid =3D 0, csum_flags =3D 0, fibnum =3D 0, numa_domain =3D 255 '\377', rsstype =3D 0 '= \000', {rcv_tstmp =3D 0, {l2hlen =3D 0 '\000', l3hlen =3D 0 '\000',=20 l4hlen =3D 0 '\000', l5hlen =3D 0 '\000', inner_l2hlen =3D 0 = '\000', inner_l3hlen =3D 0 '\000', inner_l4hlen =3D 0 '\000', inner_l5hlen =3D 0 '\= 000'}}, PH_per =3D {eight =3D "\000\000\000\000\377\377\000", sixteen =3D { 0, 0, 65535, 0}, thirtytwo =3D {0, 65535}, sixtyfour =3D {281470681743360}, unintptr =3D {281470681743360}, ptr =3D 0xffff00000000},= PH_loc =3D {eight =3D "\000\000\000\000\000\000\000", sixteen =3D {0, 0, 0, 0},=20 thirtytwo =3D {0, 0}, sixtyfour =3D {0}, unintptr =3D {0}, ptr = =3D 0x0}}, {m_epg_npgs =3D 0 '\000', m_epg_nrdy =3D 0 '\000', m_epg_hdrlen =3D 0 '\000= ', m_epg_trllen =3D 0 '\000', m_epg_1st_off =3D 0, m_epg_last_len =3D 0,=20 m_epg_flags =3D 0 '\000', m_epg_record_type =3D 0 '\000', __spare= =3D "\000", m_epg_enc_cnt =3D 0, m_epg_tls =3D 0x539, m_epg_so =3D 0xff00000000= 0000, m_epg_seqno =3D 0, m_epg_stailq =3D {stqe_next =3D 0xffff00000000}}}, { m_ext =3D {{ext_count =3D 1, ext_cnt =3D 0x1}, ext_size =3D 2048, e= xt_type =3D 6, ext_flags =3D 1, {{ext_buf =3D 0xfffff8015b91e000 "\023\367\265R\030\254\212\342\220\255\331'\206\217\245f\223o\aH\205\277\22= 2",=20 ext_arg2 =3D 0x0}, {extpg_pa =3D {18446735283447783424, 0, 0,= 0, 0}, extpg_trail =3D '\000' <repeats 63 times>, extpg_hdr =3D '\000' <repeats 22 times>}}, ext_free =3D 0x0, ext_arg1 =3D 0x0},=20 m_pktdat =3D 0xfffff8010ee80d58 "\001"}}, m_dat =3D 0xfffff8010ee80= d20 ""}} (kgdb) frame 10 #10 0xffffffff80dcd382 in tcp_do_segment (m=3D<optimized out>, th=3D<optimi= zed out>, so=3D<optimized out>, tp=3D0xfffffe0251638870, drop_hdrlen=3D40, tlen=3D<optimized out>, iptos=3D0 '\000') at /usr/src/sys/netinet/tcp_input.c:2822 2822 tcp_sack_partialack= (tp, th); (kgdb) print *tp $2 =3D {t_inpcb =3D 0xfffff80a54294000, t_fb =3D 0xffffffff8193b000 <tcp_def_funcblk>, t_fb_ptr =3D 0x0, t_maxseg =3D 1360, t_logstate =3D 0, t= _port =3D 0, t_state =3D 8, t_idle_reduce =3D 0, t_delayed_ack =3D 0, t_fin_is_rst =3D 0= ,=20 t_log_state_set =3D 0, bits_spare =3D 0, t_flags =3D 554697333, snd_una = =3D 3223852179, snd_max =3D 3223852205, snd_nxt =3D 3223852204, snd_up =3D 3223= 850831, snd_wnd =3D 65292, snd_cwnd =3D 1359, t_peakrate_thr =3D 0,=20 ts_offset =3D 0, rfbuf_ts =3D 313886170, rcv_numsacks =3D 0, t_tsomax =3D= 65535, t_tsomaxsegcount =3D 37, t_tsomaxsegsize =3D 4096, rcv_nxt =3D 2467824635, = rcv_adv =3D 2467891323, rcv_wnd =3D 66688, t_flags2 =3D 1024, t_srtt =3D 3309,=20 t_rttvar =3D 287, ts_recent =3D 0, snd_scale =3D 2 '\002', rcv_scale =3D = 6 '\006', snd_limited =3D 0 '\000', request_r_scale =3D 6 '\006', last_ack_sent =3D 2= 467824635, t_rcvtime =3D 2461112999, rcv_up =3D 2467824635,=20 t_segqlen =3D 0, t_segqmbuflen =3D 0, t_segq =3D {tqh_first =3D 0x0, tqh_= last =3D 0xfffffe0251638900}, t_in_pkt =3D 0x0, t_tail_pkt =3D 0x0, t_timers =3D 0xfffffe0251638b18, t_vnet =3D 0xfffff801014c0580, snd_ssthresh =3D 2720,=20 snd_wl1 =3D 2467824635, snd_wl2 =3D 3223852179, irs =3D 2467822589, iss = =3D 3223768989, t_acktime =3D 0, t_sndtime =3D 2460931776, ts_recent_age =3D 0, snd_recover =3D 3223852205, cl4_spare =3D 0, t_oobflags =3D 0 '\000',=20 t_iobc =3D 0 '\000', t_rxtcur =3D 64000, t_rxtshift =3D 11, t_rtttime =3D= 0, t_rtseq =3D 3223852203, t_starttime =3D 2460765463, t_fbyte_in =3D 2460765472, t_fb= yte_out =3D 2460765472, t_pmtud_saved_maxseg =3D 0,=20 t_blackhole_enter =3D 0, t_blackhole_exit =3D 0, t_rttmin =3D 30, t_rttbe= st =3D 3596, t_softerror =3D 0, max_sndwnd =3D 66640, snd_cwnd_prev =3D 8160, snd_ssthre= sh_prev =3D 2720, snd_recover_prev =3D 3223823643, t_sndzerowin =3D 0,=20 t_rttupdated =3D 9, snd_numholes =3D 1, t_badrxtwin =3D 2460781714, snd_h= oles =3D {tqh_first =3D 0xfffff806d12b8780, tqh_last =3D 0xfffff806d12b8790}, snd_fa= ck =3D 3223852203, sackblks =3D {{start =3D 2467824634,=20 end =3D 2467824635}, {start =3D 0, end =3D 0}, {start =3D 0, end =3D = 0}, {start =3D 0, end =3D 0}, {start =3D 0, end =3D 0}, {start =3D 0, end =3D 0}}, sackhin= t =3D {nexthole =3D 0xfffff806d12b8780, sack_bytes_rexmit =3D 0,=20 last_sack_ack =3D 3223852203, delivered_data =3D 12, sacked_bytes =3D 0, recover_fs =3D 1373, prr_delivered =3D 2722, prr_out =3D 4105}, t_rttlow = =3D 84, rfbuf_cnt =3D 0, tod =3D 0x0, t_sndrexmitpack =3D 59, t_rcvoopack =3D 0,=20 t_toe =3D 0x0, cc_algo =3D 0xffffffff81937eb0 <newreno_cc_algo>, ccv =3D 0xfffffe0251638c60, osd =3D 0xfffffe0251638c88, t_bytes_acked =3D 0, t_maxu= nacktime =3D 0, t_keepinit =3D 0, t_keepidle =3D 0, t_keepintvl =3D 0,=20 t_keepcnt =3D 0, t_dupacks =3D 0, t_lognum =3D 0, t_loglimit =3D 5000, t_= pacing_rate =3D -1, t_logs =3D {stqh_first =3D 0x0, stqh_last =3D 0xfffffe0251638a88}, = t_lin =3D 0x0, t_lib =3D 0x0, t_output_caller =3D 0x0, t_stats =3D 0x0,=20 t_logsn =3D 0, gput_ts =3D 0, gput_seq =3D 0, gput_ack =3D 0, t_stats_gpu= t_prev =3D 0, t_maxpeakrate =3D 0, t_sndtlppack =3D 0, t_sndtlpbyte =3D 0, t_sndbytes =3D= 91397, t_snd_rxt_bytes =3D 61193, t_tfo_client_cookie_len =3D 0 '\000',=20 t_end_info_status =3D 0, t_tfo_pending =3D 0x0, t_tfo_cookie =3D {client = =3D '\000' <repeats 15 times>, server =3D 0}, {t_end_info_bytes =3D "\000\000\000\000\000\000\000", t_end_info =3D 0}} (kgdb) frame 12 #12 0xffffffff80dca9eb in tcp_input (mp=3D0xfffff8010ee80d00, offp=3D0x0, p= roto=3D1) at /usr/src/sys/netinet/tcp_input.c:1496 1496 return(tcp_input_with_port(mp, offp, proto, 0)); (kgdb) print **mp Cannot access memory at address 0x0 (kgdb) --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-260393-7501-e46cPhJMY1>