Date: Thu, 10 Oct 1996 17:09:57 -0500 (CDT)
From: Karl Denninger <karl@Mcs.Net>
To: fenner@parc.xerox.com (Bill Fenner)
Cc: fenner@parc.xerox.com, karl@Mcs.Net, current@freebsd.org, hackers@freebsd.org
Subject: Re: Crash in -current (from the current SNAP)
Message-ID: <199610102209.RAA14435@Jupiter.Mcs.Net>
In-Reply-To: <96Oct10.144023pdt.177476@crevenia.parc.xerox.com> from "Bill Fenner" at Oct 10, 96 02:40:12 pm

>
> >(kgdb)
> >(kgdb) select-frame 14
> >(kgdb) print ip_protox[ip->ip_p]
> >$1 = 2 '\002'
> >
> >That's "INET", if I'm reading the headers correctly.
>
> No, it's "TCP" (ip_protox[] is an offset into the inetsw[], and inetsw[2]
> is TCP).
>
> >(kgdb) print inetsw[ip_protox[ip->ip_p]].pr_input
> >$2 = (void (*)()) 0xf01477ec <tcp_input>
>
> Looks fine. Perhaps the trap didn't actually happen in ip_input?
> Try "select-frame 12" and then "frame frame->tf_ebp frame->tf_eip",
> which should tell you where the crash really happened.
>
> Bill
>

Oh, one more thing to add from that section of code...

			so2 = sonewconn(so, 0);
			if (so2 == 0) {
				tcpstat.tcps_listendrop++;
				so2 = sodropablereq(so);
				if (so2)
					tcp_drop(sototcpcb(so2), ETIMEDOUT);
				else
					goto drop;
			}
			so = so2;
			/*
			 * This is ugly, but ....
			 *
			 * Mark socket as temporary until we're
			 * committed to keeping it.  The code at
			 * ``drop'' and ``dropwithreset'' check the
			 * flag dropsocket to see if the temporary
			 * socket created here should be discarded.
			 * We mark the socket as discardable until
			 * we're committed to it below in TCPS_LISTEN.
			 */
			dropsocket++;
			inp = (struct inpcb *)so->so_pcb;
>>>>>>			inp->inp_laddr = ti->ti_dst;
			inp->inp_lport = ti->ti_dport;
			in_pcbrehash(inp);

The crash is at ">>>>>>"

The problem is right here:

(kgdb) print so->so_pcb
$7 = 0x0

Ouch.

Needless to say, trying to write to page zero will blow up! :-)

Now how did so->so_pcb end up being zero is the real question?

--
--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1 from $600 monthly; speeds to DS-3 available
                             | 23 Chicagoland Prefixes, 13 ISDN, much more
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax:   [+1 312 248-9865]     | Home of Chicago's only FULL Clarinet feed!
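
The control flow of the fragment quoted above, modelled in userland as an added example (not part of the original message and not FreeBSD source). It assumes, which the message does not state, that dropping a connection leaves that socket without a pcb; the struct layouts, `model_tcp_drop`, `listen_path` and the sample values are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical userland stand-ins for the kernel structures in the message. */
struct inpcb  { unsigned inp_laddr; unsigned short inp_lport; };
struct socket { struct inpcb *so_pcb; };

enum outcome { PCB_FILLED, DROP_NO_SOCKET, DROP_NULL_PCB };

/* ASSUMPTION (not stated in the message): dropping a connection detaches
 * its pcb, so the socket's so_pcb is NULL afterwards. */
static void model_tcp_drop(struct socket *so) { so->so_pcb = NULL; }

/*
 * Same control flow as the quoted fragment. newconn models the result of
 * sonewconn() (NULL = failed); dropable models the result of
 * sodropablereq() (NULL = nothing to evict).
 */
enum outcome listen_path(struct socket *newconn, struct socket *dropable,
                         unsigned dst, unsigned short dport)
{
    struct socket *so2 = newconn;
    struct inpcb *inp;

    if (so2 == NULL) {
        so2 = dropable;
        if (so2 != NULL)
            model_tcp_drop(so2);      /* fragment: tcp_drop(sototcpcb(so2), ...) */
        else
            return DROP_NO_SOCKET;    /* fragment: goto drop */
    }
    inp = so2->so_pcb;
    if (inp == NULL)                  /* added guard: the message saw 0x0 here */
        return DROP_NULL_PCB;
    inp->inp_laddr = dst;             /* the line marked >>>>>> */
    inp->inp_lport = dport;
    return PCB_FILLED;
}

int main(void)
{
    struct inpcb pcb = {0, 0};
    struct socket queued = { &pcb };  /* constructed sample input */
    printf("outcome=%d\n", listen_path(NULL, &queued, 0x0a000001u, 80));
    return 0;
}
```

Without the guard, the second case (first allocation fails, a queued socket is dropped and then reused) reaches the marked store with `inp == NULL`, the same state kgdb shows in the message.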