From owner-freebsd-current@FreeBSD.ORG Mon Jun 26 09:38:33 2006
Date: Mon, 26 Jun 2006 10:38:24 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: Michiel Boland
Cc: freebsd-current@freebsd.org
Message-ID: <20060626103804.A24406@fledge.watson.org>
Subject: Re: crash in tcp6_usr_accept

On Mon, 26 Jun 2006, Michiel Boland wrote:

> Hi. I returned from holidays only to find my work machine had crashed. Looks
> like the following line is the culprit.

Indeed -- committed your patch, thanks!

Robert N M Watson
Computer Laboratory
University of Cambridge

>
> static int
> tcp6_usr_accept(struct socket *so, struct sockaddr **nam)
> {
> 	[...]
> 	if (so->so_state & SS_ISDISCONNECTED) {
> 		error = ECONNABORTED;
> 		goto out;
> 	}
> 	[...]
> out:
> 	[...]
> 	INP_UNLOCK(inp);
>
> ^^^ inp has not been initialized at this stage
>
>
> quick fix:
>
> --- netinet/tcp_usrreq.c.orig	Thu Jun 8 17:28:23 2006
> +++ netinet/tcp_usrreq.c	Mon Jun 26 10:29:00 2006
> @@ -647,10 +647,8 @@
> 	int v4 = 0;
> 	TCPDEBUG0;
>
> -	if (so->so_state & SS_ISDISCONNECTED) {
> -		error = ECONNABORTED;
> -		goto out;
> -	}
> +	if (so->so_state & SS_ISDISCONNECTED)
> +		return ECONNABORTED;
>
> 	inp = sotoinpcb(so);
> 	KASSERT(inp != NULL, ("tcp6_usr_accept: inp == NULL"));
>
>
> FreeBSD 7.0-CURRENT #1: Fri Jun 16 00:19:30 CEST 2006
>     root@leefnet.office.internl.net:/usr/obj/usr/src/sys/LEEFNET
>
> Fatal trap 12: page fault while in kernel mode
> fault virtual address	= 0xa0
> fault code		= supervisor write, page not present
> instruction pointer	= 0x20:0xc0573d7e
> stack pointer	        = 0x28:0xd6ec7c08
> frame pointer	        = 0x28:0xd6ec7c2c
> code segment		= base 0x0, limit 0xfffff, type 0x1b
> 			= DPL 0, pres 1, def32 1, gran 1
> processor eflags	= interrupt enabled, resume, IOPL = 0
> current process		= 766 (httpd)
> trap number		= 12
> panic: page fault
> KDB: stack backtrace:
> kdb_backtrace(100,c215dd80,28,d6ec7bc8,c) at kdb_backtrace+0x29
> panic(c063640e,c0644b03,0,fffff,c226e69b) at panic+0xa8
> trap_fatal(d6ec7bc8,a0,c215dd80,0,2) at trap_fatal+0x2a6
> trap_pfault(d6ec7bc8,0,a0) at trap_pfault+0x1eb
> trap(c04b0008,c25a0028,c2150028,0,35) at trap+0x3b5
> calltrap() at calltrap+0x5
> --- trap 0xc, eip = 0xc0573d7e, esp = 0xd6ec7c08, ebp = 0xd6ec7c2c ---
> tcp6_usr_accept(c25d1bac,d6ec7c54,d6ec7c58,d6ec7c7c,c0522193) at tcp6_usr_accept+0xc2
> soaccept(c25d1bac,d6ec7c54,c25ac900,0,0) at soaccept+0x7d
> accept1(c215dd80,d6ec7d04,0,d6ec7d30,c0612946) at accept1+0x42f
> accept(c215dd80,d6ec7d04,3,206,c0670028) at accept+0x10
> syscall(3b,3b,3b,82063b0,83dc050) at syscall+0x2ee
> Xint0x80_syscall() at Xint0x80_syscall+0x1f
> --- syscall (30, FreeBSD ELF32, accept), eip = 0x283c37ff, esp = 0xbfbfec0c, ebp = 0xbfbfec38 ---
> Uptime: 7d11h16m47s
> Physical memory: 505 MB
> Dumping 127 MB: 112 96 80 64 48 32 16
>
> (kgdb) f 7
> #7  0xc0573d7e in tcp6_usr_accept (so=0xc215dd80, nam=0xd6ec7c54)
>     at atomic.h:149
> 149	        __asm __volatile (
> (kgdb) info locals
> inp = (struct inpcb *) 0x0
> error = 53
> addr = {s_addr = 3256212864}
> addr6 = {__u6_addr = {__u6_addr8 = "\000\000\000\0004|ìÖ\232kNÀNé2Â",
>     __u6_addr16 = {0, 0, 31796, 55020, 27546, 49230, 59726, 49714},
>     __u6_addr32 = {0, 3605822516, 3226364826, 3258116430}}},
> port = 0
> v4 = 0
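Review bot: The hunk at `@@ -647,10 +647,8 @@` removes a genuine use-before-assignment: the deleted `goto out` ran the `out:` cleanup, including `INP_UNLOCK(inp)`, before `inp = sotoinpcb(so)` had executed, and the dump bears that out (`inp = (struct inpcb *) 0x0` in the locals, `error = 53` already set to ECONNABORTED, and a write fault at virtual address 0xa0, i.e. NULL plus the lock's offset inside the inpcb, from the atomic in `atomic.h:149`). Returning directly is the right shape, since nothing has been locked at that point. Two small points: style(9) wants the value parenthesized, so `return (ECONNABORTED);` rather than `return ECONNABORTED;`, and the rest of what sits under `out:` is elided as `[...]` in the report, so it is worth confirming that nothing there besides the unlock (the `TCPDEBUG0` at the top of the function suggests a matching trace call at exit) is wanted on the disconnected path. The IPv4 `tcp_usr_accept` is not shown here; a glance at whether it checks `SS_ISDISCONNECTED` before or after assigning `inp` would close the same question there.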
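The ordering bug in the quoted report, rebuilt as a small user-space model so both control flows can be run side by side. This is an added example, not code from the FreeBSD tree or from either poster: `struct inpcb`, `struct socket`, `INP_LOCK`/`INP_UNLOCK` and the `SS_ISDISCONNECTED` value are stand-ins, the lock is placed at a constructed offset of 0xa0 so that a NULL `inp` would be written through the same address the trap reports, and the unlock routine counts a NULL argument instead of faulting on it. The "buggy" routine initializes `inp` to NULL only so the run is deterministic; in the kernel the slot held whatever was on the stack.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SS_ISDISCONNECTED 0x2000  /* constructed flag value, not FreeBSD's */
#define ECONNABORTED      53      /* BSD errno number, matching "error = 53" in the dump */

struct mtx { int locked; };

/* Constructed layout: the lock sits at offset 0xa0, so unlocking through
 * a NULL inp would touch address 0xa0, the fault address in the trap. */
struct inpcb {
	char       pad[0xa0];
	struct mtx inp_mtx;
};

struct socket {
	int           so_state;
	struct inpcb *so_pcb;
};

static int null_unlock_count;	/* how often INP_UNLOCK() was handed NULL */
static struct inpcb test_pcb;	/* the pcb the constructed sockets point at */

static void
INP_LOCK(struct inpcb *inp)
{
	inp->inp_mtx.locked = 1;
}

/* Stand-in for the real macro: instead of faulting on &inp->inp_mtx it
 * records the NULL case so the pre-patch path can be observed. */
static void
INP_UNLOCK(struct inpcb *inp)
{
	if (inp == NULL) {
		null_unlock_count++;
		return;
	}
	inp->inp_mtx.locked = 0;
}

/* Pre-patch shape: "out:" releases inp, but the disconnected check jumps
 * there before inp has been assigned from the socket. */
static int
accept_buggy(struct socket *so)
{
	struct inpcb *inp = NULL;	/* NULL only for determinism; see lead-in */
	int error = 0;

	if (so->so_state & SS_ISDISCONNECTED) {
		error = ECONNABORTED;
		goto out;
	}
	inp = so->so_pcb;
	INP_LOCK(inp);
	/* ... copy the peer address out under the lock ... */
out:
	INP_UNLOCK(inp);		/* NULL on the early path */
	return (error);
}

/* Post-patch shape: bail out before anything is acquired, so the cleanup
 * at the end only ever runs against an inp that was locked above it. */
static int
accept_fixed(struct socket *so)
{
	struct inpcb *inp;
	int error = 0;

	if (so->so_state & SS_ISDISCONNECTED)
		return (ECONNABORTED);
	inp = so->so_pcb;
	INP_LOCK(inp);
	/* ... */
	INP_UNLOCK(inp);
	return (error);
}

/* Run one accept routine against a constructed socket in the given state
 * and return its error; null_unlocks_seen() reports what the unlock saw. */
static int
run_accept(int (*accept_fn)(struct socket *), int state)
{
	struct socket so;

	memset(&test_pcb, 0, sizeof(test_pcb));
	so.so_state = state;
	so.so_pcb = &test_pcb;
	null_unlock_count = 0;
	return (accept_fn(&so));
}

static int null_unlocks_seen(void) { return (null_unlock_count); }
static int lock_left_held(void)   { return (test_pcb.inp_mtx.locked); }

/* The address a NULL inp would be unlocked through: NULL + this offset. */
static size_t fault_offset(void)  { return (offsetof(struct inpcb, inp_mtx)); }

int
main(void)
{
	int err;

	err = run_accept(accept_buggy, SS_ISDISCONNECTED);
	printf("buggy  (disconnected): error %d, %d NULL unlock(s)\n", err, null_unlocks_seen());
	err = run_accept(accept_fixed, SS_ISDISCONNECTED);
	printf("fixed  (disconnected): error %d, %d NULL unlock(s)\n", err, null_unlocks_seen());
	err = run_accept(accept_fixed, 0);
	printf("fixed  (connected):    error %d, lock held afterwards: %d\n", err, lock_left_held());
	printf("NULL inp would fault at offset 0x%zx\n", fault_offset());
	return (0);
}
```

The general rule the example illustrates is that a shared cleanup label may only release what has been acquired on every path that reaches it; an early return, as in the patch, or initializing the pointer and guarding the unlock, are the two usual ways to keep that invariant.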