From owner-freebsd-hackers Thu Oct 10 21:08:08 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA13611 for hackers-outgoing; Thu, 10 Oct 1996 21:08:08 -0700 (PDT)
Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id VAA13462; Thu, 10 Oct 1996 21:07:55 -0700 (PDT)
Received: from mailbox.mcs.com (Mailbox.mcs.com [192.160.127.87]) by Kitten.mcs.com (8.8.0/8.8.Beta.3) with SMTP id XAA11153; Thu, 10 Oct 1996 23:05:16 -0500 (CDT)
Received: by mailbox.mcs.com (/\==/\ Smail3.1.28.1 #28.15) id ; Thu, 10 Oct 96 23:05 CDT
Received: (from karl@localhost) by Jupiter.Mcs.Net (8.8.Beta.6/8.8.Beta.3) id XAA23331; Thu, 10 Oct 1996 23:05:13 -0500 (CDT)
From: Karl Denninger
Message-Id: <199610110405.XAA23331@Jupiter.Mcs.Net>
Subject: Re: Crash in -current (and fix) - plus NEW issue!
To: fenner@parc.xerox.com (Bill Fenner)
Date: Thu, 10 Oct 1996 23:05:13 -0500 (CDT)
Cc: karl@Mcs.Net, fenner@parc.xerox.com, current@freebsd.org, hackers@freebsd.org, pst@jnx.com
In-Reply-To: <96Oct10.171224pdt.177476@crevenia.parc.xerox.com> from "Bill Fenner" at Oct 10, 96 05:12:20 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> In message <199610102347.SAA16950@Jupiter.Mcs.Net> you write:
> >From what I can see of the code the following fragment looked safe:
> >
> >sofree(so2);
> >so2=sonewconn(so, 0);
>
> I think this will leave the socket on the incomplete connections queue.
> tcp_drop() already tries to free the socket, but sofree() refuses since
> so_flags has SS_NOFDREF set.  This means that it will still take up
> a queue slot even though that's exactly what we're trying to avoid.
>
> I think my suggested fix is:
>
>	if (so2) {
>		so2->so_flags &= ~SS_NOFDREF;
>		tcp_drop(sototcpcb(so2), ETIMEDOUT);
>		so2 = sonewconn(so, 0);
>		if (so2 == 0) /* can't happen? */
>			goto drop;
>	} else
>		goto drop;
>
> Turning off SS_NOFDREF will let tcp_drop free the socket, and you check
> to make absolutely sure that sonewconn() gave you something.
>
> >So I inserted that in the appropriate place... We'll see what happens; I'm
> >running that test kernel now on the machine which was blowing up.
>
> I think it'll still blow up; since sofree() doesn't actually free the
> socket (or remove it from the lists), the so2=sonewconn(so,0) will fail
> and if you don't check the result you'll die later.
>
>   Bill

This doesn't work.

I just got another panic, and this one is from legit data inbound but with
another null dereference in the same place.

I did NOT get a panic for several hours with the other patch (sofree(so2))
in there; I'm going to go back to THAT kernel and see if it is stable.

I don't expect it will be, after what you sent, but heh, right now I've got
nothing to lose :-)

This problem is not fixed.

--
--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1 from $600 monthly; speeds to DS-3 available
                             | 23 Chicagoland Prefixes, 13 ISDN, much more
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax:   [+1 312 248-9865]     | Home of Chicago's only FULL Clarinet feed!
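The following is an added example, not code from this thread and not FreeBSD kernel code. It is a toy C model of the queue-slot accounting argument in Bill Fenner's quoted reply: a listener's incomplete-connection queue with a fixed number of slots, a sofree() that refuses to release a socket while SS_NOFDREF is set (the behaviour the message describes, assumed here as stated), and two versions of the "evict one half-open socket and reuse its slot" step. The names sonewconn, sofree, tcp_drop and SS_NOFDREF are borrowed from the kernel for readability; their bodies, the struct layouts, the SO_QLIMIT value and the replace_oldest_* helpers are all constructed for this model. The model shows only why a refused free leaves sonewconn() with nothing to hand back and why its result must be NULL-checked; the thread itself reports that the real kernel kept panicking, so nothing here claims to be the actual fix.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model (added example, not FreeBSD code). */
#define SS_NOFDREF 0x001  /* socket has no file-descriptor reference yet */
#define SO_QLIMIT  4      /* assumed backlog: slots in the incomplete queue */

struct socket {
    int so_flags;
    int so_inq0;          /* nonzero while this socket holds a queue slot */
};

struct listener {
    struct socket so_q0[SO_QLIMIT];  /* incomplete-connection queue */
    int so_q0len;
};

/* Allocate a child socket for a new SYN; NULL when every slot is taken. */
static struct socket *sonewconn(struct listener *head)
{
    for (int i = 0; i < SO_QLIMIT; i++) {
        struct socket *so = &head->so_q0[i];
        if (!so->so_inq0) {
            so->so_inq0 = 1;
            so->so_flags = SS_NOFDREF;   /* half-open: nobody has accept()ed it */
            head->so_q0len++;
            return so;
        }
    }
    return NULL;
}

/* As the quoted message describes it: sofree() refuses to release a socket
 * whose SS_NOFDREF is set, so its queue slot stays occupied. Returns 1 if
 * the socket was actually freed, 0 if the call was a no-op. */
static int sofree(struct listener *head, struct socket *so)
{
    if (so->so_flags & SS_NOFDREF)
        return 0;
    so->so_inq0 = 0;
    head->so_q0len--;
    return 1;
}

/* tcp_drop() tears the connection down and then tries to free the socket. */
static int tcp_drop(struct listener *head, struct socket *so)
{
    return sofree(head, so);
}

/* The fragment Karl quoted: free the first half-open socket (standing in for
 * the oldest) and reuse its slot, checking neither result. Returns 1 if a
 * usable socket came back; a caller that skips this check dereferences NULL. */
static int replace_oldest_buggy(struct listener *head, struct socket **out)
{
    struct socket *so2 = &head->so_q0[0];
    sofree(head, so2);            /* refused: SS_NOFDREF is still set */
    *out = sonewconn(head);       /* fails: no slot was released */
    return *out != NULL;
}

/* Bill's suggested shape: clear SS_NOFDREF so tcp_drop() really frees the
 * socket, then verify that sonewconn() handed one back ("can't happen?" is
 * still checked). Returns 1 on success, 0 where the kernel would goto drop. */
static int replace_oldest_fixed(struct listener *head, struct socket **out)
{
    struct socket *so2 = &head->so_q0[0];
    so2->so_flags &= ~SS_NOFDREF;
    tcp_drop(head, so2);
    *out = sonewconn(head);
    return *out != NULL;
}

/* Constructed scenario: a SYN burst fills every slot with half-open sockets. */
static void fill_queue(struct listener *head)
{
    while (sonewconn(head) != NULL)
        ;
}

int main(void)
{
    struct listener l = {0};
    struct socket *so2;

    fill_queue(&l);
    printf("buggy path: got socket=%d, queue len=%d\n",
           replace_oldest_buggy(&l, &so2), l.so_q0len);
    printf("fixed path: got socket=%d, queue len=%d\n",
           replace_oldest_fixed(&l, &so2), l.so_q0len);
    return 0;
}
```

Running it shows the buggy path leaving the queue full and returning no socket, while the fixed path frees a slot, gets it back from sonewconn(), and leaves the queue full again with the new half-open connection in it.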