crash in tcp6_usr_accept

From: Michiel Boland <michiel_at_boland.org>
Date: Mon, 26 Jun 2006 10:51:18 +0200 (MEST)
Hi. I returned from holidays only to find my work machine had crashed.
Looks like the INP_UNLOCK() call marked below is the culprit.

static int
tcp6_usr_accept(struct socket *so, struct sockaddr **nam)
{
         [...]
         if (so->so_state & SS_ISDISCONNECTED) {
                 error = ECONNABORTED;
                 goto out;
         }
         [...]
out:
         [...]
         INP_UNLOCK(inp);

                    ^^^ inp has not been initialized at this stage


quick fix:

--- netinet/tcp_usrreq.c.orig	Thu Jun  8 17:28:23 2006
+++ netinet/tcp_usrreq.c	Mon Jun 26 10:29:00 2006
_at__at_ -647,10 +647,8 _at__at_
  	int v4 = 0;
  	TCPDEBUG0;

-	if (so->so_state & SS_ISDISCONNECTED) {
-		error = ECONNABORTED;
-		goto out;
-	}
+	if (so->so_state & SS_ISDISCONNECTED)
+		return ECONNABORTED;

  	inp = sotoinpcb(so);
  	KASSERT(inp != NULL, ("tcp6_usr_accept: inp == NULL"));
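Review bot: The early `return ECONNABORTED;` leaves the `out:` tail unexecuted, and the excerpt quoted above shows elided statements there ahead of `INP_UNLOCK(inp)`; if any of them are unconditional bookkeeping (the debug epilogue that pairs with the `TCPDEBUG0` at the top of this hunk would be the usual candidate, but it is not visible here), this path now skips it, so the tail should be checked before the patch is committed. The crash itself is clear from the trace: `goto out` reached `INP_UNLOCK(inp)` with `inp` still unassigned, which matches `inp = (struct inpcb *) 0x0` in the kgdb locals and a fault address of 0xa0, a small offset from NULL. Note also that `so->so_state` is tested before `sotoinpcb(so)` and before any inpcb lock is held, so this check is only a racy fast path and the disconnected case still has to be handled correctly after the lock is taken; an alternative that keeps the single exit is to move the `SS_ISDISCONNECTED` test after `inp` is assigned and locked, so that `goto out` stays valid. tcp6_usr_accept begins and ends outside this hunk.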


FreeBSD 7.0-CURRENT #1: Fri Jun 16 00:19:30 CEST 2006
     root_at_leefnet.office.internl.net:/usr/obj/usr/src/sys/LEEFNET

Fatal trap 12: page fault while in kernel mode
fault virtual address	= 0xa0
fault code		= supervisor write, page not present
instruction pointer	= 0x20:0xc0573d7e
stack pointer	        = 0x28:0xd6ec7c08
frame pointer	        = 0x28:0xd6ec7c2c
code segment		= base 0x0, limit 0xfffff, type 0x1b
 			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 766 (httpd)
trap number		= 12
panic: page fault
KDB: stack backtrace:
kdb_backtrace(100,c215dd80,28,d6ec7bc8,c) at kdb_backtrace+0x29
panic(c063640e,c0644b03,0,fffff,c226e69b) at panic+0xa8
trap_fatal(d6ec7bc8,a0,c215dd80,0,2) at trap_fatal+0x2a6
trap_pfault(d6ec7bc8,0,a0) at trap_pfault+0x1eb
trap(c04b0008,c25a0028,c2150028,0,35) at trap+0x3b5
calltrap() at calltrap+0x5
--- trap 0xc, eip = 0xc0573d7e, esp = 0xd6ec7c08, ebp = 0xd6ec7c2c ---
tcp6_usr_accept(c25d1bac,d6ec7c54,d6ec7c58,d6ec7c7c,c0522193) at tcp6_usr_accept+0xc2
soaccept(c25d1bac,d6ec7c54,c25ac900,0,0) at soaccept+0x7d
accept1(c215dd80,d6ec7d04,0,d6ec7d30,c0612946) at accept1+0x42f
accept(c215dd80,d6ec7d04,3,206,c0670028) at accept+0x10
syscall(3b,3b,3b,82063b0,83dc050) at syscall+0x2ee
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (30, FreeBSD ELF32, accept), eip = 0x283c37ff, esp = 0xbfbfec0c, ebp = 0xbfbfec38 ---
Uptime: 7d11h16m47s
Physical memory: 505 MB
Dumping 127 MB: 112 96 80 64 48 32 16

(kgdb) f 7
#7  0xc0573d7e in tcp6_usr_accept (so=0xc215dd80, nam=0xd6ec7c54)
     at atomic.h:149
149             __asm __volatile (
(kgdb) info locals
inp = (struct inpcb *) 0x0
error = 53
addr = {s_addr = 3256212864}
addr6 = {__u6_addr = {__u6_addr8 = "\000\000\000\0004|ìÖ\232kNÀNé2Â",
     __u6_addr16 = {0, 0, 31796, 55020, 27546, 49230, 59726, 49714},
     __u6_addr32 = {0, 3605822516, 3226364826, 3258116430}}}
port = 0
v4 = 0
Received on Mon Jun 26 2006 - 07:16:39 UTC
