kern/60856: [patch] panic at tcp_output(), with TCPDEBUG and INET6, and SO_DEBUG(socket)

Galois Zheng zyf11 at mail.ustc.edu.cn
Sat Jan 3 06:40:26 PST 2004


>Number:         60856
>Category:       kern
>Synopsis:       [patch] panic at tcp_output(), with TCPDEBUG and INET6, and SO_DEBUG(socket)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 03 06:40:18 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Galois Zheng
>Release:        5.2-RC2, 5.2-current
>Organization:
G2 Project, Univ. Science and Technology of China
>Environment:
FreeBSD 5.2-RC2 or 5.2-Current, PIII 866MHz, 256M memory, hard disk: 14G Quantum Fireball.
>Description:
     This problem exists in both 5.2-RC and 5.2-current.
     In .../netinet/tcp_output.c there are the following lines:
=============================================================
#ifdef TCPDEBUG
    if (so->so_options & SO_DEBUG) {
        u_short save = ipov->ih_len;
        ipov->ih_len = htons(m->m_pkthdr.len);
        tcp_trace(TA_OUTPUT, tp->t_state, tp, mtod(m, void *), th, 0);
        ipov->ih_len = save;
    }
#endif
========================================================
Please note the variable "ipov", which is a "struct ipovly *" pointer; it is used without any check. But when sending an IPv6 packet, the variable "isipv6" is set to 1, so line 682, "ipov = (struct ipovly *)ip;", is not executed. When execution reaches the above TCPDEBUG code block, the ipov pointer is used uninitialized.
The kernel will panic with "supervisor read, page not present".
    It looks like the bad code is very careless. It is not very complicated.
>How-To-Repeat:
      Compile the kernel of 5.2-current or 5.2-RC2 with: options INET, INET6, TCPDEBUG.
      Set its IPv6 address, such as 3ffe:1111:ffff:1000::2, then set another host's IPv6 address to 3ffe:1111:ffff:1000::1.
    At the FreeBSD-5.2 box with the INET6 and TCPDEBUG options, run the command "ftp -d 3ffe:1111:ffff:1000::1" and log in to the other host.
    Then in the ftp environment, run pwd, help, ...; when running the "ps" or "get filename" command, the FreeBSD-5.2 box will panic and display messages like "page not present..., at tcp_output+0xyyy", and so on.
>Fix:
      When I met this panic several times, I objdumped the problem kernel, located the problem code and created a patch for tcp_output.c (both 5.2-current and 5.2-RC2 can use it):
=======================================================
#diff -u tcp_output.c.orig tcp_output.c > tcp_output.patch
#cat tcp_output.patch
--- tcp_output.c.orig   2003-11-20 20:07:38.000000000 +0000
+++ tcp_output.c        2004-01-03 22:13:47.000000000 +0000
@@ -849,9 +849,19 @@
     * Trace.
     */
    if (so->so_options & SO_DEBUG) {
-       u_short save = ipov->ih_len;
+       u_short save;
+#ifdef INET6
+       if (!isipv6)
+#endif
+           {
+       save = ipov->ih_len;
        ipov->ih_len = htons(m->m_pkthdr.len /* - hdrlen + (th->th_off << 2) */);
+           }
+
        tcp_trace(TA_OUTPUT, tp->t_state, tp, mtod(m, void *), th, 0);
+#ifdef INET6
+       if (!isipv6)
+#endif
        ipov->ih_len = save;
    }
 #endif
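Review bot: `u_short save;` is now declared without an initializer and only assigned inside the first `if (!isipv6)` block, while the restore `ipov->ih_len = save;` sits under a second, separate `if (!isipv6)`; the two guards are the same condition so the logic holds, but a compiler cannot see that and will warn about `save` being possibly uninitialized, so write `u_short save = 0;`. The braced block after the first guard, with `{` and `}` on their own lines at a deeper indent than the statements they enclose, also reads oddly next to the brace-less second guard; putting the brace on the `if` line inside the `#ifdef INET6` (and an unconditional `{` in the `#else` branch) or hoisting the condition into one local flag that both guards test would keep the two paths visibly in step and follow the surrounding style.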

>Release-Note:
>Audit-Trail:
>Unformatted:
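To make the control flow in the report concrete, here is an added user-space model of the SO_DEBUG trace block; it is example code written for this page, not the PR's patch nor FreeBSD's tcp_output.c. The header overlay, the mbuf and tcp_trace() are simplified stand-ins (the model's struct ipovly_model has only ih_len, the tracer only records the length it is shown, and the never-assigned ipov of the IPv6 path is modelled as NULL so the fault can be reported instead of crashing the process). The guarded=0 path reproduces the unguarded block the PR describes; guarded=1 applies the PR's `if (!isipv6)` guards around the save/restore:

```c
#include <arpa/inet.h>   /* htons, ntohs */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for struct ipovly: only the field the trace block
 * rewrites. (The real overlay has ih_x1/ih_pr before ih_len.) */
struct ipovly_model {
    uint16_t ih_len;
};

/* Constructed stand-in for the mbuf: the packet header length plus the first
 * bytes of the packet, where the IPv4 header (and so the overlay) would sit. */
struct mbuf_model {
    int pkthdr_len;
    unsigned char data[64];
};

/* What the stand-in tracer was shown. */
struct trace_record {
    int state;
    uint16_t shown_len;   /* ipov->ih_len (network order) during the trace; 0 on the IPv6 path */
};

static void tcp_trace_model(struct trace_record *rec, int state,
                            const struct ipovly_model *ipov)
{
    rec->state = state;
    rec->shown_len = ipov != NULL ? ipov->ih_len : 0;
}

/* Build a constructed packet whose overlay field starts out as ih_len_net. */
static struct mbuf_model make_packet(int pkthdr_len, uint16_t ih_len_net)
{
    struct mbuf_model m;
    memset(&m, 0, sizeof m);
    m.pkthdr_len = pkthdr_len;
    memcpy(m.data, &ih_len_net, sizeof ih_len_net);
    return m;
}

static uint16_t current_ih_len(const struct mbuf_model *m)
{
    uint16_t v;
    memcpy(&v, m->data, sizeof v);
    return v;
}

/*
 * Model of the TCPDEBUG/SO_DEBUG trace block. isipv6 selects the header path
 * as in tcp_output(); so_debug stands for (so->so_options & SO_DEBUG).
 * Returns 0, or -1 where the real kernel would dereference an ipov that was
 * never set.
 */
static int trace_block(struct mbuf_model *m, int isipv6, int so_debug,
                       int guarded, struct trace_record *rec)
{
    struct ipovly_model *ipov = NULL;   /* never written on the IPv6 path, as in the report */
    uint16_t save = 0;

    if (!isipv6)
        ipov = (struct ipovly_model *)m->data;   /* the IPv4-only assignment the PR cites */

    if (!so_debug)
        return 0;                                /* no SO_DEBUG: the block is skipped entirely */

    if (!guarded || !isipv6) {
        if (ipov == NULL)
            return -1;                           /* unguarded IPv6: the "page not present" panic */
        save = ipov->ih_len;
        ipov->ih_len = htons((uint16_t)m->pkthdr_len);
    }
    tcp_trace_model(rec, 4 /* TCPS_ESTABLISHED */, isipv6 ? NULL : ipov);
    if (!guarded || !isipv6)
        ipov->ih_len = save;                     /* put the overlay back for the code that follows */
    return 0;
}

int main(void)
{
    struct trace_record rec = {0, 0};
    struct mbuf_model m4 = make_packet(60, htons(40));
    struct mbuf_model m6 = make_packet(80, 0);

    printf("v4 unguarded: rc=%d shown=%u restored=%u\n",
           trace_block(&m4, 0, 1, 0, &rec), ntohs(rec.shown_len), ntohs(current_ih_len(&m4)));
    printf("v6 unguarded: rc=%d (the kernel would panic here)\n", trace_block(&m6, 1, 1, 0, &rec));
    printf("v6 guarded:   rc=%d\n", trace_block(&m6, 1, 1, 1, &rec));
    printf("v6 no SO_DEBUG: rc=%d\n", trace_block(&m6, 1, 0, 0, &rec));
    return 0;
}
```

The three conditions in the PR's title are all visible in the model: the block only runs under SO_DEBUG, the pointer is only valid on the non-IPv6 path, and the guard fixes it by skipping the overlay rewrite rather than by initializing ipov, so the IPv4 save/restore behaviour is unchanged.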