[Bug 272319] FreeBSD kernel crash on MPD5 restart with PPP configuration.

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 02 Jul 2023 11:52:40 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272319

Aleksandr Fedorov <afedorov@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |afedorov@FreeBSD.org

--- Comment #7 from Aleksandr Fedorov <afedorov@FreeBSD.org> ---
Evgeniy sent me the output of `p priv->so`:

$24 = {so_lock = {lock_object = {lo_name = 0xffffffff807f7904 "socket",
lo_flags = 21168128,
      lo_data = 0, lo_witness = 0xfffff8007cd5a800}, mtx_lock = 0}, so_count =
1, so_rdsel = {
    si_tdlist = {tqh_first = 0x0, tqh_last = 0x0}, si_note = {kl_list =
{slh_first = 0x0},
      kl_lock = 0xffffffff80555a00 <so_rdknl_lock>,
      kl_unlock = 0xffffffff80555a40 <so_rdknl_unlock>,
      kl_assert_locked = 0xffffffff80555a80 <so_rdknl_assert_locked>,
      kl_assert_unlocked = 0xffffffff80555ac0 <so_rdknl_assert_unlocked>,
      kl_lockarg = 0xfffff8004da77a38, kl_autodestroy = 0}, si_mtx = 0x0},
so_wrsel = {
    si_tdlist = {tqh_first = 0x0, tqh_last = 0x0}, si_note = {kl_list =
{slh_first = 0x0},
      kl_lock = 0xffffffff80555b00 <so_wrknl_lock>,
      kl_unlock = 0xffffffff80555b40 <so_wrknl_unlock>,
      kl_assert_locked = 0xffffffff80555b80 <so_wrknl_assert_locked>,
      kl_assert_unlocked = 0xffffffff80555bc0 <so_wrknl_assert_unlocked>,
      kl_lockarg = 0xfffff8004da77a38, kl_autodestroy = 0}, si_mtx = 0x0},
so_type = 1,
  so_options = 514, so_linger = 0, so_state = 256, so_pcb = 0xfffff800355bd988,
  so_vnet = 0xfffff8000203e8c0, so_proto = 0xffffffff80a62460 <inetsw+192>,
so_timeo = 0,
  so_error = 0, so_rerror = 0, so_sigio = 0x0, so_cred = 0xfffff8005f954400,
so_label = 0x0,
  so_gencnt = 11170, so_emuldata = 0x0, so_dtor = 0x0, osd = {osd_nslots = 0,
osd_slots = 0x0,
    osd_next = {le_next = 0x0, le_prev = 0x0}}, so_fibnum = 0, so_user_cookie =
0,
  so_ts_clock = 0, so_max_pacing_rate = 0, {{so_rcv = {sb_mtx = {lock_object =
{lo_name = 0x0,
            lo_flags = 1302821776, lo_data = 4294965248, lo_witness = 0x0},
          mtx_lock = 18446735278919351200}, sb_sx = {lock_object = {lo_name =
0x0, lo_flags = 1,
            lo_data = 0, lo_witness = 0x0}, sx_lock = 0}, sb_sel = 0x0,
sb_state = 0,
        sb_mb = 0x0, sb_mbtail = 0x80000000001, sb_lastrecord = 0x800000010000,
        sb_sndptr = 0x8200820, sb_fnrdy = 0x0, sb_sndptroff = 0, sb_acc = 0,
sb_ccc = 0,
        sb_hiwat = 0, sb_mbcnt = 0, sb_mcnt = 0, sb_ccnt = 0, sb_mbmax = 0,
sb_ctl = 0,
        sb_lowat = 0, sb_timeo = 0, sb_flags = 0, sb_upcall = 0x0, sb_upcallarg
= 0x0,
        sb_aiojobq = {tqh_first = 0x0, tqh_last = 0x0}, sb_aiotask = {ta_link =
{
            stqe_next = 0x0}, ta_pending = 0, ta_priority = 0, ta_func = 0x0,
ta_context = 0x0}},
      so_snd = {sb_mtx = {lock_object = {lo_name = 0x0, lo_flags = 0, lo_data =
0,
            lo_witness = 0x0}, mtx_lock = 0}, sb_sx = {lock_object = {lo_name =
0x0,
            lo_flags = 0, lo_data = 0, lo_witness = 0x0}, sx_lock = 0}, sb_sel
= 0x0,
        sb_state = 0, sb_mb = 0x0, sb_mbtail = 0x0, sb_lastrecord = 0x0,
sb_sndptr = 0x0,
        sb_fnrdy = 0x0, sb_sndptroff = 0, sb_acc = 0, sb_ccc = 0, sb_hiwat = 0,
sb_mbcnt = 0,
        sb_mcnt = 0, sb_ccnt = 0, sb_mbmax = 0, sb_ctl = 0, sb_lowat = 0,
sb_timeo = 0,
        sb_flags = 0, sb_upcall = 0x0, sb_upcallarg = 0x0, sb_aiojobq =
{tqh_first = 0x0,
          tqh_last = 0x0}, sb_aiotask = {ta_link = {stqe_next = 0x0},
ta_pending = 0,
          ta_priority = 0, ta_func = 0x0, ta_context = 0x0}}, so_list =
{tqe_next = 0x0,
        tqe_prev = 0x0}, so_listen = 0x0, so_qstate = SQ_NONE, so_peerlabel =
0x0,
      so_oobmark = 0}, {sol_incomp = {tqh_first = 0x0, tqh_last =
0xfffff8004da77b90},
      sol_comp = {tqh_first = 0x0, tqh_last = 0xfffff8004da77ba0}, sol_qlen =
0, sol_incqlen = 0,
      sol_qlimit = 1, sol_accept_filter = 0x0, sol_accept_filter_arg = 0x0,
      sol_accept_filter_str = 0x0, sol_upcall = 0x0, sol_upcallarg = 0x0,
sol_sbrcv_lowat = 1,
      sol_sbsnd_lowat = 2048, sol_sbrcv_hiwat = 65536, sol_sbsnd_hiwat = 32768,
      sol_sbrcv_flags = 2080, sol_sbsnd_flags = 2080, sol_sbrcv_timeo = 0,
sol_sbsnd_timeo = 0}}}
(kgdb)

priv->so->so_options == 512 (0x202 = SO_ACCEPTCONN | SO_REUSEADDR), so this is a
LISTENING socket.

After this commit:
https://github.com/freebsd/freebsd-src/commit/779f106aa169256b7010a1d8f963ff656b881e92

Accessing the so_rcv and so_snd fields is invalid for a listening socket, because
they occupy the same storage as the sol_* fields.
