kern/100940: passing file descriptor over datagram UNIX domain socket crashes kernel
Maxim Konovalov
maxim at macomnet.ru
Sat Jul 29 20:30:27 UTC 2006
The following reply was made to PR kern/100940; it has been noted by GNATS.
From: Maxim Konovalov <maxim at macomnet.ru>
To: Young Hyun <youngh at caida.org>
Cc: bug-followup at freebsd.org
Subject: Re: kern/100940: passing file descriptor over datagram UNIX domain socket crashes kernel
Date: Sun, 30 Jul 2006 00:21:32 +0400 (MSD)
Hello,
[...]
> >Release: FreeBSD 6.1-STABLE-200607 i386
> >Organization:
> CAIDA/UCSD
> >Environment:
> System: FreeBSD brak.caida.org 6.1-STABLE-200607 FreeBSD
> 6.1-STABLE-200607 #0: Wed Jul 26 18:32:47 PDT 2006
> root at brak.caida.org:/usr/src/sys/i386/compile/SMP i386
>
>
>
> >Description:
>
> Passing file descriptors over a SOCK_DGRAM UNIX domain socket crashes
> the kernel with "Fatal trap 12: page fault while in kernel mode".
> This bug is probably closely related to (but not identical with)
> PR kern/93914. In PR 93914, the sample code passes file descriptors
> over a SOCK_STREAM socket, and it no longer causes a kernel crash under
> 6.1-STABLE. My own SOCK_STREAM-based test program that crashes the 5.4
> kernel also fails to crash the 6.1 kernel. In the present case, the
> kernel crashes in code specific to the handling of SOCK_DGRAM sockets
> (though, of course, that doesn't exclude the possibility of the same
> underlying problem behind this and PR 93914 and which somehow only got
> masked for the SOCK_STREAM case in 6.1-STABLE).
>
> #0 doadump () at pcpu.h:165
> #1 0xc06632ca in boot (howto=260) at ../../../kern/kern_shutdown.c:409
> #2 0xc0663621 in panic (fmt=0xc08913da "%s")
> at ../../../kern/kern_shutdown.c:565
> #3 0xc085bfd6 in trap_fatal (frame=0xde946b54, eva=8)
> at ../../../i386/i386/trap.c:836
> #4 0xc085bcdf in trap_pfault (frame=0xde946b54, usermode=0, eva=8)
> at ../../../i386/i386/trap.c:744
> #5 0xc085b8d5 in trap (frame=
> {tf_fs = -1017839608, tf_es = -1014300632, tf_ds = 40, tf_edi = -1016513388, tf_esi = -1017187284, tf_ebp = -560698452, tf_isp = -560698496, tf_ebx = 0, tf_edx = 0, tf_ecx = 0, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1066768486, tf_cs = 32, tf_eflags = 66118, tf_esp = -560698440, tf_ss = -1065577831})
> at ../../../i386/i386/trap.c:434
> #6 0xc08484da in calltrap () at ../../../i386/i386/exception.s:139
> #7 0xc06a679a in uipc_send (so=0xc35ef42c, flags=0, m=0xc38f3500,
> nam=0xc35474f0, control=0xc351b900, td=0xc3552900)
> at ../../../kern/uipc_usrreq.c:432
> #8 0xc069dc8f in sosend (so=0xc35ef42c, addr=0xc35474f0, uio=0xde946c3c,
> top=0xc38f3500, control=0xc351d600, flags=0, td=0xc3552900)
> at ../../../kern/uipc_socket.c:836
> #9 0xc06a36a5 in kern_sendit (td=0xc3552900, s=3, mp=0xde946cb4, flags=0,
> control=0xc351d600, segflg=UIO_USERSPACE)
> at ../../../kern/uipc_syscalls.c:772
> #10 0xc06a355f in sendit (td=0xc3552900, s=3, mp=0xde946cb4, flags=0)
> at ../../../kern/uipc_syscalls.c:712
> #11 0xc06a3976 in sendmsg (td=0xc3552900, uap=0xde946d04)
> at ../../../kern/uipc_syscalls.c:920
> #12 0xc085c31b in syscall (frame=
> {tf_fs = 671350843, tf_es = -1078001605, tf_ds = -1078001605, tf_edi = 671410632, tf_esi = -1077940984, tf_ebp = -1077941096, tf_isp = -560698012, tf_ebx = 1, tf_edx = 17, tf_ecx = 17, tf_eax = 28, tf_trapno = 32, tf_err = 2, tf_eip = 672073267, tf_cs = 51, tf_eflags = 658, tf_esp = -1077941300, tf_ss = 59})
> at ../../../i386/i386/trap.c:981
> #13 0xc084852f in Xint0x80_syscall () at ../../../i386/i386/exception.s:200
> #14 0x00000033 in ?? ()
> Previous frame inner to this frame (corrupt stack?)
> (kgdb) up 7
> #7 0xc06a679a in uipc_send (so=0xc35ef42c, flags=0, m=0xc38f3500,
> nam=0xc35474f0, control=0xc351b900, td=0xc3552900)
> at ../../../kern/uipc_usrreq.c:432
> 432 so2 = unp->unp_conn->unp_socket;
> (kgdb) p unp->unp_conn
> $1 = (struct unpcb *) 0x0
> (kgdb) p *unp
> $2 = {unp_link = {le_next = 0xc3693a64, le_prev = 0xc09a7098},
> unp_socket = 0xc35ef42c, unp_vnode = 0xc38d2660, unp_ino = 0,
> unp_conn = 0x0, unp_refs = {lh_first = 0x0}, unp_reflink = {le_next = 0x0,
> le_prev = 0xc36938d8}, unp_addr = 0xc3547390, unp_cc = 0, unp_mbcnt = 0,
> unp_gencnt = 100, unp_flags = 0, unp_peercred = {cr_version = 0, cr_uid = 0,
> cr_ngroups = 0, cr_groups = {0 <repeats 16 times>}, _cr_unused1 = 0x0}}
> (kgdb)
>
> >How-To-Repeat:
>
> Execute the attached sample code, and let it run for a few minutes. The
> sample code is the same one supplied for PR kern/91224, except there it
> caused a crash in a different part of the kernel (PR 91224 is closed).
[...]
While 6.1-RELEASE panics on your testcase, I could not reproduce the
panic on today's 6.1-STABLE. Could you please upgrade your system and
test? Thanks!
--
Maxim Konovalov
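The operation the report exercises, passing a descriptor as SCM_RIGHTS ancillary data over a SOCK_DGRAM AF_UNIX socket, written out with the checks a caller needs; this is an added example, not the PR's attached test program, and it assumes a connected socketpair, a one-byte payload and function names of my own choosing.

```c
#include <sys/socket.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Send fd as SCM_RIGHTS in a one-byte datagram; 0 on success, -1 on error. */
static int send_fd(int sock, int fd)
{
    char b = 'x', cbuf[CMSG_SPACE(sizeof(int))] = { 0 };
    struct iovec iov = { &b, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&m);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof fd);   /* the descriptor travels here */
    return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
}

/* Receive one datagram; returns the attached fd, or -1 if none arrived. */
static int recv_fd(int sock)
{
    char b, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &b, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *cm; int fd = -1;
    if (recvmsg(sock, &m, 0) != 1)
        return -1;
    for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
        if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
            memcpy(&fd, CMSG_DATA(cm), sizeof fd);
    return fd;
}

/* Pass an fd for path across a SOCK_DGRAM AF_UNIX socketpair (constructed
 * test harness); 1 if the received descriptor names the same file, else 0. */
static int roundtrip(const char *path)
{
    int sv[2], fd, got = -1, ok = 0;
    struct stat a, s;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        return 0;
    if ((fd = open(path, O_RDONLY)) >= 0 && send_fd(sv[0], fd) == 0 &&
        (got = recv_fd(sv[1])) >= 0 && fstat(fd, &a) == 0 && fstat(got, &s) == 0)
        ok = a.st_dev == s.st_dev && a.st_ino == s.st_ino;
    if (got >= 0) close(got);
    if (fd >= 0) close(fd);
    close(sv[0]); close(sv[1]);
    return ok;
}
```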