SCTP panic with sctp_send()

Michael Tuexen tuexen at freebsd.org
Sat Jun 26 19:29:03 UTC 2010


On Jun 26, 2010, at 3:00 PM, Valentin Nechayev wrote:

> Hi,
> 
> FreeBSD 7.3-RELEASE i386
> 
> Fatal trap 12: page fault while in kernel mode
> fault virtual address   = 0x0
> fault code              = supervisor read, page not present
> instruction pointer     = 0x20:0xc05955ca
> stack pointer           = 0x28:0xe783bb94
> frame pointer           = 0x28:0xe783bc80
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                        = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 7751 (spc)
> trap number             = 12
> panic: page fault
> Uptime: 20d6h25m18s
> Physical memory: 1910 MB
> Dumping 265 MB: 250 234 218 202 186 170 154 138 122 106 90 74 58 42 26 10
> 
> (kgdb) bt
> #0  doadump () at pcpu.h:196
> #1  0xc053a730 in boot (howto=260) at /usr/BSD/src/sys/kern/kern_shutdown.c:418
> #2  0xc053a931 in panic (fmt=Variable "fmt" is not available.
> ) at /usr/BSD/src/sys/kern/kern_shutdown.c:574
> #3  0xc0762e4c in trap_fatal (frame=0xe783bb54, eva=0)
>    at /usr/BSD/src/sys/i386/i386/trap.c:950
> #4  0xc07630b0 in trap_pfault (frame=0xe783bb54, usermode=0, eva=0)
>    at /usr/BSD/src/sys/i386/i386/trap.c:863
> #5  0xc0763a92 in trap (frame=0xe783bb54)
>    at /usr/BSD/src/sys/i386/i386/trap.c:541
> #6  0xc074f81b in calltrap () at /usr/BSD/src/sys/i386/i386/exception.s:166
> #7  0xc05955ca in sctp_generic_sendmsg (td=0xcafb7d80, uap=0xe783bcfc)
>    at /usr/BSD/src/sys/kern/uipc_syscalls.c:2386
> #8  0xc0763405 in syscall (frame=0xe783bd38)
>    at /usr/BSD/src/sys/i386/i386/trap.c:1101
> #9  0xc074f880 in Xint0x80_syscall ()
>    at /usr/BSD/src/sys/i386/i386/exception.s:262
> #10 0x00000033 in ?? ()
> Previous frame inner to this frame (corrupt stack?)
> 
> (kgdb) f 7
> #7  0xc05955ca in sctp_generic_sendmsg (td=0xcafb7d80, uap=0xe783bcfc)
>    at /usr/BSD/src/sys/kern/uipc_syscalls.c:2386
> 2386                    ktrsockaddr(to);
> (kgdb) p to
> $1 = (struct sockaddr *) 0x0
> (kgdb) l
> 2381            error = getsock(td->td_proc->p_fd, uap->sd, &fp, NULL);
> 2382            if (error)
> 2383                    goto sctp_bad;
> 2384    #ifdef KTRACE
> 2385            if (KTRPOINT(td, KTR_STRUCT))
> 2386                    ktrsockaddr(to);
> 2387    #endif
> 2388
> 2389            iov[0].iov_base = uap->msg;
> 2390            iov[0].iov_len = uap->mlen;
> 
> As seen from code, if uap->tolen is zero, `to' isn't initialized and remains
> NULL. This error is identical to -CURRENT.
Thanks for reporting it. It is fixed in r209540 for current.

Best regards
Michael
> 
> Seems this zero originates from libc code for sctp_send():
> 
> ===
> #ifdef SYS_sctp_generic_sendmsg
>        struct sockaddr *to = NULL;
> 
>        return (syscall(SYS_sctp_generic_sendmsg, sd,
>            data, len, to, 0, sinfo, flags));
> #else
> ===
> 
> why after `to'?
> 
> 
> -netch-
> 
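The failure path discussed above, as an added userland model (not FreeBSD kernel or libc code, and not the change made in r209540, whose exact form the thread does not show): the optional destination address is only copied in when tolen is non-zero, so `to` stays NULL for the tolen == 0 case that libc's sctp_send() always produces, and an unconditional trace call then reads through the NULL pointer. All function and type names here (model_sctp_sendmsg, copyin_to, trace_sockaddr, trace_record, guard_null) are invented for the model; in the model the NULL read is reported as EFAULT instead of faulting, so both the buggy and the guarded shape can be exercised.

```c
/* Userland model of the NULL `to' pointer reaching the trace hook.
 * Invented names; not the FreeBSD kernel's own functions. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* What the simulated tracer recorded; family == -1 means nothing was traced. */
struct trace_record {
    int calls;
    int family;
};

/* Stand-in for ktrsockaddr(): the real hook reads sa->sa_family through the
 * pointer, so NULL faults at virtual address 0. The model returns EFAULT for
 * that case instead of crashing, so the buggy path can be run and inspected. */
static int trace_sockaddr(const struct sockaddr *sa, struct trace_record *tr)
{
    if (sa == NULL)
        return EFAULT;          /* represents the "fault virtual address = 0x0" panic */
    tr->calls++;
    tr->family = sa->sa_family;
    return 0;
}

/* Stand-in for copying the optional destination address in from user space.
 * tolen == 0 means "no address was supplied" and *top is deliberately left
 * NULL, exactly the state the report describes. Returns 0 or an errno value. */
static int copyin_to(const struct sockaddr *uto, socklen_t tolen, struct sockaddr **top)
{
    *top = NULL;
    if (tolen == 0)
        return 0;
    if (uto == NULL || tolen < sizeof(struct sockaddr) ||
        tolen > sizeof(struct sockaddr_storage))
        return EINVAL;
    *top = malloc(tolen);
    if (*top == NULL)
        return ENOMEM;
    memcpy(*top, uto, tolen);
    return 0;
}

/* Model of the send system call. ktrace_on stands in for KTRPOINT(td, KTR_STRUCT).
 * guard_null == false calls the trace hook unconditionally (the shape in the
 * quoted uipc_syscalls.c); guard_null == true skips it when no address exists.
 * Returns mlen on success or -errno. */
static long model_sctp_sendmsg(const void *msg, size_t mlen,
                               const struct sockaddr *uto, socklen_t tolen,
                               bool ktrace_on, bool guard_null,
                               struct trace_record *tr)
{
    struct sockaddr *to = NULL;
    int error = copyin_to(uto, tolen, &to);
    if (error)
        return -error;
    if (ktrace_on && (!guard_null || to != NULL)) {
        error = trace_sockaddr(to, tr);     /* unguarded + tolen == 0 => NULL here */
        if (error) {
            free(to);
            return -error;
        }
    }
    (void)msg;                              /* payload handling is not modelled */
    free(to);
    return (long)mlen;
}

/* Model of libc's sctp_send(): it always passes to = NULL and tolen = 0,
 * which is why plain sctp_send() under struct tracing reaches the bad path. */
static long model_sctp_send(const void *msg, size_t mlen,
                            bool ktrace_on, bool guard_null, struct trace_record *tr)
{
    return model_sctp_sendmsg(msg, mlen, NULL, 0, ktrace_on, guard_null, tr);
}

/* Scenario: sctp_send() with tracing enabled, with and without the guard. */
static long scenario_sctp_send(bool guard_null)
{
    struct trace_record tr = { 0, -1 };
    const char msg[] = "constructed payload";          /* constructed sample data */
    return model_sctp_send(msg, sizeof(msg) - 1, true, guard_null, &tr);
}

/* Scenario: an explicit IPv4 destination is supplied, so the guard lets the
 * trace run; returns the address family the tracer saw, or -1 on error. */
static int scenario_traced_family(void)
{
    struct trace_record tr = { 0, -1 };
    struct sockaddr_in sin;                             /* constructed address */
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    long r = model_sctp_sendmsg("x", 1, (const struct sockaddr *)&sin, sizeof sin,
                                true, true, &tr);
    return r == 1 ? tr.family : -1;
}

int main(void)
{
    printf("unguarded sctp_send under tracing: %ld (expect -EFAULT = %d)\n",
           scenario_sctp_send(false), -EFAULT);
    printf("guarded sctp_send under tracing:   %ld bytes\n", scenario_sctp_send(true));
    printf("traced family with real address:   %d (AF_INET = %d)\n",
           scenario_traced_family(), AF_INET);
    return 0;
}
```

The model makes the two preconditions visible separately: tracing of struct arguments must be active, and the caller must have supplied no address, which the libc wrapper does on every call. Guarding the trace call on `to != NULL` (or checking tolen before tracing) closes the path without changing what a caller that does pass an address gets traced.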