On Thu, Mar 14, 2013 at 03:20:06PM +0000, Keith wrote:
> uvm_fault(0xffffffff80d44ea0, 0x0x 0x 2) -> e
> kernel: page fault trap, code=0
> Stopped at sounsplice+0x44: andw $0xfeff,0x1a8(%r12)
> ddb{0}>
I was thinking about this crash again, and I concluded there is
another race. It looks like so or sosp in sounsplice() is
NULL. Before calling sounsplice() we check that condition everywhere
except in soidle().
When a timeout is fired, a network interrupt can unsplice() the
sockets before soidle() goes to splsoftnet(). In this case,
unsplice() is called twice. So check whether splicing still exists
within the lock.
Keith, can you test this patch?
bluhm
Index: kern/uipc_socket.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/kern/uipc_socket.c,v
retrieving revision 1.114
diff -u -p -r1.114 uipc_socket.c
--- kern/uipc_socket.c 16 Feb 2013 14:34:52 -0000 1.114
+++ kern/uipc_socket.c 17 Mar 2013 09:47:22 -0000
@@ -1443,8 +1443,10 @@ soidle(void *arg)
int s;
s = splsoftnet();
- so->so_error = ETIMEDOUT;
- sounsplice(so, so->so_splice, 1);
+ if (so->so_splice) {
+ so->so_error = ETIMEDOUT;
+ sounsplice(so, so->so_splice, 1);
+ }
splx(s);
}
#endif /* SOCKET_SPLICE */
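Review bot: the new `if (so->so_splice)` guard sits correctly after `splsoftnet()`, but nothing in the hunk says why it is there; a one-line comment above it (e.g. `/* sounsplice() may already have run from a network interrupt */`) would keep a later reader from removing it as redundant. The guard also depends on sounsplice() clearing so->so_splice before the timeout can observe it, which this hunk does not show; worth confirming in the same review.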