Re: page fault trap stopped at pipex_close_session

Fri, 05 Jul 2013 00:58:47 -0700 

On Thu, 4 Jul 2013, Marko Cupa? wrote:
> On Thu, 4 Jul 2013 11:32:08 +0100
> Stuart Henderson <[email protected]> wrote:
> 
> > On 2013/07/04 10:47, Marko Cupa? wrote:
> > > One of my firewalls hanged twice in last 10 days. Anyone willing to
> > > help please? Thank you in advance.
> > > 
> > > Console message:
> > > 
> > > uvm_fault(0xd8f5f680, 0x0, 0, 3) -> e
> > > kernel: page fault trap, code=0
> > > Stopped at   pipex_close_session+0xc4:   movl   %eax,0x6c(%exc)
> > > ddb{3}>
> > 
> > Next time it happens please collect output from at least "trace"
> 
> I would have (as stated on http://www.openbsd.org/report.html), but it
> wouldn't have taken input from USB keyboard. If I understand well, now
> is the time to set sysctl ddb.console=1 and wait for another hang, am
> I right? And once it happens get into ddb by hitting Ctl+Alt+Esc on
> the keyboard?

If it's a USB keyboard, then ddb.console=1 won't help.  That can serve as 
a test case: if you have ddb.console=1 and Ctl+Alt+Esc gets you into ddb 
and you can type commands there, then it'll work after a crash.

If not, well, serial is the other option.  If you system has something 
like Intel's AMT for serial-over-network, then that may work, though it's 
kinda scary to set up...


Regarding your pipex crash, the location pipex_close_session+0xc4 
indicates that it crashed in the LIST_REMOVE() macro in 
pipex_close_session() when trying to update the 'prev' pointer in the 
*next* element.  I.e., either this item isn't really on a list, or the 
_next_ item was freed while it was still on the list.  I believe the 
latter occurred: I think pipex_destroy_session() can be closed on a 
session in the PIPEX_STATE_CLOSE_WAIT state, in which case that session is 
on the list headed by pipex_close_wait_list and needs to be removed from 
that before being freed.

Please try the following diff.


Philip Guenther

Index: net/pipex.c
===================================================================
RCS file: /cvs/src/sys/net/pipex.c,v
retrieving revision 1.42
diff -u -p -r1.42 pipex.c
--- net/pipex.c 8 Jun 2013 14:24:38 -0000       1.42
+++ net/pipex.c 5 Jul 2013 07:42:36 -0000
@@ -608,6 +608,9 @@ pipex_destroy_session(struct pipex_sessi
                KASSERT(rn != NULL);
        }
 
+       if (session->state == PIPEX_STATE_CLOSE_WAIT)
+               LIST_REMOVE(session, state_list);
+
        LIST_REMOVE(session, id_chain);
        LIST_REMOVE(session, session_list);
 #ifdef PIPEX_PPTP

Reply via email to