On Mon, May 12, 2014 at 11:01:02AM -0700, Philip Guenther wrote:
> On Sun, 11 May 2014, RD Thrush wrote:
> > kernel: page fault trap, code=0
> > Stopped at unp_disconnect+0x76: movl 0x18(%edx),%eax
>
> That's the unp2->unp_nextref dereference at line 593:
> if (unp2->unp_nextref == unp)
>
> So the links between UNIX datagram sockets are corrupt.
I have seen a similar crash on an i386 OpenBSD 5.2 machine.
m_free_unlocked(efffeecc,0,f54d3ddc,d483ac64,d07b7c28) at m_free_unlocked+0xf
m_freem(efffeecc,d4b3e744,d4b3e744,d4be9c08,d4d9f040) at m_freem+0x28
unp_drop(d6a3ffc0,36,f54d3ddc,d034229f,d07b74e0) at unp_drop+0x41
unp_detach(d4d9f040,40,f54d3dfc,d0359a15,d07b74e0) at unp_detach+0x50
uipc_usrreq(d4be9d20,1,0,0,0) at uipc_usrreq+0x2d8
soclose(d4be9d20,d4c5178c,f54d3e5c,d0320488,d4c5178c) at soclose+0xd6
soo_close(d4c5178c,d4b3e744,7c8b3000,fffffffd,d4c5178c) at soo_close+0x1b
fdrop(d4c5178c,d4b3e744,7c8b4000,7a86b465,d4c65684,802,1,d4c643a8,cfc00000,d07b16a0,0,f54d3e9c,d4c4ba68,d07b16a0,8,d03426de) at fdrop+0x28
closef(d4c5178c,d4b3e744,c07,0,d4b3e744) at closef+0xb3
fdfree(d4b3e744,9,7c8b3000,7c8b3000,1) at fdfree+0x52
exit1(d4b3e744,100,1,d0329d52,d07af9e4) at exit1+0xeb
sys_exit(d4b3e744,f54d3f64,f54d3f84,d0329d52,d07af9e4) at sys_exit+0x25
syscall() at syscall+0x237
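There it was syslog, which had a bad unp_addr during shutdown; in the gdb output below, unp_addr and unp_nextref both hold 0xefffeecc, the same value that appears as the first argument of m_freem() and m_free_unlocked() in the trace above.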
(gdb) print *((struct unpcb *)0xd4d9f040)->unp_refs
$25 = {unp_socket = 0xd07b7c28, unp_vnode = 0xf60a2370, unp_ino = 0,
unp_conn = 0x0, unp_refs = 0x0, unp_nextref = 0xefffeecc,
unp_addr = 0xefffeecc, unp_flags = 0, unp_connid = {uid = 0, gid = 0,
pid = 0}, unp_cc = 0, unp_mbcnt = 0, unp_ctime = {tv_sec = 1397683681,
tv_nsec = 596964155}}
bluhm