Re: 9.99.104: panic in tcp_shutdown_wrapper
On Sun, Oct 30, 2022 at 5:12 PM J. Hannken-Illjes wrote: > > > On 30. Oct 2022, at 06:52, Michael van Elst wrote: > > > > ozak...@netbsd.org (Ryota Ozaki) writes: > > > >> I've committed a possible fix. Could you try it? > > > >> Thanks, > >> ozaki-r > > > > > > I just got a NULL pointer dereference in tcp_ctloutput where > > the previous check for inp == NULL is also missing. > > > > [ 24837.756043] fp c0016794db70 tcp_ctloutput() at c02ec4b4 > > netbsd:tcp_ctloutput+0x94 > > [ 24837.756043] fp c0016794dcc0 tcp_ctloutput_wrapper() at > > c02d2680 netbsd:tcp_ctloutput_wrapper+-0x31150 > > [ 24837.756043] fp c0016794dcf0 sosetopt() at c0603cbc > > netbsd:sosetopt+0x78 > > [ 24837.756043] fp c0016794ddb0 sys_setsockopt() at c060b0fc > > netbsd:sys_setsockopt+0x7c > > [ 24837.766041] fp c0016794de20 syscall() at c00b30fc > > netbsd:syscall+0x19c > > > > That's: > > > > int > > tcp_ctloutput(int op, struct socket *so, struct sockopt *sopt) > > { > > ... > > s = splsoftnet(); > >inp = sotoinpcb(so); > > ... > >} > >tp = intotcpcb(inp); <- > > > >switch (op) { > > ... and Syzcaller (https://syzkaller.appspot.com/netbsd) has a > bunch of new tcp related crashes starting ~2 days before ... It seems that all of the failures stem from the missing NULL checks. So they should be fixed now. ozaki-r
Re: 9.99.104: panic in tcp_shutdown_wrapper
On Sun, Oct 30, 2022 at 2:52 PM Michael van Elst wrote: > > ozak...@netbsd.org (Ryota Ozaki) writes: > > >I've committed a possible fix. Could you try it? > > >Thanks, > > ozaki-r > > > I just got a NULL pointer dereference in tcp_ctloutput where > the previous check for inp == NULL is also missing. > > [ 24837.756043] fp c0016794db70 tcp_ctloutput() at c02ec4b4 > netbsd:tcp_ctloutput+0x94 > [ 24837.756043] fp c0016794dcc0 tcp_ctloutput_wrapper() at > c02d2680 netbsd:tcp_ctloutput_wrapper+-0x31150 > [ 24837.756043] fp c0016794dcf0 sosetopt() at c0603cbc > netbsd:sosetopt+0x78 > [ 24837.756043] fp c0016794ddb0 sys_setsockopt() at c060b0fc > netbsd:sys_setsockopt+0x7c > [ 24837.766041] fp c0016794de20 syscall() at c00b30fc > netbsd:syscall+0x19c > > That's: > > int > tcp_ctloutput(int op, struct socket *so, struct sockopt *sopt) > { > ... > s = splsoftnet(); > inp = sotoinpcb(so); > ... > } > tp = intotcpcb(inp); <- > > switch (op) { > Thank you for the report. I've fixed the panic too. ozaki-r
Re: 9.99.104: panic in tcp_shutdown_wrapper
> On 30. Oct 2022, at 06:52, Michael van Elst wrote: > > ozak...@netbsd.org (Ryota Ozaki) writes: > >> I've committed a possible fix. Could you try it? > >> Thanks, >> ozaki-r > > > I just got a NULL pointer dereference in tcp_ctloutput where > the previous check for inp == NULL is also missing. > > [ 24837.756043] fp c0016794db70 tcp_ctloutput() at c02ec4b4 > netbsd:tcp_ctloutput+0x94 > [ 24837.756043] fp c0016794dcc0 tcp_ctloutput_wrapper() at > c02d2680 netbsd:tcp_ctloutput_wrapper+-0x31150 > [ 24837.756043] fp c0016794dcf0 sosetopt() at c0603cbc > netbsd:sosetopt+0x78 > [ 24837.756043] fp c0016794ddb0 sys_setsockopt() at c060b0fc > netbsd:sys_setsockopt+0x7c > [ 24837.766041] fp c0016794de20 syscall() at c00b30fc > netbsd:syscall+0x19c > > That's: > > int > tcp_ctloutput(int op, struct socket *so, struct sockopt *sopt) > { > ... > s = splsoftnet(); >inp = sotoinpcb(so); > ... >} >tp = intotcpcb(inp); <- > >switch (op) { ... and Syzcaller (https://syzkaller.appspot.com/netbsd) has a bunch of new tcp related crashes starting ~2 days before ... -- J. Hannken-Illjes - hann...@mailbox.org signature.asc Description: Message signed with OpenPGP
Re: 9.99.104: panic in tcp_shutdown_wrapper
ozak...@netbsd.org (Ryota Ozaki) writes: >I've committed a possible fix. Could you try it? >Thanks, > ozaki-r I just got a NULL pointer dereference in tcp_ctloutput where the previous check for inp == NULL is also missing. [ 24837.756043] fp c0016794db70 tcp_ctloutput() at c02ec4b4 netbsd:tcp_ctloutput+0x94 [ 24837.756043] fp c0016794dcc0 tcp_ctloutput_wrapper() at c02d2680 netbsd:tcp_ctloutput_wrapper+-0x31150 [ 24837.756043] fp c0016794dcf0 sosetopt() at c0603cbc netbsd:sosetopt+0x78 [ 24837.756043] fp c0016794ddb0 sys_setsockopt() at c060b0fc netbsd:sys_setsockopt+0x7c [ 24837.766041] fp c0016794de20 syscall() at c00b30fc netbsd:syscall+0x19c That's: int tcp_ctloutput(int op, struct socket *so, struct sockopt *sopt) { ... s = splsoftnet(); inp = sotoinpcb(so); ... } tp = intotcpcb(inp); <- switch (op) {
Re: 9.99.104: panic in tcp_shutdown_wrapper
Hi, I've committed a possible fix. Could you try it? Thanks, ozaki-r On Sun, Oct 30, 2022 at 12:17 AM Thomas Klausner wrote: > > Hi! > > A couple hours later, my shell was in an NFS mounted directory (probably idle > for some time) and I tried tab-completing an entry, and it panicked again. > Same location as below. > > Hand copied: > tcp_shutdown_wrapper+0x20 > nfs_disconnect+0x69 > nfs_reconnect+0x1a > nfs_request+0x7fb > nfs_access+0x1ed > VOP_ACCESS+0x61 > nfs_lookup+052f > VOP_LOOKUP+0x8a > lookup_once+0x1a6 > namei_tryemulroot+0xb00 > namei+0x29 > vn_open+0x133 > do_open+0xc3 > do_sys_openat+0x74 > sys_open+0x24 > syscall+0x196 > > Thomas > > > On 29.10.2022, at 11:53, Thomas Klausner wrote: > > > > Hi! > > > > I’ve upgraded from 9.99.100 (stable) to 9.99.104 this morning (kernel + > > user land, but packages still the old ones built on 9.99.100 in case it > > matters). > > A couple hours later I started transmission-gtk and the machine immediately > > panicked. > > > > Hand copied: > > > > uvm_fault(0xf8b04ab6d8f0, 0x0, 1) -> e > > Fatal page fault in supervisor mode > > Trap type 6 code 0 rip 0x80b06b82 cs 0x8 rflags 0x10246 cr2 0x38 > > ilevel 0 rsp 0xfc62191caaaf0 > > Curlwp 0xff8b08ac6d040 pid 6904.22757 lowest kstack 0xfc62191ca62c0 > > Kernel: page fault trap, code = 0 > > Stopped in pid 6904.22757 (transmission-gtk) at > > netbsd:tcp_shutdown_wrapper+0x20 > > : movq 38(%rax), %r14 > > tcp_shutdown_wrapper() at netbsd:tcp_shutdown_wrapper:0x20 > > nfs_disconnect() at netbsd:nfs_disconnect+0x69 > > nfs_reconnect() at netbsd:nfs_reconnect+0x1a > > nfs_request() at netbsd:nfs_request+0x7fb > > nfs_statvfs() at netbsd:nfs_statvfs+0x173 > > VFS_STATVFS() at netbsd:VFS_STATVFS+0x22 > > dostatvfs() at netbsd:dostatvfs+0x132 > > do_sys_getvfsstat() at netbsd:do_sys_getvfsstat+0x9f > > sys___getvfsstat90() at netbsd:sys___getvfsstat90+0x2b > > syscall() at netbsd:syscall+0x196 > > > > I have nfs mounted some shares from a Synology station. > > > > Ideas? Perhaps the pcb merge changes from this week? > > Thomas >
Re: 9.99.104: panic in tcp_shutdown_wrapper
Hi! A couple hours later, my shell was in an NFS mounted directory (probably idle for some time) and I tried tab-completing an entry, and it panicked again. Same location as below. Hand copied: tcp_shutdown_wrapper+0x20 nfs_disconnect+0x69 nfs_reconnect+0x1a nfs_request+0x7fb nfs_access+0x1ed VOP_ACCESS+0x61 nfs_lookup+052f VOP_LOOKUP+0x8a lookup_once+0x1a6 namei_tryemulroot+0xb00 namei+0x29 vn_open+0x133 do_open+0xc3 do_sys_openat+0x74 sys_open+0x24 syscall+0x196 Thomas > On 29.10.2022, at 11:53, Thomas Klausner wrote: > > Hi! > > I’ve upgraded from 9.99.100 (stable) to 9.99.104 this morning (kernel + user > land, but packages still the old ones built on 9.99.100 in case it matters). > A couple hours later I started transmission-gtk and the machine immediately > panicked. > > Hand copied: > > uvm_fault(0xf8b04ab6d8f0, 0x0, 1) -> e > Fatal page fault in supervisor mode > Trap type 6 code 0 rip 0x80b06b82 cs 0x8 rflags 0x10246 cr2 0x38 > ilevel 0 rsp 0xfc62191caaaf0 > Curlwp 0xff8b08ac6d040 pid 6904.22757 lowest kstack 0xfc62191ca62c0 > Kernel: page fault trap, code = 0 > Stopped in pid 6904.22757 (transmission-gtk) at > netbsd:tcp_shutdown_wrapper+0x20 > : movq 38(%rax), %r14 > tcp_shutdown_wrapper() at netbsd:tcp_shutdown_wrapper:0x20 > nfs_disconnect() at netbsd:nfs_disconnect+0x69 > nfs_reconnect() at netbsd:nfs_reconnect+0x1a > nfs_request() at netbsd:nfs_request+0x7fb > nfs_statvfs() at netbsd:nfs_statvfs+0x173 > VFS_STATVFS() at netbsd:VFS_STATVFS+0x22 > dostatvfs() at netbsd:dostatvfs+0x132 > do_sys_getvfsstat() at netbsd:do_sys_getvfsstat+0x9f > sys___getvfsstat90() at netbsd:sys___getvfsstat90+0x2b > syscall() at netbsd:syscall+0x196 > > I have nfs mounted some shares from a Synology station. > > Ideas? Perhaps the pcb merge changes from this week? > Thomas