subject:"Re\: 9.99.104\: panic in tcp_shutdown

Re: 9.99.104: panic in tcp_shutdown_wrapper

2022-10-30 Thread Ryota Ozaki

On Sun, Oct 30, 2022 at 5:12 PM J. Hannken-Illjes  wrote:
>
> > On 30. Oct 2022, at 06:52, Michael van Elst  wrote:
> >
> > ozak...@netbsd.org (Ryota Ozaki) writes:
> >
> >> I've committed a possible fix.  Could you try it?
> >
> >> Thanks,
> >> ozaki-r
> >
> >
> > I just got a NULL pointer dereference in tcp_ctloutput where
> > the previous check for inp == NULL is also missing.
> >
> > [ 24837.756043] fp c0016794db70 tcp_ctloutput() at c02ec4b4 
> > netbsd:tcp_ctloutput+0x94
> > [ 24837.756043] fp c0016794dcc0 tcp_ctloutput_wrapper() at 
> > c02d2680 netbsd:tcp_ctloutput_wrapper+-0x31150
> > [ 24837.756043] fp c0016794dcf0 sosetopt() at c0603cbc 
> > netbsd:sosetopt+0x78
> > [ 24837.756043] fp c0016794ddb0 sys_setsockopt() at c060b0fc 
> > netbsd:sys_setsockopt+0x7c
> > [ 24837.766041] fp c0016794de20 syscall() at c00b30fc 
> > netbsd:syscall+0x19c
> >
> > That's:
> >
> > int
> > tcp_ctloutput(int op, struct socket *so, struct sockopt *sopt)
> > {
> > ...
> >   s = splsoftnet();
> >inp = sotoinpcb(so);
> > ...
> >}
> >tp = intotcpcb(inp); <-
> >
> >switch (op) {
>
> ... and Syzcaller (https://syzkaller.appspot.com/netbsd) has a
> bunch of new tcp related crashes starting ~2 days before ...

It seems that all of the failures stem from the missing NULL checks.
So they should be fixed now.

  ozaki-r

Re: 9.99.104: panic in tcp_shutdown_wrapper

2022-10-30 Thread Ryota Ozaki

On Sun, Oct 30, 2022 at 2:52 PM Michael van Elst  wrote:
>
> ozak...@netbsd.org (Ryota Ozaki) writes:
>
> >I've committed a possible fix.  Could you try it?
>
> >Thanks,
> >  ozaki-r
>
>
> I just got a NULL pointer dereference in tcp_ctloutput where
> the previous check for inp == NULL is also missing.
>
> [ 24837.756043] fp c0016794db70 tcp_ctloutput() at c02ec4b4 
> netbsd:tcp_ctloutput+0x94
> [ 24837.756043] fp c0016794dcc0 tcp_ctloutput_wrapper() at 
> c02d2680 netbsd:tcp_ctloutput_wrapper+-0x31150
> [ 24837.756043] fp c0016794dcf0 sosetopt() at c0603cbc 
> netbsd:sosetopt+0x78
> [ 24837.756043] fp c0016794ddb0 sys_setsockopt() at c060b0fc 
> netbsd:sys_setsockopt+0x7c
> [ 24837.766041] fp c0016794de20 syscall() at c00b30fc 
> netbsd:syscall+0x19c
>
> That's:
>
> int
> tcp_ctloutput(int op, struct socket *so, struct sockopt *sopt)
> {
> ...
> s = splsoftnet();
> inp = sotoinpcb(so);
> ...
> }
> tp = intotcpcb(inp); <-
>
> switch (op) {
>

Thank you for the report.  I've fixed the panic too.

  ozaki-r

Re: 9.99.104: panic in tcp_shutdown_wrapper

2022-10-30 Thread J. Hannken-Illjes

> On 30. Oct 2022, at 06:52, Michael van Elst  wrote:
> 
> ozak...@netbsd.org (Ryota Ozaki) writes:
> 
>> I've committed a possible fix.  Could you try it?
> 
>> Thanks,
>> ozaki-r
> 
> 
> I just got a NULL pointer dereference in tcp_ctloutput where
> the previous check for inp == NULL is also missing.
> 
> [ 24837.756043] fp c0016794db70 tcp_ctloutput() at c02ec4b4 
> netbsd:tcp_ctloutput+0x94
> [ 24837.756043] fp c0016794dcc0 tcp_ctloutput_wrapper() at 
> c02d2680 netbsd:tcp_ctloutput_wrapper+-0x31150
> [ 24837.756043] fp c0016794dcf0 sosetopt() at c0603cbc 
> netbsd:sosetopt+0x78
> [ 24837.756043] fp c0016794ddb0 sys_setsockopt() at c060b0fc 
> netbsd:sys_setsockopt+0x7c
> [ 24837.766041] fp c0016794de20 syscall() at c00b30fc 
> netbsd:syscall+0x19c
> 
> That's:
> 
> int
> tcp_ctloutput(int op, struct socket *so, struct sockopt *sopt)
> {
> ...
>   s = splsoftnet();
>inp = sotoinpcb(so);
> ...
>}
>tp = intotcpcb(inp); <-
> 
>switch (op) {

... and Syzcaller (https://syzkaller.appspot.com/netbsd) has a
bunch of new tcp related crashes starting ~2 days before ...

--
J. Hannken-Illjes - hann...@mailbox.org


signature.asc
Description: Message signed with OpenPGP

Re: 9.99.104: panic in tcp_shutdown_wrapper

2022-10-29 Thread Michael van Elst

ozak...@netbsd.org (Ryota Ozaki) writes:

>I've committed a possible fix.  Could you try it?

>Thanks,
>  ozaki-r


I just got a NULL pointer dereference in tcp_ctloutput where
the previous check for inp == NULL is also missing.

[ 24837.756043] fp c0016794db70 tcp_ctloutput() at c02ec4b4 
netbsd:tcp_ctloutput+0x94
[ 24837.756043] fp c0016794dcc0 tcp_ctloutput_wrapper() at c02d2680 
netbsd:tcp_ctloutput_wrapper+-0x31150
[ 24837.756043] fp c0016794dcf0 sosetopt() at c0603cbc 
netbsd:sosetopt+0x78
[ 24837.756043] fp c0016794ddb0 sys_setsockopt() at c060b0fc 
netbsd:sys_setsockopt+0x7c
[ 24837.766041] fp c0016794de20 syscall() at c00b30fc 
netbsd:syscall+0x19c

That's:

int   
tcp_ctloutput(int op, struct socket *so, struct sockopt *sopt)
{
...
s = splsoftnet();
inp = sotoinpcb(so);
...
}
tp = intotcpcb(inp); <-

switch (op) {

Re: 9.99.104: panic in tcp_shutdown_wrapper

2022-10-29 Thread Ryota Ozaki

Hi,

I've committed a possible fix.  Could you try it?

Thanks,
  ozaki-r

On Sun, Oct 30, 2022 at 12:17 AM Thomas Klausner  wrote:
>
> Hi!
>
> A couple hours later, my shell was in an NFS mounted directory (probably idle 
> for some time) and I tried tab-completing an entry, and it panicked again.
> Same location as below.
>
> Hand copied:
> tcp_shutdown_wrapper+0x20
> nfs_disconnect+0x69
> nfs_reconnect+0x1a
> nfs_request+0x7fb
> nfs_access+0x1ed
> VOP_ACCESS+0x61
> nfs_lookup+052f
> VOP_LOOKUP+0x8a
> lookup_once+0x1a6
> namei_tryemulroot+0xb00
> namei+0x29
> vn_open+0x133
> do_open+0xc3
> do_sys_openat+0x74
> sys_open+0x24
> syscall+0x196
>
>  Thomas
>
> > On 29.10.2022, at 11:53, Thomas Klausner  wrote:
> >
> > Hi!
> >
> > I’ve upgraded from 9.99.100 (stable) to 9.99.104 this morning (kernel + 
> > user land, but packages still the old ones built on 9.99.100 in case it 
> > matters).
> > A couple hours later I started transmission-gtk and the machine immediately 
> > panicked.
> >
> > Hand copied:
> >
> > uvm_fault(0xf8b04ab6d8f0, 0x0, 1) -> e
> > Fatal page fault in supervisor mode
> > Trap type 6 code 0 rip 0x80b06b82 cs 0x8 rflags 0x10246 cr2 0x38 
> > ilevel 0 rsp 0xfc62191caaaf0
> > Curlwp 0xff8b08ac6d040 pid 6904.22757 lowest kstack 0xfc62191ca62c0
> > Kernel: page fault trap, code = 0
> > Stopped in pid 6904.22757 (transmission-gtk) at 
> > netbsd:tcp_shutdown_wrapper+0x20
> > : movq 38(%rax), %r14
> > tcp_shutdown_wrapper() at netbsd:tcp_shutdown_wrapper:0x20
> > nfs_disconnect() at netbsd:nfs_disconnect+0x69
> > nfs_reconnect() at netbsd:nfs_reconnect+0x1a
> > nfs_request() at netbsd:nfs_request+0x7fb
> > nfs_statvfs() at netbsd:nfs_statvfs+0x173
> > VFS_STATVFS() at netbsd:VFS_STATVFS+0x22
> > dostatvfs() at netbsd:dostatvfs+0x132
> > do_sys_getvfsstat() at netbsd:do_sys_getvfsstat+0x9f
> > sys___getvfsstat90() at netbsd:sys___getvfsstat90+0x2b
> > syscall() at netbsd:syscall+0x196
> >
> > I have nfs mounted some shares from a Synology station.
> >
> > Ideas? Perhaps the pcb merge changes from this week?
> > Thomas
>

Re: 9.99.104: panic in tcp_shutdown_wrapper

2022-10-29 Thread Thomas Klausner

Hi!

A couple hours later, my shell was in an NFS mounted directory (probably idle 
for some time) and I tried tab-completing an entry, and it panicked again.
Same location as below.

Hand copied:
tcp_shutdown_wrapper+0x20
nfs_disconnect+0x69
nfs_reconnect+0x1a
nfs_request+0x7fb
nfs_access+0x1ed
VOP_ACCESS+0x61
nfs_lookup+052f
VOP_LOOKUP+0x8a
lookup_once+0x1a6
namei_tryemulroot+0xb00
namei+0x29
vn_open+0x133
do_open+0xc3
do_sys_openat+0x74
sys_open+0x24
syscall+0x196

 Thomas

> On 29.10.2022, at 11:53, Thomas Klausner  wrote:
> 
> Hi!
> 
> I’ve upgraded from 9.99.100 (stable) to 9.99.104 this morning (kernel + user 
> land, but packages still the old ones built on 9.99.100 in case it matters).
> A couple hours later I started transmission-gtk and the machine immediately 
> panicked.
> 
> Hand copied:
> 
> uvm_fault(0xf8b04ab6d8f0, 0x0, 1) -> e
> Fatal page fault in supervisor mode
> Trap type 6 code 0 rip 0x80b06b82 cs 0x8 rflags 0x10246 cr2 0x38 
> ilevel 0 rsp 0xfc62191caaaf0
> Curlwp 0xff8b08ac6d040 pid 6904.22757 lowest kstack 0xfc62191ca62c0
> Kernel: page fault trap, code = 0
> Stopped in pid 6904.22757 (transmission-gtk) at 
> netbsd:tcp_shutdown_wrapper+0x20
> : movq 38(%rax), %r14
> tcp_shutdown_wrapper() at netbsd:tcp_shutdown_wrapper:0x20
> nfs_disconnect() at netbsd:nfs_disconnect+0x69
> nfs_reconnect() at netbsd:nfs_reconnect+0x1a
> nfs_request() at netbsd:nfs_request+0x7fb
> nfs_statvfs() at netbsd:nfs_statvfs+0x173
> VFS_STATVFS() at netbsd:VFS_STATVFS+0x22
> dostatvfs() at netbsd:dostatvfs+0x132
> do_sys_getvfsstat() at netbsd:do_sys_getvfsstat+0x9f
> sys___getvfsstat90() at netbsd:sys___getvfsstat90+0x2b
> syscall() at netbsd:syscall+0x196
> 
> I have nfs mounted some shares from a Synology station.
> 
> Ideas? Perhaps the pcb merge changes from this week?
> Thomas

Re: 9.99.104: panic in tcp_shutdown_wrapper

Re: 9.99.104: panic in tcp_shutdown_wrapper

Re: 9.99.104: panic in tcp_shutdown_wrapper

Re: 9.99.104: panic in tcp_shutdown_wrapper

Re: 9.99.104: panic in tcp_shutdown_wrapper

Re: 9.99.104: panic in tcp_shutdown_wrapper

6 matches

Site Navigation

Mail list logo

Footer information