Fatal trap 12 in binding V6 socket in FreeBSD 5.1-p2

• Previous message: Eric W. Bates: "Re: Need help with strange routing situation"
• Next in thread: Jan Mikael Melen: "Re: Fatal trap 12 in binding V6 socket in FreeBSD 5.1-p2"
• Reply: Jan Mikael Melen: "Re: Fatal trap 12 in binding V6 socket in FreeBSD 5.1-p2"
• Maybe reply: Jan Mikael Melen: "Re: Fatal trap 12 in binding V6 socket in FreeBSD 5.1-p2"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

To: freebsd-net@freebsd.org
Date: Fri, 5 Sep 2003 12:40:02 +0300

Has anyone else seen that in the FreeBSD 5.1-p2 if one is binding to a socket
that has earliear been closed but the tcp connection is still in time wait
state will cause a panic in kernel with following error code:
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x6
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc03aa50e
stack pointer = 0x10:0xdcc62c0c
frame pointer = 0x10:0xdcc62c54
code segment = base 0x0, limit 0xfffff, type 0x1b
                                        = DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 33485
trap number = 12
panic: page fault

It seems that the problem is in the in6_pcbbind where the in6_pcblookup_local
is called (in6_pcb.c:231). If the socket has been closed the t->inp_socket
struct has been already freed and set null but the t exists because there
exists a state time wait still for the connection and that's why the
lookup_local will return a valid value for t. After the lookup_local has
returned the in6_pcbbinf will try to access t->inp_socket->so_options which
of course will cause a Fatal trap because it is a NULL pointer.

I've included as an attachment a patch that I have used to fix the problem and
allso as attached a short program which can be used to regenerate the problem
in unpatched FreeBSD 5.1-p2.

It seems that this problem also exists in the KAME SNAP.

  BR. Jan

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

• text/x-diff attachment: patch.p0

• Previous message: Eric W. Bates: "Re: Need help with strange routing situation"
• Next in thread: Jan Mikael Melen: "Re: Fatal trap 12 in binding V6 socket in FreeBSD 5.1-p2"
• Reply: Jan Mikael Melen: "Re: Fatal trap 12 in binding V6 socket in FreeBSD 5.1-p2"
• Maybe reply: Jan Mikael Melen: "Re: Fatal trap 12 in binding V6 socket in FreeBSD 5.1-p2"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages Re: Blocking receive and close ... TCP does this precisely to avoid ... the socket is destroyed immediately. ... The TCP connection hangs ... But just before you enter the recv function, ... (comp.programming.threads) Re: Example network protocol implementation ... Could someone point me to an example that shows a SIMPLE network protocol ... implemented over TCP/IP inside the FreeBSD kernel. ... you call socreate to get a socket. ... (freebsd-hackers) Re: Example network protocol implementation ... Could someone point me to an example that shows a SIMPLE network protocol ... implemented over TCP/IP inside the FreeBSD kernel. ... you call socreate to get a socket. ... (freebsd-questions) Re: Cant get ntp 4.2.0 running ... >I don't know what to do any more, ntp is driving me nuts. ... >example in the Freebsd handbook does not work for me. ... How long did you wait for ntpd to synchronize to the remote server? ... IPv4 socket interface is to open a listening socket for each possible ... (comp.unix.bsd.freebsd.misc) Re: Wich FreeBSD version to install ... >> I need to build a freeBSD server. ... This machine runs an inn server, ... down TCP connection ... stuff on the sort of machines which exist in the real world. ... (comp.unix.bsd.freebsd.misc)