Fatal trap 12 in binding V6 socket in FreeBSD 5.1-p2
Jan Mikael Melen
jmgm at iki.fi
Fri Sep 5 02:39:01 PDT 2003
Has anyone else seen that in FreeBSD 5.1-p2, binding to a socket that has earlier
been closed but whose TCP connection is still in TIME_WAIT state will cause a
panic in the kernel with the following error code:
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x6
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc03aa50e
stack pointer = 0x10:0xdcc62c0c
frame pointer = 0x10:0xdcc62c54
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 33485
trap number = 12
panic: page fault
It seems that the problem is in in6_pcbbind, where in6_pcblookup_local
is called (in6_pcb.c:231). If the socket has been closed, the t->inp_socket
struct has already been freed and set to NULL, but t exists because there
is still a TIME_WAIT state for the connection, and that's why
lookup_local will return a valid value for t. After lookup_local has
returned, in6_pcbbind will try to access t->inp_socket->so_options, which
of course will cause a fatal trap because it is a NULL pointer.
I've included as an attachment a patch that I have used to fix the problem, and
also, as an attachment, a short program which can be used to regenerate the problem
on unpatched FreeBSD 5.1-p2.
It seems that this problem also exists in the KAME SNAP.
BR. Jan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch.p0
Type: text/x-diff
Size: 1166 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-net/attachments/20030905/9c94e4aa/patch.bin
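The failure path Jan describes, as an added userland model that is not the attached patch or reproducer and not the kernel's own code: a reduced in6_pcblookup_local returns a TIME_WAIT PCB whose inp_socket is already NULL, the unpatched bind check dereferences it unconditionally, and an assumed fix (saving the closing socket's options into the PCB as tw_so_options and consulting those instead of inp_socket) performs the same SO_REUSEADDR/SO_REUSEPORT conflict test without touching the freed socket. The struct layouts, the INP_TIMEWAIT flag value, the port number and the exact reuse rule are simplifications assumed for the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SO_* values as in FreeBSD's sys/socket.h; everything else below is a
 * reduced model of the kernel structures, not the kernel's definitions. */
#define SO_REUSEADDR 0x0004
#define SO_REUSEPORT 0x0200
#define INP_TIMEWAIT 0x1          /* model-only flag: PCB outlived its socket */

struct socket {
    int so_options;
};

struct inpcb {
    uint16_t       inp_lport;     /* bound local port, host order in the model */
    int            inp_flags;     /* INP_TIMEWAIT once the socket is gone */
    struct socket *inp_socket;    /* NULL after close while the PCB lingers */
    int            tw_so_options; /* options saved at close (assumed fix path) */
    struct inpcb  *inp_next;
};

/* Model of in6_pcblookup_local: returns the first PCB on the port, TIME_WAIT
 * entries included, which is why the caller must not assume a live socket. */
static struct inpcb *in6_pcblookup_local(struct inpcb *head, uint16_t lport)
{
    for (struct inpcb *t = head; t != NULL; t = t->inp_next)
        if (t->inp_lport == lport)
            return t;
    return NULL;
}

/* BSD conflict rule (simplified): the existing PCB yields the port only if
 * both sides asked for reuse; SO_REUSEADDR on the new socket counts as either. */
static int reuse_mask(const struct socket *so)
{
    if (so->so_options & SO_REUSEADDR)
        return SO_REUSEADDR | SO_REUSEPORT;
    return so->so_options & SO_REUSEPORT;
}

/* Unpatched pattern from the report: dereference t->inp_socket as soon as the
 * lookup finds a PCB. Fine for a live socket, a NULL dereference for a
 * TIME_WAIT one, so the demo only ever calls it on live PCBs. */
static int in6_pcbbind_check_unpatched(struct inpcb *head,
                                       const struct socket *so, uint16_t lport)
{
    struct inpcb *t = in6_pcblookup_local(head, lport);
    if (t != NULL && (reuse_mask(so) & t->inp_socket->so_options) == 0)
        return EADDRINUSE;
    return 0;
}

/* Same lookup, but only report whether the unpatched line would fault. */
static int unpatched_would_fault(struct inpcb *head, uint16_t lport)
{
    struct inpcb *t = in6_pcblookup_local(head, lport);
    return t != NULL && t->inp_socket == NULL;
}

/* Assumed fix (not the attached patch): a TIME_WAIT PCB has no socket, so use
 * the options saved when it was closed and never touch inp_socket otherwise. */
static int in6_pcbbind_check_fixed(struct inpcb *head,
                                   const struct socket *so, uint16_t lport)
{
    struct inpcb *t = in6_pcblookup_local(head, lport);
    int t_options;

    if (t == NULL)
        return 0;
    if (t->inp_flags & INP_TIMEWAIT)
        t_options = t->tw_so_options;
    else if (t->inp_socket == NULL)
        return EADDRINUSE;        /* inconsistent PCB: refuse rather than fault */
    else
        t_options = t->inp_socket->so_options;
    return (reuse_mask(so) & t_options) == 0 ? EADDRINUSE : 0;
}

/* Model of close(2) on an established TCP socket: the socket is freed, the
 * PCB stays behind in TIME_WAIT carrying the options later binds need. */
static void close_into_timewait(struct inpcb *pcb)
{
    pcb->tw_so_options = pcb->inp_socket->so_options;
    pcb->inp_socket = NULL;
    pcb->inp_flags |= INP_TIMEWAIT;
}

#define PORT 8080  /* constructed sample port */

/* Live socket still bound to PORT: the unpatched check behaves here. */
int live_unpatched_result(int old_opts, int new_opts)
{
    struct socket old_so = { old_opts }, new_so = { new_opts };
    struct inpcb pcb = { PORT, 0, &old_so, 0, NULL };
    return in6_pcbbind_check_unpatched(&pcb, &new_so, PORT);
}

/* Reported scenario: the old socket was closed, the connection is in TIME_WAIT. */
int timewait_unpatched_would_fault(int old_opts)
{
    struct socket old_so = { old_opts };
    struct inpcb pcb = { PORT, 0, &old_so, 0, NULL };
    close_into_timewait(&pcb);
    return unpatched_would_fault(&pcb, PORT);
}

int timewait_fixed_result(int old_opts, int new_opts)
{
    struct socket old_so = { old_opts }, new_so = { new_opts };
    struct inpcb pcb = { PORT, 0, &old_so, 0, NULL };
    close_into_timewait(&pcb);
    return in6_pcbbind_check_fixed(&pcb, &new_so, PORT);
}

int main(void)
{
    printf("live, no reuse:        %d\n", live_unpatched_result(0, 0));
    printf("TIME_WAIT, unpatched:  %s\n",
           timewait_unpatched_would_fault(0) ? "would dereference NULL" : "safe");
    printf("TIME_WAIT, fixed:      %d\n", timewait_fixed_result(0, 0));
    printf("TIME_WAIT, both reuse: %d\n",
           timewait_fixed_result(SO_REUSEADDR, SO_REUSEADDR));
    return 0;
}
```

The point of the model is the ordering of the checks: the fixed path decides whether a socket exists (INP_TIMEWAIT, then an explicit NULL test) before reading so_options, whereas the unpatched path trusts that any PCB returned by the lookup still owns a socket. Note that the fix deliberately keeps EADDRINUSE for a TIME_WAIT port unless both the old and the new socket set a reuse option, so a server that restarts quickly still needs SO_REUSEADDR on both generations of its listening socket.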