
tdb_delete() can panic (in June 6th anoncvs)

When I tried using "ipsecadm new esp ...", I got the following panic:

vm_fault(0xf0a49700, 0, 1, 0) -> 1
kernel: page fault trap, code=0
Stopped at      _tdb_delete+0x73:       movl    0(%edx,%ebx,4),%eax
ddb> trace
_tdb_delete(f0984a00,0,2,f0211274,f0a4ba00) at _tdb_delete+0x73
_pfkeyv2_send(f0a4bb00,f0a4ba00,90,f01f2408,f0a4a900) at
_pfkeyv2_send+0x97e
_pfkey_sendup(f0a4a900,f0a4bb00,f0a40000,2,c0000000) at
_pfkey_sendup+0x163
_raw_usrreq(f0a4bb00,9,f0a4a900,0,0) at _raw_usrreq+0x15e
_pfkey_sendup(f0a4bb00,9,f0a4a900,0,0) at _pfkey_sendup+0x348
_sosend(f0a4bb00,0,f5152f18,f0a4a900,0) at _sosend+0x60f
_soo_write(f0a44700,f5152f18,f0a4a880,f0a49100,f5152f80) at
_soo_write+0x1f
_sys_writev(f0a49100,f5152f88,f5152f80,f01feb34,0) at _sys_writev+0x14d
_syscall() at _syscall+0x242
--- syscall (number 121) ---
0x718f:
ddb> boot sync

After some poking about with the kernel core dump, I tracked it down to
the following:  tdb_delete() does not like an uninitialized "tdbh".  
In my case, pfkeyv2_send() called tdb_delete() before the tdb hash table
was initialized.  I wasn't clever enough to copy the kernel .gdb file to
the /var/crash directory before rebuilding the kernel, but I think the
offending tdb_delete() call was the one on line 892 of net/pfkeyv2.c
(which would suggest the parameters to ipsecadm were wrong--however, I
would argue that a kernel panic is not a good diagnostic for a userland
command-line typo...).

Perhaps "tdbh" should be explicitly initialized somewhere...?  As a
quick workaround, I wrapped an "if(tdbh)" around the dangerous part of
tdb_delete():

/usr/src/sys/netinet>cvs -q -d anoncvs@anoncvs5.usa.openbsd.org:/cvs
diff -wud
Index: ip_ipsp.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_ipsp.c,v
retrieving revision 1.45
diff -w -u -d -r1.45 ip_ipsp.c
--- ip_ipsp.c   1999/06/04 22:40:36     1.45
+++ ip_ipsp.c   1999/06/07 05:29:13
@@ -846,6 +846,8 @@
     hashval &= tdb_hashmask;

     s = spltdb();
+    if(tdbh)
+    {
     if (tdbh[hashval] == tdbp)
     {
        tdbpp = tdbp;
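Review bot: the `if(tdbh)` guard in this hunk hides the symptom rather than the cause. The faulting instruction in the trace, `movl 0(%edx,%ebx,4),%eax` at `_tdb_delete+0x73`, is the `tdbh[hashval]` read on the first guarded line, and it faults because the hash table has never been allocated when `pfkeyv2_send()` asks for a delete. As the report itself suggests, the real fix is to initialise `tdbh` (and `tdb_hashmask`) before any PF_KEY request can reach this code, or to have the caller return an error when no TDB can exist, so a wrong `ipsecadm` argument surfaces as an errno rather than as a silent no-op deep in the SPI table code. If the guard is kept, note that both places that assign `tdbpp` (`tdbpp = tdbp;` in the head-of-bucket case and inside the chain walk) are now skipped when `tdbh` is NULL, while the code after the hunk still tests whether "there was something before us in the chain pointing to us"; `tdbpp` must have a defined value on that bypassed path. Minor: KNF spells the test `if (tdbh)` with a space.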
@@ -858,6 +860,7 @@
            tdbpp->tdb_hnext = tdbp->tdb_hnext;
            tdbpp = tdbp;
        }
+    }

     /*
      * If there was something before us in the chain pointing to us,
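Review bot: the closing brace is the only visible change here because the diff was produced with `-w` (`cvs diff -wud`), so the re-indentation of everything now enclosed by the `if(tdbh)` block is not shown; the committed version should re-indent that block one level so the file reads correctly without a whitespace-ignoring view. It would also help to say in the commit message that this is a stopgap: the report's own diagnosis is that `tdbh` is uninitialised when `pfkeyv2_send()` reaches `tdb_delete()`, and a reviewer will want to know whether allocating the hash table at init time is the intended follow-up.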
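The failure mode described in the report is a delete issued against a hash-chained table whose bucket array has not been allocated yet. The following is an added example, not code from the post or from OpenBSD's ip_ipsp.c: it models `tdbh`/`tdb_hashmask` with a small SA table of its own (the names `sa`, `sa_table`, `sa_init`, `sa_insert`, `sa_delete`, `sa_count` and `sa_demo` are made up for the example) and shows a delete routine that reports ESRCH when the table does not exist or the entry is not in it, instead of dereferencing a NULL bucket array. It also uses a single pointer-to-pointer walk so the head-of-bucket and mid-chain cases need no separate code paths.

```c
/* Added example: a minimal model of a hash-chained SA table whose delete
 * is safe to call before the table has been allocated.  Not OpenBSD code;
 * all names here are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define SA_HASHBITS 4                   /* 16 buckets, deliberately tiny */

struct sa {
    uint32_t   spi;
    uint8_t    proto;
    struct sa *hnext;                   /* next entry in the same bucket */
};

/* Like tdbh / tdb_hashmask in the report: NULL and 0 until sa_init() runs. */
static struct sa **sa_table;
static uint32_t    sa_hashmask;

int sa_init(void)
{
    if (sa_table != NULL)               /* already set up */
        return 0;
    sa_table = calloc(1u << SA_HASHBITS, sizeof(*sa_table));
    if (sa_table == NULL)
        return ENOMEM;
    sa_hashmask = (1u << SA_HASHBITS) - 1;
    return 0;
}

static uint32_t sa_hash(uint32_t spi, uint8_t proto)
{
    return (spi + proto) & sa_hashmask;
}

int sa_insert(struct sa *sa)
{
    uint32_t h;

    if (sa_table == NULL)               /* refuse rather than dereference NULL */
        return EINVAL;
    h = sa_hash(sa->spi, sa->proto);
    sa->hnext = sa_table[h];            /* push at the head of the bucket */
    sa_table[h] = sa;
    return 0;
}

/* Unlink one SA from its bucket.  Returns 0 on success and ESRCH when the
 * entry is not present, including the case where the table was never
 * allocated: there is nothing to delete, so that is not a crash. */
int sa_delete(struct sa *sa)
{
    struct sa **pp;

    if (sa_table == NULL)
        return ESRCH;
    /* pp always points at the link that may hold sa: the bucket head first,
     * then each predecessor's hnext, so head and middle are handled alike. */
    for (pp = &sa_table[sa_hash(sa->spi, sa->proto)]; *pp != NULL;
         pp = &(*pp)->hnext) {
        if (*pp == sa) {
            *pp = sa->hnext;
            sa->hnext = NULL;
            return 0;
        }
    }
    return ESRCH;
}

/* Number of entries currently linked into the table. */
size_t sa_count(void)
{
    size_t n = 0;
    uint32_t i;

    if (sa_table == NULL)
        return 0;
    for (i = 0; i <= sa_hashmask; i++) {
        struct sa *p;
        for (p = sa_table[i]; p != NULL; p = p->hnext)
            n++;
    }
    return n;
}

/* Walks the report's scenario (delete before init) and then a normal
 * init/insert/delete cycle on two colliding entries.  Returns 0 if every
 * step behaved as expected, otherwise the number of the failing step. */
int sa_demo(void)
{
    /* Constructed sample entries; both hash to bucket 2 with this mask. */
    static struct sa a = { 0x1000, 50, NULL };
    static struct sa b = { 0x1010, 50, NULL };

    if (sa_delete(&a) != ESRCH) return 1;   /* before init: errno, not a page fault */
    if (sa_init() != 0)         return 2;
    if (sa_insert(&a) != 0)     return 3;
    if (sa_insert(&b) != 0)     return 4;   /* bucket 2 is now b -> a */
    if (sa_count() != 2)        return 5;
    if (sa_delete(&a) != 0)     return 6;   /* mid-chain removal */
    if (sa_count() != 1)        return 7;
    if (sa_delete(&a) != ESRCH) return 8;   /* already gone */
    if (sa_delete(&b) != 0)     return 9;   /* head-of-bucket removal */
    if (sa_count() != 0)        return 10;
    return 0;
}

int main(void)
{
    int r = sa_demo();
    printf("sa_demo: %s (step %d)\n", r == 0 ? "ok" : "FAILED", r);
    return r != 0;
}
```

The point of the example is the first step of `sa_demo()`: the same request that, in the report, turns a userland typo into a kernel panic here comes back as ESRCH, which the caller can hand to the user as an ordinary error.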