Message-Id: <200908151150.n7FBoqn9057198@www.freebsd.org>
Date: Sat, 15 Aug 2009 11:50:52 GMT
From: Bruce Cran <bruce@cran.org.uk>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [sctp] panic: mtx_lock() of destroyed mutex
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         137795
>Category:       kern
>Synopsis:       [sctp] [panic] mtx_lock() of destroyed mutex
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-net
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Aug 15 12:00:15 UTC 2009
>Closed-Date:    Mon Jul 05 00:36:50 UTC 2010
>Last-Modified:  Mon Jul 05 00:36:50 UTC 2010
>Originator:     Bruce Cran
>Release:        8.0-BETA2
>Organization:
>Environment:
FreeBSD tau.draftnet 8.0-BETA2 FreeBSD 8.0-BETA2 #0: Thu Aug 13 21:45:22 BST 2009     brucec@tau.draftnet:/usr/obj/usr/src/sys/DELL  amd64
>Description:
When running a shell script which does nothing but try to connect to another machine, the system eventually panics:

panic: mtx_lock() of destroyed mutex
@ /usr/src/sys/netinet/sctp_output.c:12767

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and
you are welcome to change it and/or distribute copies of it under
certain conditions. Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details. This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:
panic: mtx_lock() of destroyed mutex
@ /usr/src/sys/netinet/sctp_output.c:12767 cpuid = 1
KDB: enter: panic
Uptime: 49s
Physical memory: 4078 MB
Dumping 1251 MB:

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address	= 0x4 1236 1220 1204 1188 1172 1156 1140
1124 1108 1092 1076 1060 1044 1028 1012 996 980 964 948 932 916 900 884
868 852 836 820 804 788 772 756 740 724 708 692 676 660 644 628 612 596
580 564 548 532 516 500 484 468 452 436 420 404 388 372 356 340 324 308
292 276 260 244 228 212 196 180 164 148 132 116 100 84 68 52 36 20 4

Reading symbols from /boot/kernel/blank_saver.ko...Reading symbols
from /boot/kernel/blank_saver.ko.symbols...done. done.
Loaded symbols for /boot/kernel/blank_saver.ko
#0  doadump () at pcpu.h:223
223	pcpu.h: No such file or directory.
	in pcpu.h
(kgdb) #0  doadump () at pcpu.h:223
#1  0xffffffff80582023 in boot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:419
#2  0xffffffff805824ac in panic (fmt=Variable "fmt" is not available.
)
    at /usr/src/sys/kern/kern_shutdown.c:575
#3  0xffffffff80573b75 in _mtx_lock_flags (m=0x0, opts=0, 
    file=0xffffffff80980c58 "/usr/src/sys/netinet/sctp_output.c", line=12767)
    at /usr/src/sys/kern/kern_mutex.c:195
#4  0xffffffff806c8252 in sctp_lower_sosend (so=0xffffff0004d19aa0, addr=0x0,
    uio=0xffffff807987ca30, i_pak=Variable "i_pak" is not available.
)
    at /usr/src/sys/netinet/sctp_output.c:12767
#5  0xffffffff806ca749 in sctp_sosend (so=0xffffff0004d19aa0, addr=0x0, 
    uio=0xffffff807987ca30, top=0x0, control=0x0, flags=0, 
    p=0xffffff0004b81000) at /usr/src/sys/netinet/sctp_output.c:12336
#6  0xffffffff805f1c05 in kern_sendit (td=0xffffff0004b81000, s=3, 
    mp=0xffffff807987cb00, flags=0, control=0x0, segflg=UIO_USERSPACE)
    at /usr/src/sys/kern/uipc_syscalls.c:783
#7  0xffffffff805f1e0c in sendit (td=0xffffff0004b81000, s=3, 
    mp=0xffffff807987cb00, flags=0)
    at /usr/src/sys/kern/uipc_syscalls.c:719
#8  0xffffffff805f1efd in sendto (td=Variable "td" is not available.
)
    at /usr/src/sys/kern/uipc_syscalls.c:835
#9  0xffffffff80862d3f in syscall (frame=0xffffff807987cc80)
    at /usr/src/sys/amd64/amd64/trap.c:984
#10 0xffffffff80849301 in Xfast_syscall ()
    at /usr/src/sys/amd64/amd64/exception.S:373
#11 0x0000000800c501dc in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) 
>How-To-Repeat:
Run:

cat /dev/random | ./ncat --sctp 192.168.1.80 2345

After anywhere from a few to a few hundred attempts, the system will panic.  ncat is the SCTP-enabled version from http://www.roe.ch/Nmap_SCTP
>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: brucec 
Responsible-Changed-When: Sat Aug 15 12:09:35 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=137795 

From: Michael Tuexen <tuexen@freebsd.org>
To: bug-followup@FreeBSD.org,
 bruce@cran.org.uk
Cc:  
Subject: Re: kern/137795: [sctp] [panic] mtx_lock() of destroyed mutex
Date: Mon, 17 Aug 2009 18:07:45 +0200

 Hi Bruce,
 
 Is there a (discard) server running at 192.168.1.80, port 2345?
 
 Best regards
 Michael
 

From: Michael Tuexen <tuexen@fh-muenster.de>
To: bug-followup@FreeBSD.org,
 bruce@cran.org.uk
Cc:  
Subject: Re: kern/137795: [sctp] [panic] mtx_lock() of destroyed mutex
Date: Mon, 17 Aug 2009 21:40:33 +0200

 Hi Bruce,
 
 OK, with a server available it runs fine, but I can reproduce a crash
 when there is no server available. I'll have a look into the problem.
 
 Thanks for reporting the issue.
 
 Best regards
 Michael
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/137795: commit references a PR
Date: Tue, 18 Aug 2009 19:59:03 +0000 (UTC)

 Author: tuexen
 Date: Tue Aug 18 19:58:49 2009
 New Revision: 196364
 URL: http://svn.freebsd.org/changeset/base/196364
 
 Log:
   Fix a crash when using one-to-one style socket in non-blocking
   mode and there is no listening server.
   PR: 137795
   Approved by: re, rrs (mentor)
   MFC after:immediately.
 
 Modified:
   head/sys/netinet/sctp_output.c
 
 Modified: head/sys/netinet/sctp_output.c
 ==============================================================================
 --- head/sys/netinet/sctp_output.c	Tue Aug 18 16:23:09 2009	(r196363)
 +++ head/sys/netinet/sctp_output.c	Tue Aug 18 19:58:49 2009	(r196364)
 @@ -12464,7 +12464,8 @@ sctp_lower_sosend(struct socket *so,
  			error = ENOTCONN;
  			goto out_unlocked;
  		}
 -		hold_tcblock = 0;
 +		SCTP_TCB_LOCK(stcb);
 +		hold_tcblock = 1;
  		SCTP_INP_RUNLOCK(inp);
  		if (addr) {
  			/* Must locate the net structure if addr given */
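 
 Review bot: The added SCTP_TCB_LOCK(stcb) is taken while the inp read lock is still held, immediately before SCTP_INP_RUNLOCK(inp), and nothing in the hunk records why that order matters. If the intent is to close the window in which the association could be torn down after the inp lock is dropped (which would match the destroyed-mutex panic in the PR), a short comment saying so at this spot would keep a later cleanup from reordering the two calls. With hold_tcblock now 1 from here on, also check that every later error path that jumps to out_unlocked, as the ENOTCONN branch just above does, releases the TCB lock first or tests hold_tcblock.
 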
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/137795: commit references a PR
Date: Tue, 18 Aug 2009 20:06:16 +0000 (UTC)

 Author: tuexen
 Date: Tue Aug 18 20:06:00 2009
 New Revision: 196365
 URL: http://svn.freebsd.org/changeset/base/196365
 
 Log:
   Fix a panic when using one-to-one style sockets in non-blocking
   mode and there is no listening server.
   PR: 137795
   Approved by: re, rrs (mentor)
 
 Modified:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
   stable/8/sys/dev/xen/xenpci/   (props changed)
   stable/8/sys/netinet/sctp_output.c
 
 Modified: stable/8/sys/netinet/sctp_output.c
 ==============================================================================
 --- stable/8/sys/netinet/sctp_output.c	Tue Aug 18 19:58:49 2009	(r196364)
 +++ stable/8/sys/netinet/sctp_output.c	Tue Aug 18 20:06:00 2009	(r196365)
 @@ -12464,7 +12464,8 @@ sctp_lower_sosend(struct socket *so,
  			error = ENOTCONN;
  			goto out_unlocked;
  		}
 -		hold_tcblock = 0;
 +		SCTP_TCB_LOCK(stcb);
 +		hold_tcblock = 1;
  		SCTP_INP_RUNLOCK(inp);
  		if (addr) {
  			/* Must locate the net structure if addr given */
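 
 Review bot: SCTP_TCB_LOCK(stcb) on the first added line dereferences stcb, and the only guard visible in this hunk is the tail of the ENOTCONN branch above it. Confirm that this branch (or an earlier check) covers stcb == NULL, and consider asserting it explicitly before taking the lock. The log for this merge also does not name the head revision it carries over (r196364 in the diff header); adding it would make the stable/8 history easier to trace.
 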
 
State-Changed-From-To: open->patched  
State-Changed-By: brucec 
State-Changed-When: Sat Sep 19 22:27:50 UTC 2009 
State-Changed-Why:  
The fix has been committed to HEAD and RELENG_8. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=137795 
State-Changed-From-To: patched->closed  
State-Changed-By: brucec 
State-Changed-When: Mon Jul 5 00:36:28 UTC 2010 
State-Changed-Why:  
Fixed in stable/8 and head. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=137795 
>Unformatted:
