From nobody@FreeBSD.org  Wed May 10 16:54:24 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1FB3B16A76D
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 10 May 2006 16:54:24 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DA54243D5A
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 10 May 2006 16:54:23 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k4AGsNrr056718
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 10 May 2006 16:54:23 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k4AGsNw6056717;
	Wed, 10 May 2006 16:54:23 GMT
	(envelope-from nobody)
Message-Id: <200605101654.k4AGsNw6056717@www.freebsd.org>
Date: Wed, 10 May 2006 16:54:23 GMT
From: Nick Wood <nwood@prohosting.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: page fault on 6.1-RC2 ip_ctloutput
X-Send-Pr-Version: www-2.3

>Number:         97095
>Category:       kern
>Synopsis:       page fault on 6.1-RC2 ip_ctloutput
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    rwatson
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 10 17:00:42 GMT 2006
>Closed-Date:    Mon Aug 14 14:32:27 GMT 2006
>Last-Modified:  Mon Aug 14 14:32:27 GMT 2006
>Originator:     Nick Wood
>Release:        6.1-RC2
>Organization:
ProHosting
>Environment:
FreeBSD mail-da-5.... 6.1-RC2 FreeBSD 6.1-RC2 #0: Fri May  5 07:27:28 MDT 2006     nwood@mail-da-5....:/usr/obj/usr/src/sys/LOCAL  i386
>Description:
Several busy qmail servers are crashing on a regular basis - 1 to 3 times a day.

The running process has usually been tcpserver from the ucspi-tcp-0.88_2 port.  It has been cmd5checkpw (pop authentication) once.

Differences from GENERIC
----------------------
#cpu            I486_CPU
#cpu            I586_CPU
cpu             I686_CPU
ident           MAIL_6_1

# PH Options
options         SUIDDIR
options         QUOTA
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=10
options         NMBCLUSTERS=65536
options         KVA_PAGES="640"
options         VM_KMEM_SIZE_MAX=(512*1048576)
options         VM_KMEM_SIZE_SCALE=2

options         ASR_COMPAT

options         SHMMAXPGS=131072
options         SEMMNI=128
options         SEMMNS=512
options         SEMUME=100
options         SEMMNU=256
----------------------

Backtrace
----------------------
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0x6064e239 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:402
#2  0x6064e4d0 in panic (fmt=0x60894857 "%s") at /usr/src/sys/kern/kern_shutdown.c:558
#3  0x608496d4 in trap_fatal (frame=0x9c8f7ad8, eva=172) at /usr/src/sys/i386/i386/trap.c:836
#4  0x6084943b in trap_pfault (frame=0x9c8f7ad8, usermode=0, eva=172) at /usr/src/sys/i386/i386/trap.c:744
#5  0x60849079 in trap (frame=
      {tf_fs = 1619263496, tf_es = 1627652136, tf_ds = 40, tf_edi = 55, tf_esi = 0, tf_ebp = -1668318412, tf_isp = -1668318460, tf_ebx = -1668318064, tf_edx = 1738397568, tf_ecx = 0, tf_eax = 4, tf_trapno = 12, tf_err = 2, tf_eip = 1617891744, tf_cs = 32, tf_eflags = 66182, tf_esp = 1835631104, tf_ss = 0})
    at /usr/src/sys/i386/i386/trap.c:434
#6  0x6083890a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7  0x606f11a0 in ip_ctloutput (so=0x4, sopt=0x9c8f7c90) at atomic.h:146
#8  0x6070123b in tcp_ctloutput (so=0x66b34858, sopt=0x9c8f7c90) at /usr/src/sys/netinet/tcp_usrreq.c:1038
#9  0x60687c04 in sosetopt (so=0x66b34858, sopt=0x9c8f7c90) at /usr/src/sys/kern/uipc_socket.c:1560
#10 0x6068ce95 in kern_setsockopt (td=0x679dd780, s=0, level=4, name=4, val=0x679dd780, valseg=UIO_USERSPACE,
    valsize=0) at /usr/src/sys/kern/uipc_syscalls.c:1351
#11 0x6068cdc6 in setsockopt (td=0x679dd780, uap=0x4) at /usr/src/sys/kern/uipc_syscalls.c:1307
#12 0x608499eb in syscall (frame=
      {tf_fs = 1606352955, tf_es = 59, tf_ds = 1606352955, tf_edi = 1606413432, tf_esi = 3, tf_ebp = 1606413224, tf_isp = -1668317852, tf_ebx = 0, tf_edx = 2, tf_ecx = 134545464, tf_eax = 105, tf_trapno = 12, tf_err = 2, tf_eip = 672065711, tf_cs = 51, tf_eflags = 514, tf_esp = 1606413180, tf_ss = 59})
    at /usr/src/sys/i386/i386/trap.c:981
#13 0x6083895f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
#14 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
----------------------
>How-To-Repeat:
Run a busy qmail server on FreeBSD 6.1...
>Fix:

>Release-Note:
>Audit-Trail:

From: Maxim Konovalov <maxim@macomnet.ru>
To: Nick Wood <nwood@prohosting.com>
Cc: bug-followup@freebsd.org
Subject: Re: kern/97095: page fault on 6.1-RC2 ip_ctloutput
Date: Wed, 10 May 2006 22:19:47 +0400 (MSD)

 Hello,
 
 What was the panicstr?  Type "p panicstr" in kgdb.  "bt full" might be
 useful too.
 
 -- 
 Maxim Konovalov

From: Nick Wood <nwood@prohosting.com>
To: bug-followup@FreeBSD.org,nwood@prohosting.com
Cc:  
Subject: Re: kern/97095: page fault on 6.1-RC2 ip_ctloutput
Date: Thu, 11 May 2006 07:49:02 -0600

 (kgdb) p panicstr
 $1 = 0x60984700 "page fault"
 
 
 #7  0x606f11a0 in ip_ctloutput (so=0x4, sopt=0x9c8f7c90) at atomic.h:146
          m = (struct mbuf *) 0x6d698200
          inp = (struct inpcb *) 0x0
          error = 55
          optval = 0
 #8  0x6070123b in tcp_ctloutput (so=0x66b34858, sopt=0x9c8f7c90) at /usr/src/sys/netinet/tcp_usrreq.c:1038
          error = 0
          opt = 4
          optval = 1617295058
          inp = (struct inpcb *) 0x67f3e168
          tp = (struct tcpcb *) 0x669e5a80
          ti = {tcpi_state = 128 '\200', __tcpi_ca_state = 90 'Z', __tcpi_retransmits = 158 '\236', __tcpi_probes = 102 'f',
     __tcpi_backoff = 224 'à', tcpi_options = 100 'd', tcpi_snd_wscale = 8 '\b', tcpi_rcv_wscale = 9 '\t',
     __tcpi_rto = 1721654228, __tcpi_ato = 0, __tcpi_snd_mss = 1721653888, __tcpi_rcv_mss = 1715025312,
     __tcpi_unacked = 4294967295, __tcpi_sacked = 2626648968, __tcpi_lost = 1617296199, __tcpi_retrans = 1721653888,
     __tcpi_fackets = 0, __tcpi_last_data_sent = 1715025312, __tcpi_last_ack_sent = 1721653888,
     __tcpi_last_data_recv = 4294967295, __tcpi_last_ack_recv = 2626648992, __tcpi_pmtu = 1617294955,
     __tcpi_rcv_ssthresh = 1721653888, __tcpi_rtt = 0, __tcpi_rttvar = 1721653888, tcpi_snd_ssthresh = 4294967295,
     tcpi_snd_cwnd = 2626649004, __tcpi_advmss = 1617250531, __tcpi_reordering = 1721653888, __tcpi_rcv_rtt = 1738397568,
 ---Type <return> to continue, or q <return> to quit---
     tcpi_rcv_space = 1738397568, tcpi_snd_wnd = 2626649024, tcpi_snd_bwnd = 582, __tcpi_pad = {1725562016, 2626649032,
       1617346244, 2626649056, 1617348583, 1718879432, 1718879432, 1718879432, 0, 2626649084, 1617249887, 1718879432,
       1718879432, 0, 2626649144, 1617375598, 1718879544, 0, 1, 40, 1620600032, 1721653844, 1718879432, 1718879432, 40,
       1718879616, 40, 0, 1718793920, 2626649276, 40, 1738397908}}
 
Responsible-Changed-From-To: freebsd-bugs->rwatson 
Responsible-Changed-By: rwatson 
Responsible-Changed-When: Sun May 14 02:59:24 UTC 2006 
Responsible-Changed-Why:  
Grab ownership of this PR. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=97095 

From: Avleen Vig <lists-freebsd@silverwraith.com>
To: bug-followup@freebsd.org, nwood@prohosting.com
Cc:  
Subject: Re: kern/97095: page fault on 6.1-RC2 ip_ctloutput
Date: Sun, 28 May 2006 14:42:32 -0700

 I'm having the same problem, this is what I sent to hackers@ today:
 
 
 Ok, I finally got a core file with the crash :-)
 Here's what some of kgdb tells me.
 All I can tell, is that the bug happened somewhere around trying to set
 a TOS value for an outbound network packet?
 Help please?
 
 
 [root@gooseberry] ~ # kgdb -c /var/crash/vmcore.0 /usr/obj/usr/src/sys/GOOSEBERRY/kernel.debug
 [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
 GNU gdb 6.1.1 [FreeBSD]
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "i386-marcel-freebsd".
        
 Unread portion of the kernel message buffer:
        
        
 Fatal trap 12: page fault while in kernel mode
 fault virtual address   = 0x58
 fault code              = supervisor write, page not present
 instruction pointer     = 0x20:0xc05efa9a
 stack pointer           = 0x28:0xd6cb7ae0
 frame pointer           = 0x28:0xd6cb7b10
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, def32 1, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 20115 (python)
 trap number             = 12
 panic: page fault
 Uptime: 10d6h22m19s
 Dumping 511 MB (2 chunks)
   chunk 0: 1MB (159 pages) ... ok
   chunk 1: 511MB (130800 pages) 495 479 463 447 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15
 
 #0  doadump () at pcpu.h:165
 165     pcpu.h: No such file or directory.
         in pcpu.h
 (kgdb) where
 #0  doadump () at pcpu.h:165
 #1  0xc0553492 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:402
 #2  0xc05537ac in panic (fmt=0xc071873f "%s")
     at /usr/src/sys/kern/kern_shutdown.c:558
 #3  0xc06fc00c in trap_fatal (frame=0xd6cb7aa0, eva=0)
     at /usr/src/sys/i386/i386/trap.c:836
 #4  0xc06fbd17 in trap_pfault (frame=0xd6cb7aa0, usermode=0, eva=88)
     at /usr/src/sys/i386/i386/trap.c:744
 #5  0xc06fb94d in trap (frame=
       {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = 0, tf_esi = -691307388, tf_ebp = -691307760, tf_isp = -691307828, tf_ebx = 0, tf_edx = -691307120, tf_ecx = 0, tf_eax = 8, tf_trapno = 12, tf_err = 2, tf_eip = -1067517286, tf_cs = 32, tf_eflags = 66183, tf_esp = -691307388, tf_ss = -691307784})
     at /usr/src/sys/i386/i386/trap.c:434
 #6  0xc06e994a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
 #7  0xc05efa9a in ip_ctloutput (so=0x8, sopt=0xd6cb7c84)
     at /usr/src/sys/netinet/ip_output.c:1210
 #8  0xc0601ad1 in tcp_ctloutput (so=0xc57aede8, sopt=0xd6cb7c84)
     at /usr/src/sys/netinet/tcp_usrreq.c:1038
 #9  0xc05971a7 in sosetopt (so=0xc57aede8, sopt=0xd6cb7c84)
     at /usr/src/sys/kern/uipc_socket.c:1560
 #10 0xc059cec9 in kern_setsockopt (td=0xc4b03900, s=8, level=8, name=8,
     val=0xbfbfab68, valseg=UIO_USERSPACE, valsize=0)
     at /usr/src/sys/kern/uipc_syscalls.c:1351
 #11 0xc059cdee in setsockopt (td=0x8, uap=0xd6cb7d90)
     at /usr/src/sys/kern/uipc_syscalls.c:1307
 #12 0xc06fc322 in syscall (frame=
       {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = -1077957792, tf_esi = -1077957784, tf_ebp = -1077957768, tf_isp = -691307164, tf_ebx = 708028888, tf_edx = 170620760, tf_ecx = -1077958488, tf_eax = 105, tf_trapno = 22, tf_err = 2, tf_eip = 673659967, tf_cs = 51, tf_eflags = 662, tf_esp = -1077957844, tf_ss = 59})
     at /usr/src/sys/i386/i386/trap.c:981
 #13 0xc06e999f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
 #14 0x00000033 in ?? ()
 
 
 (kgdb) up 7
 #7  0xc05efa9a in ip_ctloutput (so=0x8, sopt=0xd6cb7c84)
     at /usr/src/sys/netinet/ip_output.c:1210
 1210                                    inp->inp_ip_tos = optval;
 
 (kgdb) p optval
 $1 = 8
 
 (kgdb) p inp
 $2 = (struct inpcb *) 0x0
 
 (kgdb) p inp->inp_ip_tos
 There is no member named inp_ip_tos.
 
 (kgdb) p inp->inp_depend4.inp4_ip_tos
 Cannot access memory at address 0x58
 
 **** Here I went up one more, to #8:
 
 (kgdb) up 1
 #8  0xc0601ad1 in tcp_ctloutput (so=0xc57aede8, sopt=0xd6cb7c84)
     at /usr/src/sys/netinet/tcp_usrreq.c:1038
 1038                    error = ip_ctloutput(so, sopt);
 
 (kgdb) p *so
 $14 = {so_count = 1, so_type = 1, so_options = 4, so_linger = 0,
   so_state = 8448, so_qstate = 0, so_pcb = 0x0, so_proto = 0xc076e588,
   so_head = 0x0, so_incomp = {tqh_first = 0x0, tqh_last = 0x0}, so_comp = {
     tqh_first = 0x0, tqh_last = 0x0}, so_list = {tqe_next = 0x0,
     tqe_prev = 0xc3baa5b4}, so_qlen = 0, so_incqlen = 0, so_qlimit = 0,
   so_timeo = 0, so_error = 54, so_sigio = 0x0, so_oobmark = 0, so_aiojobq = {
     tqh_first = 0x0, tqh_last = 0xc57aee30}, so_rcv = {sb_sel = {si_thrlist = {
         tqe_next = 0x0, tqe_prev = 0x0}, si_thread = 0x0, si_note = {
         kl_list = {slh_first = 0x0}, kl_lock = 0xc0535980 <knlist_mtx_lock>,
         kl_unlock = 0xc05359b0 <knlist_mtx_unlock>,
         kl_locked = 0xc05359e0 <knlist_mtx_locked>, kl_lockarg = 0xc57aee5c},
       si_flags = 0}, sb_mtx = {mtx_object = {lo_class = 0xc0764584,
         lo_name = 0xc07312d1 "so_rcv", lo_type = 0xc07312d1 "so_rcv",
         lo_flags = 196608, lo_list = {tqe_next = 0x0, tqe_prev = 0x0},
         lo_witness = 0x0}, mtx_lock = 4, mtx_recurse = 0}, sb_state = 32,
     sb_mb = 0x0, sb_mbtail = 0x0, sb_lastrecord = 0x0, sb_cc = 0,
     sb_hiwat = 65700, sb_mbcnt = 0, sb_mbmax = 525600, sb_ctl = 0,
     sb_lowat = 1, sb_timeo = 0, sb_flags = 0}, so_snd = {sb_sel = {
       si_thrlist = {tqe_next = 0x0, tqe_prev = 0x0}, si_thread = 0x0,
       si_note = {kl_list = {slh_first = 0x0},
         kl_lock = 0xc0535980 <knlist_mtx_lock>,
         kl_unlock = 0xc05359b0 <knlist_mtx_unlock>,
         kl_locked = 0xc05359e0 <knlist_mtx_locked>, kl_lockarg = 0xc57aeed4},
       si_flags = 0}, sb_mtx = {mtx_object = {lo_class = 0xc0764584,
         lo_name = 0xc07312ca "so_snd", lo_type = 0xc07312ca "so_snd",
         lo_flags = 196608, lo_list = {tqe_next = 0x0, tqe_prev = 0x0},
         lo_witness = 0x0}, mtx_lock = 4, mtx_recurse = 0}, sb_state = 16,
     sb_mb = 0x0, sb_mbtail = 0x0, sb_lastrecord = 0x0, sb_cc = 0,
     sb_hiwat = 33580, sb_mbcnt = 0, sb_mbmax = 268640, sb_ctl = 0,
     sb_lowat = 2048, sb_timeo = 0, sb_flags = 0}, so_upcall = 0,
   so_upcallarg = 0x0, so_cred = 0xc54fc880, so_label = 0x0,
   so_peerlabel = 0x0, so_gencnt = 1765445, so_emuldata = 0x0, so_accf = 0x0}
 
 (kgdb) p *sopt
 $15 = {sopt_dir = SOPT_SET, sopt_level = 0, sopt_name = 3,
   sopt_val = 0xbfbfab68, sopt_valsize = 4, sopt_td = 0xc4b03900}
State-Changed-From-To: open->patched 
State-Changed-By: rwatson 
State-Changed-When: Thu Jun 1 10:26:31 UTC 2006 
State-Changed-Why:  
This bug is believed fixed in 7-CURRENT as a result of the recent (April) 
significant reworking of the socket and protocol reference models.  These 
changes are scheduled for a merge to RELENG_6 in early July, as they are 
in testing in 7.x currently.  I will investigate whether there is an easy 
short term workaround that could be applied, but this is made tricky by 
the fact that the lock required to prevent this race is not known at the 
ip_ctloutput() layer, only the calling layer, tcp_ctloutput().  I'll 
follow up on this in the near future. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=97095 

From: Robert Watson <rwatson@FreeBSD.org>
To: Avleen Vig <lists-freebsd@silverwraith.com>
Cc: bug-followup@freebsd.org
Subject: Re: kern/97095: page fault on 6.1-RC2 ip_ctloutput
Date: Wed, 28 Jun 2006 10:13:15 +0100 (BST)

 On Sun, 28 May 2006, Avleen Vig wrote:
 
 > I'm having the same problem, this is what I sent to hackers@ today:
 
 I had originally planned to merge a larger set of changes that eliminates this 
 problem entirely from 7.x to 6.x, but since that is a relatively high risk set 
 of changes, I have produced a smaller patch for RELENG_6 for this issue, which 
 is attached below.
 
    http://www.watson.org/~robert/freebsd/netperf/20060628-ip_ctloutput.diff
 
 This does not close the race, but narrows it significantly by avoiding caching 
 a potentially volatile pointer across blocking user space memory copies in 
 many common cases, and should significantly reduce the chances of this race 
 occurring, especially under high memory load.
 
 Index: ip_output.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/netinet/ip_output.c,v
 retrieving revision 1.242.2.9
 diff -u -r1.242.2.9 ip_output.c
 --- ip_output.c	4 Jun 2006 10:19:34 -0000	1.242.2.9
 +++ ip_output.c	28 Jun 2006 09:03:14 -0000
 @@ -1154,7 +1154,7 @@
   	struct socket *so;
   	struct sockopt *sopt;
   {
 -	struct	inpcb *inp = sotoinpcb(so);
 +	struct	inpcb *inp;
   	int	error, optval;
 
   	error = optval = 0;
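Review bot: with the initializer dropped at the `struct inpcb *inp;` declaration, `inp` is indeterminate on any path through ip_ctloutput() that reaches a use before one of the later `inp = sotoinpcb(so);` assignments; initializing it (`struct inpcb *inp = NULL;`) would make a missed path fail as a deterministic NULL dereference instead of a store through stack garbage, and keeps the compiler's uninitialized-use warning meaningful. A one-line comment at the declaration saying that `so_pcb` must be re-read after any call that can sleep would also document why the initializer went away.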
 @@ -1187,6 +1187,7 @@
   				m_free(m);
   				break;
   			}
 + 			inp = sotoinpcb(so);
   			INP_LOCK(inp);
   			error = ip_pcbopts(inp, sopt->sopt_name, m);
   			INP_UNLOCK(inp);
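Review bot: the re-fetched `inp` goes straight into `INP_LOCK(inp)` with no NULL check, so if the connection closed during the preceding copy (the `p *so` in this PR shows `so_pcb = 0x0`) this path still faults, just on the lock instead of the option store. Suggest `if (inp == NULL) { m_free(m); error = EINVAL; break; }` before the lock, mirroring the `m_free(m); break;` error path two lines above. The added line also has a space before its leading tabs (`+ <tab>inp = sotoinpcb(so);`), which the surrounding tab-indented code does not.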
 @@ -1209,6 +1210,7 @@
   			if (error)
   				break;
 
 + 			inp = sotoinpcb(so);
   			switch (sopt->sopt_name) {
   			case IP_TOS:
   				inp->inp_ip_tos = optval;
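Review bot: this is the line both reporters faulted on (ip_output.c:1210, `inp->inp_ip_tos = optval;` with `inp = (struct inpcb *) 0x0` and fault address 0x58), and the hunk still dereferences `inp` unchecked immediately after re-fetching it; an `if (inp == NULL) { error = EINVAL; break; }` after the new assignment would turn the panic into a failed setsockopt(). Unlike the 1187 and 1283 hunks, this store is not bracketed by INP_LOCK/INP_UNLOCK, so even a non-NULL `inp` can be detached between the fetch and the write; that is the residual race the cover note acknowledges.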
 @@ -1274,6 +1276,7 @@
   		case IP_MULTICAST_LOOP:
   		case IP_ADD_MEMBERSHIP:
   		case IP_DROP_MEMBERSHIP:
 + 			inp = sotoinpcb(so);
   			error = ip_setmoptions(inp, sopt);
   			break;
 
 @@ -1283,6 +1286,7 @@
   			if (error)
   				break;
 
 + 			inp = sotoinpcb(so);
   			INP_LOCK(inp);
   			switch (optval) {
   			case IP_PORTRANGE_DEFAULT:
 @@ -1325,6 +1329,7 @@
   			req = mtod(m, caddr_t);
   			len = m->m_len;
   			optname = sopt->sopt_name;
 + 			inp = sotoinpcb(so);
   			error = ipsec4_set_policy(inp, optname, req, len, priv);
   			m_freem(m);
   			break;
 @@ -1341,6 +1346,7 @@
   		switch (sopt->sopt_name) {
   		case IP_OPTIONS:
   		case IP_RETOPTS:
 + 			inp = sotoinpcb(so);
   			if (inp->inp_options)
   				error = sooptcopyout(sopt,
   						     mtod(inp->inp_options,
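Review bot: same pattern on the getsockopt side: `inp->inp_options` is read right after the re-fetch without a NULL check, and the mbuf it points at is handed to sooptcopyout(), which copies to user space and can block, with no lock held on `inp`. A NULL check after the assignment and an INP_LOCK/INP_UNLOCK pair around the option read (or a copy of the option bytes before dropping the lock) would match how the set-side hunks at 1187 and 1283 handle the same pointer.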
 @@ -1362,6 +1368,7 @@
   		case IP_FAITH:
   		case IP_ONESBCAST:
   		case IP_DONTFRAG:
 + 			inp = sotoinpcb(so);
   			switch (sopt->sopt_name) {
 
   			case IP_TOS:
 @@ -1427,6 +1434,7 @@
   		case IP_MULTICAST_LOOP:
   		case IP_ADD_MEMBERSHIP:
   		case IP_DROP_MEMBERSHIP:
 + 			inp = sotoinpcb(so);
   			error = ip_getmoptions(inp, sopt);
   			break;
 
 @@ -1441,7 +1449,8 @@
   				req = mtod(m, caddr_t);
   				len = m->m_len;
   			}
 -			error = ipsec4_get_policy(sotoinpcb(so), req, len, &m);
 + 			inp = sotoinpcb(so);
 +			error = ipsec4_get_policy(inp, req, len, &m);
   			if (error == 0)
   				error = soopt_mcopyout(sopt, m); /* XXX */
   			if (error == 0)
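Review bot: replacing the inline `sotoinpcb(so)` argument with the `inp` variable is fine for consistency, but this hunk is functionally identical to the old code (the pointer was already evaluated at the call site), so it narrows nothing by itself; as in the other hunks, `inp` reaches ipsec4_get_policy() without a NULL check. Also the two added lines are indented differently: `+ <tab>inp = sotoinpcb(so);` carries a space before its tabs while `+<tab>error = ipsec4_get_policy(...)` does not.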
 
State-Changed-From-To: patched->feedback 
State-Changed-By: rwatson 
State-Changed-When: Mon Jul 3 23:15:21 UTC 2006 
State-Changed-Why:  
I have committed a much smaller but related patch to RELENG_6 as 
ip_output.c:1.242.2.9 -- it would be greatly appreciated if you could 
test this change and confirm whether it resolves the problem for you. 
Here's the commit message: 

rwatson     2006-07-03 23:14:29 UTC 

FreeBSD src repository 

Modified files:        (Branch: RELENG_6) 
sys/netinet          ip_output.c  
Log: 
In ip_ctloutput(), check for a NULL inpcb pointer before dereferencing, 
as this can occur with TCP if protocol-layer socket options are set or 
queried after the connection has closed.  There are still races 
associated with ip_ctloutput() and connection close with TCP, corrected 
in HEAD via a more comprehensive set of changes, but this fixes the 
trivial panic reported on several occasions. 

This is a RELENG_6_1 and RELENG_6_0 errata branch candidate. 

PR:             97095 
Tested by:      Stanislaw Halik <sthalik at tehran dot lain dot pl> 
MFC after:      3 days 

Revision    Changes    Path 
1.242.2.10  +3 -0      src/sys/netinet/ip_output.c 


http://www.freebsd.org/cgi/query-pr.cgi?pr=97095 
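The commit message above describes the committed fix (a NULL check on the inpcb pointer in ip_ctloutput()), and Robert Watson's earlier patch re-fetches `sotoinpcb(so)` after the blocking user-space copy instead of caching it at entry. Below is an added user-space C model of that IP_TOS path, written for this page; it is not FreeBSD code, and its `struct inpcb`/`socket`/`sockopt` definitions, the `sooptcopyin_model()` stand-in and the race hook are constructed for the example. `ip_tos_set_cached()` has the original shape (pointer cached before the copy) and reports `STALE_DEREF` where the kernel would have taken the page fault; `ip_tos_set_refetch()` combines both changes (re-fetch after the copy, then refuse a NULL PCB with EINVAL). The model only closes the window the patch addresses: as the PR notes, a close can still land between the re-fetch and the store unless the caller holds the inpcb lock.

```c
#include <errno.h>
#include <string.h>

/* Constructed stand-ins for the kernel structures; not FreeBSD's definitions. */
#define IP_TOS 3                /* same value as <netinet/in.h> */
#define STALE_DEREF (-1)        /* sentinel: the kernel would page-fault here */

struct inpcb { unsigned char inp_ip_tos; int detached; }; /* detached: torn down */
struct socket { struct inpcb *so_pcb; };                  /* NULL once detached */
struct sockopt { int sopt_name; const void *sopt_val; size_t sopt_valsize; };

/* Models sotoinpcb(so). */
static struct inpcb *sotoinpcb(struct socket *so) { return (so->so_pcb); }

/* Run while the copy "sleeps"; models another thread getting the CPU. */
typedef void (*race_hook_t)(struct socket *);
typedef int (*tos_setter_t)(struct socket *, struct sockopt *, race_hook_t);

/* Models sooptcopyin(): copying from user space can block. */
static int sooptcopyin_model(struct socket *so, struct sockopt *sopt,
    int *optval, race_hook_t during_copy)
{
	if (sopt->sopt_valsize < sizeof(int))
		return (EINVAL);
	if (during_copy != NULL)
		during_copy(so);        /* the connection may close here */
	memcpy(optval, sopt->sopt_val, sizeof(int));
	return (0);
}

/* Models close racing with setsockopt: detach and "free" the PCB. */
void detach_pcb_hook(struct socket *so)
{
	if (so->so_pcb != NULL) {
		so->so_pcb->detached = 1;
		so->so_pcb = NULL;
	}
}

/* Original shape: inp cached at entry and used after the blocking copy. */
int ip_tos_set_cached(struct socket *so, struct sockopt *sopt, race_hook_t hook)
{
	struct inpcb *inp = sotoinpcb(so);
	int error, optval = 0;

	if (sopt->sopt_name != IP_TOS)
		return (ENOPROTOOPT);
	error = sooptcopyin_model(so, sopt, &optval, hook);
	if (error)
		return (error);
	/* The kernel stores through inp here unconditionally. */
	if (inp == NULL || inp->detached)
		return (STALE_DEREF);
	inp->inp_ip_tos = (unsigned char)optval;
	return (0);
}

/* Hardened shape: re-fetch after the copy, refuse a detached socket. */
int ip_tos_set_refetch(struct socket *so, struct sockopt *sopt, race_hook_t hook)
{
	struct inpcb *inp;
	int error, optval = 0;

	if (sopt->sopt_name != IP_TOS)
		return (ENOPROTOOPT);
	error = sooptcopyin_model(so, sopt, &optval, hook);
	if (error)
		return (error);
	inp = sotoinpcb(so);            /* fresh pointer, not the cached one */
	if (inp == NULL)
		return (EINVAL);        /* connection closed underneath us */
	inp->inp_ip_tos = (unsigned char)optval;
	return (0);
}

/* Scenario driver: returns the setter's error; stores the resulting TOS. */
int run_scenario(tos_setter_t setter, race_hook_t hook, unsigned char *tos_out)
{
	struct inpcb pcb = { 0, 0 };
	struct socket so = { &pcb };
	int tos = 8;            /* constructed; matches "p optval" = 8 in the PR */
	struct sockopt sopt = { IP_TOS, &tos, sizeof(int) };
	int error = setter(&so, &sopt, hook);

	if (tos_out != NULL)
		*tos_out = pcb.inp_ip_tos;
	return (error);
}

/* Same run, reporting the TOS value left in the PCB (0 if never stored). */
int run_scenario_tos(tos_setter_t setter, race_hook_t hook)
{
	unsigned char tos = 0;

	(void)run_scenario(setter, hook, &tos);
	return (tos);
}
```

Without the hook both variants store TOS 8; with `detach_pcb_hook` firing inside the copy, the cached variant reaches the store holding a pointer to a torn-down PCB (the model's `STALE_DEREF`, a page fault in the kernel), while the re-fetching variant sees `so_pcb == NULL` and returns EINVAL to the caller of setsockopt(2) instead.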
State-Changed-From-To: feedback->closed 
State-Changed-By: rwatson 
State-Changed-When: Mon Aug 14 14:31:13 UTC 2006 
State-Changed-Why:  
Close this PR; it has been merged to RELENG_6, and an errata patch is now in 
the RE queue for the RELENG_6_1 branch. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=97095 
>Unformatted:
