Summary: | crash with 12.1-BETA1 | |
---|---|---|---
Product: | Base System | Reporter: | Christos Chatzaras <chris>
Component: | kern | Assignee: | Michael Tuexen <tuexen>
Status: | Closed FIXED | |
Severity: | Affects Only Me | CC: | emaste, rrs, tuexen
Priority: | --- | Keywords: | crash
Version: | 12.1-RELEASE | |
Hardware: | amd64 | |
OS: | Any | |
Bug Depends on: | | |
Bug Blocks: | 240700 | |
Attachments: | | |

Description
Christos Chatzaras
2019-09-26 12:07:30 UTC
Had the same crash in another server. For now I disable SACK to see if I get more crashes or not.

    sysctl net.inet.tcp.sack.enable=0

Created attachment 207861
core.txt

The problem was fixed for head in https://svnweb.freebsd.org/changeset/base/352386, which was MFCed to stable/12 in https://svnweb.freebsd.org/changeset/base/352508. I missed to MFS the fix to releng.12.1, which was branched at r352480.

What happened is that overflowing the sackblks[] changed sackhint.nexthole to an invalid value which was not NULL. From the core provided:

    sackblks = {{ start = 0xc1f54a52, end = 0xc1f54ffe },
                { start = 0xc1f5229e, end = 0xc1f5284a },
                { start = 0xc1f5229e, end = 0xc1f5284a },
                { start = 0xc1f5229e, end = 0xc1f5284a },
                { start = 0xc1f5229e, end = 0xc1f5284a },
                { start = 0xc1f51746, end = 0xc1f51cf2 }},
    sackhint = {
      nexthole = 0xc1f5119ac1f50bee,
      sack_bytes_rexmit = 0x0,
      last_sack_ack = 0x3fe9f863,
      ispare = 0x0,
      sacked_bytes = 0xb65,
      _pad1 = {0x0},
      _pad = {0x0}
    },

Since I can't get any changes in BETA2 anymore, the fix will be in BETA3 or RC1.

A commit references this bug:

Author: tuexen
Date: Mon Sep 30 04:54:02 UTC 2019
New revision: 352886
URL: https://svnweb.freebsd.org/changeset/base/352886

Log:
  MFS r352508:
  Don't write to memory outside of the allocated array for SACK blocks.

  PR: 240837
  Approved by: re (delphij@)
  Obtained from: rrs@
  Sponsored by: Netflix, Inc.

Changes:
_U releng/12.1/
  releng/12.1/sys/netinet/tcp_sack.c
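
Added example (not part of the bug report or the FreeBSD source): a small C model of the two adjacent fields shown in the core, reading the corrupted `nexthole` value as the 8-byte SACK block written one slot past `sackblks[]`. The `struct model` layout, the helper names and the 48-bit canonical-address check are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SACK_BLKS 6                    /* six entries, as in the dump */

struct sackblk { uint32_t start, end; };   /* sequence numbers as uint32_t */

/* Simplified model (assumption): only the two adjacent fields from the dump. */
struct model {
    struct sackblk sackblks[MAX_SACK_BLKS];
    uint64_t nexthole;                     /* first member of sackhint */
};

/* 1 if a write to sackblks[MAX_SACK_BLKS] lands exactly on nexthole. */
static int overflow_hits_nexthole(void)
{
    return offsetof(struct model, nexthole) ==
           MAX_SACK_BLKS * sizeof(struct sackblk);
}

/* Read the pointer value as one sackblk (little-endian: low word = start). */
static struct sackblk spilled_block(uint64_t nexthole)
{
    struct sackblk b = { (uint32_t)nexthole, (uint32_t)(nexthole >> 32) };
    return b;
}

/* amd64, 48-bit virtual addresses: bits 63..47 are all 0 or all 1. */
static int is_canonical(uint64_t va)
{
    uint64_t top = va >> 47;
    return top == 0 || top == 0x1ffff;
}

int main(void)
{
    const uint64_t nexthole = 0xc1f5119ac1f50beeULL;   /* from the core */
    struct sackblk b = spilled_block(nexthole);

    printf("index %d aliases nexthole: %d\n", MAX_SACK_BLKS, overflow_hits_nexthole());
    printf("start=0x%08x end=0x%08x len=%u\n", (unsigned)b.start, (unsigned)b.end, (unsigned)(b.end - b.start));
    printf("canonical: %d\n", is_canonical(nexthole));
    return 0;
}
```

The decoded block is 1452 bytes long, the same length as `sackblks[0]` in the dump, and the value is not a canonical amd64 address.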