
Re: [Qemu-devel] Crashing in tcp_close


From: Brian Candler
Subject: Re: [Qemu-devel] Crashing in tcp_close
Date: Sat, 12 Nov 2016 09:54:57 +0000
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.4.0

On 12/11/2016 09:33, Brian Candler wrote:
So I sent a SIGABRT, here is the backtrace:

And here is some state from the core dump:

(gdb) print so
$1 = (struct socket *) 0x564b181fc940
(gdb) print *so
$2 = {so_next = 0x564b18258c60, so_prev = 0x564b181fcb00, canary1 = -559038737, s = 28, pollfds_idx = -1, slirp = 0x564b16293a70, so_m = 0x0, so_ti = 0x564b182d9070, so_urgc = 0, fhost = {
    ss = {ss_family = 2,
__ss_padding = "address@hidden", '\000' <repeats 19 times>, "\330|Ak\375\177\000\000\002\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\070|Ak\375\177\000\000\271\022\262\024KV\000\000\001\000\000\000\000\000\000\000\312\031\262\024KV\000\000\340|Ak\375\177\000\000\000\021\002?\323fZ\345\000\220-\030KV\000", __ss_align = 94880472217585}, sin = {
      sin_family = 2, sin_port = 17932, sin_addr = {s_addr = 4043325540},
sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 2, sin6_port = 17932,
      sin6_flowinfo = 4043325540, sin6_addr = {__in6_u = {
__u6_addr8 = "\000\000\000\000\000\000\000\000^\000\000\000n\000\000", __u6_addr16 = {0, 0, 0, 0, 94, 0, 110, 0}, __u6_addr32 = {0, 0, 94, 110}}}, sin6_scope_id = 0}}, lhost = {
    ss = {ss_family = 2,
__ss_padding = "\231\246\n\000\002\017\000\000\000\000\000\000\000\000\320\t\032\030KV\000\000\000\021\002?\323fZ\345\214\304+\030KV\000\000\320\t\032\030KV\000\000\000\304+\030KV\000\000Y[\330\024KV\000\000\000|Ak\375\177\000\000\061\000\000\000KV\000\000\061\000\000\000KV\000\000\024\000\000\000\000\000\000\000E\000E\000\251\246\000@@\021{\355\n\000\002\017\n\000\002\003\000\000\000", __ss_align = 313532612711}, sin = {sin_family = 2, sin_port = 42649, sin_addr = { s_addr = 251789322}, sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 2, sin6_port = 42649, sin6_flowinfo = 251789322, sin6_addr = {__in6_u = { __u6_addr8 = "\000\000\000\000\000\000\000\000\320\t\032\030KV\000", __u6_addr16 = {0, 0, 0, 0, 2512, 6170, 22091, 0}, __u6_addr32 = {0, 0, 404359632, 22091}}}, sin6_scope_id = 1057100032}}, so_iptos = 0 '\000', so_emu = 0 '\000', so_type = 0 '\000', so_state = 1, so_tcpcb = 0x0, so_expire = 0, so_queued = 0, so_nqueued = 0, so_rcv = {sb_cc = 0,
    sb_datalen = 9000, sb_wptr = 0x564b162898c0 "\200u(\026KV",
sb_rptr = 0x564b162898c0 "\200u(\026KV", sb_data = 0x564b162898c0 "\200u(\026KV"}, so_snd = {
    sb_cc = 0, sb_datalen = 9000,
sb_wptr = 0x564b162e8034 "/3\204|\244n\217;\257|\260nMshG\351\373\211w\205\241\252\364Z\343", <incomplete sequence \307>, sb_rptr = 0x564b162e8034 "/3\204|\244n\217;\257|\260nMshG\351\373\211w\205\241\252\364Z\343", <incomplete sequence \307>, sb_data = 0x564b162e7cc0 "\260\230(\026KV"}, extra = 0x0,
---Type <return> to continue, or q <return> to quit---
  canary2 = -1103113299}
(gdb) print so->slirp
$3 = (Slirp *) 0x564b16293a70
(gdb) print *(so->slirp)
$4 = {entry = {tqe_next = 0x0, tqe_prev = 0x564b154961a0 <slirp_instances>}, time_fasttimo = 0, last_slowtimo = 549524, do_slowtimo = true, in_enabled = true, in6_enabled = true, vnetwork_addr = { s_addr = 131082}, vnetwork_mask = {s_addr = 16777215}, vhost_addr = {s_addr = 33685514}, vprefix_addr6 = {__in6_u = {__u6_addr8 = "\376\300", '\000' <repeats 13 times>, __u6_addr16 = { 49406, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {49406, 0, 0, 0}}}, vprefix_len = 64 '@', vhost_addr6 = {__in6_u = {__u6_addr8 = "\376\300", '\000' <repeats 13 times>, "\002", __u6_addr16 = {49406, 0, 0, 0, 0, 0, 0, 512}, __u6_addr32 = {49406, 0, 0, 33554432}}}, vdhcp_startaddr = {s_addr = 251789322}, vnameserver_addr = {s_addr = 50462730}, vnameserver_addr6 = {__in6_u = {__u6_addr8 = "\376\300", '\000' <repeats 13 times>, "\003", __u6_addr16 = {49406, 0, 0, 0, 0, 0, 0, 768}, __u6_addr32 = {49406, 0, 0, 50331648}}}, client_ipaddr = {s_addr = 0}, client_hostname = '\000' <repeats 32 times>, restricted = 0, exec_list = 0x0, m_freelist = {qh_link = 0x564b182c9600, qh_rlink = 0x564b182c9600}, m_usedlist = { qh_link = 0x564b182d9000, qh_rlink = 0x564b182bfa00}, mbuf_alloced = 11, if_fastq = { qh_link = 0x564b16293b30, qh_rlink = 0x564b16293b30}, if_batchq = {qh_link = 0x564b16293b40, qh_rlink = 0x564b16293b40}, next_m = 0x564b16293b40, if_start_busy = false, ipq = {frag_link = { next = 0x0, prev = 0x0}, ip_link = {next = 0x564b16293b69, prev = 0x564b16293b69}, ipq_ttl = 0 '\000', ipq_p = 0 '\000', ipq_id = 0, ipq_src = {s_addr = 0}, ipq_dst = { s_addr = 0}}, ip_id = 2123, bootp_clients = {{allocated = 1, macaddr = "RT\000\022\064V"}, { allocated = 0, macaddr = "\000\000\000\000\000"} <repeats 15 times>}, bootp_filename = 0x0, vdnssearch_len = 0, vdnssearch = 0x0, tcb = {so_next = 0x564b182be7c0, so_prev = 0x564b16295ce0, canary1 = 0, s = 0, pollfds_idx = 0, slirp = 0x0, so_m = 0x0, so_ti = 0x0, so_urgc = 0, fhost = { ss = {ss_family = 0, __ss_padding = '\000' <repeats 117 times>, __ss_align = 0}, sin 
= {
        sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0},
sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0, sin6_addr = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}, lhost = {ss = {ss_family = 0, __ss_padding = '\000' <repeats 117 times>, __ss_align = 0}, sin = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0, sin6_addr = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}},
---Type <return> to continue, or q <return> to quit---
sin6_scope_id = 0}}, so_iptos = 0 '\000', so_emu = 0 '\000', so_type = 0 '\000', so_state = 0, so_tcpcb = 0x0, so_expire = 0, so_queued = 0, so_nqueued = 0, so_rcv = {sb_cc = 0, sb_datalen = 0, sb_wptr = 0x0, sb_rptr = 0x0, sb_data = 0x0}, so_snd = {sb_cc = 0, sb_datalen = 0, sb_wptr = 0x0, sb_rptr = 0x0, sb_data = 0x0}, extra = 0x0, canary2 = 0}, tcp_last_so = 0x564b16293c20, tcp_iss = 1920001, tcp_now = 25, udb = {so_next = 0x564b182be600, so_prev = 0x564b182bdc00, canary1 = 0, s = 0, pollfds_idx = 0, slirp = 0x0, so_m = 0x0,
    so_ti = 0x0, so_urgc = 0, fhost = {ss = {ss_family = 0,
__ss_padding = '\000' <repeats 117 times>, __ss_align = 0}, sin = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, sin6 = { sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0, sin6_addr = {__in6_u = { __u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}, lhost = {ss = {ss_family = 0, __ss_padding = '\000' <repeats 117 times>, __ss_align = 0}, sin = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, sin6 = { sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0, sin6_addr = {__in6_u = { __u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}, so_iptos = 0 '\000', so_emu = 0 '\000', so_type = 0 '\000', so_state = 0, so_tcpcb = 0x0, so_expire = 0, so_queued = 0, so_nqueued = 0, so_rcv = {sb_cc = 0, sb_datalen = 0, sb_wptr = 0x0, sb_rptr = 0x0, sb_data = 0x0}, so_snd = {sb_cc = 0, sb_datalen = 0, sb_wptr = 0x0, sb_rptr = 0x0, sb_data = 0x0}, extra = 0x0, canary2 = 0}, udp_last_so = 0x564b182d7e00, icmp = { so_next = 0x564b16293f98, so_prev = 0x564b16293f98, canary1 = 0, s = 0, pollfds_idx = 0, slirp = 0x0, so_m = 0x0, so_ti = 0x0, so_urgc = 0, fhost = {ss = {ss_family = 0, __ss_padding = '\000' <repeats 117 times>, __ss_align = 0}, sin = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, sin6 = { sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0, sin6_addr = {__in6_u = { __u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}, lhost = {ss = {ss_family = 0, __ss_padding = '\000' <repeats 117 times>, __ss_align = 0}, sin = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, sin6 = { sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0, sin6_addr = {__in6_u = {
---Type <return> to continue, or q <return> to quit---
__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}, so_iptos = 0 '\000', so_emu = 0 '\000', so_type = 0 '\000', so_state = 0, so_tcpcb = 0x0, so_expire = 0, so_queued = 0, so_nqueued = 0, so_rcv = {sb_cc = 0, sb_datalen = 0, sb_wptr = 0x0, sb_rptr = 0x0, sb_data = 0x0}, so_snd = {sb_cc = 0, sb_datalen = 0, sb_wptr = 0x0, sb_rptr = 0x0, sb_data = 0x0}, extra = 0x0, canary2 = 0}, icmp_last_so = 0x564b16293f98, tftp_prefix = 0x0, tftp_sessions = {{slirp = 0x0, filename = 0x0, fd = 0, client_addr = {ss_family = 0, __ss_padding = '\000' <repeats 117 times>, __ss_align = 0}, client_port = 0, block_nr = 0, timestamp = 0} <repeats 20 times>}, arp_table = {table = {{ar_hrd = 0, ar_pro = 0, ar_hln = 0 '\000', ar_pln = 0 '\000', ar_op = 0, ar_sha = "RT\000\022\064V", ar_sip = 251789322, ar_tha = "\000\000\000\000\000", ar_tip = 0}, {ar_hrd = 0, ar_pro = 0, ar_hln = 0 '\000', ar_pln = 0 '\000', ar_op = 0, ar_sha = "\000\000\000\000\000", ar_sip = 0, ar_tha = "\000\000\000\000\000", ar_tip = 0} <repeats 15 times>}, next_victim = 1}, ndp_table = {table = {{eth_addr = "RT\000\022\064V", ip_addr = {__in6_u = { __u6_addr8 = "\376\200\000\000\000\000\000\000PT\000\377\376\022\064V", __u6_addr16 = { 33022, 0, 0, 0, 21584, 65280, 4862, 22068}, __u6_addr32 = {33022, 0, 4278211664, 1446253310}}}}, {eth_addr = "\000\000\000\000\000", ip_addr = {__in6_u = { __u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}} <repeats 15 times>}, next_victim = 1}, grand = 0x564b162951c0, ra_timer = 0x564b162932d0, opaque = 0x564b16293840}
(gdb) print so->slirp->next_m
$5 = (struct mbuf *) 0x564b16293b40
(gdb) print *(so->slirp->next_m)
$6 = {m_next = 0x564b16293b40, m_prev = 0x564b16293b40, m_nextpkt = 0x564b16293b40, m_prevpkt = 0x0,
  m_flags = 0, m_size = 0, m_so = 0x564b16293b6900,
m_data = 0x564b16293b6900 <error: Cannot access memory at address 0x564b16293b6900>, m_len = 0, slirp = 0x84b000000000000, resolution_requested = true, expiration_date = 0, m_ext = 0x0,
  m_dat = 0x564b16293ba0 ""}
(gdb) print so->slirp->next_m->ifq_so
There is no member named ifq_so.
(gdb) print (so->slirp->next_m)->ifq_next
There is no member named ifq_next.

<< digs through code >> Ah, OK: ifq_so and ifq_next are macros, so the same fields are reachable as m_so and m_next.

(gdb) print so->slirp->next_m->m_so
$8 = (struct socket *) 0x564b16293b6900
(gdb) print *(so->slirp->next_m->m_so)
Cannot access memory at address 0x564b16293b6900
(gdb) print so->slirp->next_m->m_next
$9 = (struct mbuf *) 0x564b16293b40
(gdb) print *(so->slirp->next_m->m_next)
$10 = {m_next = 0x564b16293b40, m_prev = 0x564b16293b40, m_nextpkt = 0x564b16293b40, m_prevpkt = 0x0,
  m_flags = 0, m_size = 0, m_so = 0x564b16293b6900,
m_data = 0x564b16293b6900 <error: Cannot access memory at address 0x564b16293b6900>, m_len = 0, slirp = 0x84b000000000000, resolution_requested = true, expiration_date = 0, m_ext = 0x0,
  m_dat = 0x564b16293ba0 ""}

Looks corrupt, since these pointers fall outside accessible memory (gdb cannot read 0x564b16293b6900 for either m_so or m_data).

(gdb) print so
$16 = (struct socket *) 0x564b181fc940
(gdb) print so->slirp->next_m->m_so
$17 = (struct socket *) 0x564b16293b6900
(gdb) print so->slirp->next_m->m_next->m_so
$18 = (struct socket *) 0x564b16293b6900
(gdb) print so->slirp->next_m->m_next->m_next->m_so
$19 = (struct socket *) 0x564b16293b6900
(gdb) print so->slirp->next_m->m_next->m_next->m_next->m_so
$20 = (struct socket *) 0x564b16293b6900
(gdb)

There's the infinite loop: m_next points back to the same mbuf (0x564b16293b40), so walking the chain never terminates.

Regards,

Brian.



