1 Reply Latest reply: Nov 26, 2009 11:22 AM by 807567

    Panic with Raw Socket-Page fault in module "ip" due to a NULL pointer deref

    807567
      I see a panic when using raw sockets with Solaris 10 10/09 (u8). I included a sample program that can cause this issue (panic happens when a UDP datagram is received on port 60000). This sample code works as expected with the previous version I was using - 5/08. If I bind with a port number of 0 I don't see the panic but I don't receive anything either.

      I believe I have all the latest patches installed. I'd appreciate any assistance in resolving this. Thanks...


      panic[cpu11]/thread=fffffe8000916c60:
      BAD TRAP: type=e (#pf Page fault) rp=fffffe80009166c0 addr=83 occurred in module "ip" due to a NULL pointer dereference

      sched:
      #pf Page fault
      Bad kernel fault at addr=0x83
      pid=0, pc=0xffffffffedf86a10, sp=0xfffffe80009167b0, eflags=0x10246
      cr0: 8005003b<pg,wp,ne,et,ts,mp,pe> cr4: 6f8<xmme,fxsr,pge,mce,pae,pse,de>
      cr2: 83 cr3: 1a345000 cr8: c
      rdi: ffffffffa7092808 rsi: ffffffffb0094e00 rdx: ffffffffa73c9d40
      rcx: 0 r8: fffffe8000916878 r9: fffffe8000916880
      rax: 0 rbx: ffffffffb0094e00 rbp: fffffe8000916800
      r10: ffffffffa7c18840 r11: ffffffffa73c9d40 r12: fffffe8000916880
      r13: ffffffff9b314000 r14: ffffffff9a70b000 r15: 0
      fsb: ffffffff80000000 gsb: ffffffff9c52d800 ds: 43
      es: 43 fs: 0 gs: 1c3
      trp: e err: 0 rip: ffffffffedf86a10
      cs: 28 rfl: 10246 rsp: fffffe80009167b0
      ss: 30

      fffffe80009165d0 unix:die+da ()
      fffffe80009166b0 unix:trap+5e6 ()
      fffffe80009166c0 unix:_cmntrap+140 ()
      fffffe8000916800 ip:ip_udp_check+b0 ()
      fffffe80009168b0 ip:ip_udp_input+15a ()
      fffffe80009169d0 ip:ip_input+c7c ()
      fffffe8000916aa0 dls:i_dls_link_rx+32e ()
      fffffe8000916af0 mac:mac_rx+71 ()
      fffffe8000916b90 bnx:bnx_recv_ring_recv+113 ()
      fffffe8000916ba0 bnx:bnx_rxpkts_intr+17 ()
      fffffe8000916bc0 bnx:bnx_intr_recv+58 ()
      fffffe8000916bf0 bnx:bnx_intr_1lvl+120 ()
      fffffe8000916c40 unix:av_dispatch_autovect+78 ()
      fffffe8000916c50 unix:intr_thread+5f ()

      EXAMPLE USED TO CAUSE ABOVE PANIC
      ------------------------------------------------------------------
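      #include        <unistd.h>
      #include        <stdio.h>
      #include        <stdlib.h>
      #include        <string.h>
      #include        <sys/types.h>
      #include        <sys/socket.h>
      #include        <netinet/in.h>
      #include        <arpa/inet.h>

      #define BUFFER_SIZE 2048

      int main(int argc, char *argv[])
      {
              int                     i, sd;
              ssize_t                 iosize;
              socklen_t               addrlen;
              char                    *ipbuffer;
              struct sockaddr_in      saddr, daddr;

              /* Receive buffer for inbound datagrams */
              ipbuffer = calloc( 1, BUFFER_SIZE );
              if ( ipbuffer == NULL ) {
                      perror("calloc() error");
                      exit(-1);
              }

              //if ( ( sd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) ) < 0 ) {        // Works
              if ( ( sd = socket(PF_INET, SOCK_RAW, IPPROTO_UDP) ) < 0 ) {            // Fails
                      perror("socket() error");
                      exit(-1);
              }

              /* Zero the address so the sin_zero padding is not left uninitialized */
              memset( &saddr, 0, sizeof( saddr ) );
              saddr.sin_family = AF_INET;
              saddr.sin_addr.s_addr = inet_addr( "0.0.0.0" );
              saddr.sin_port = htons( 60000 );

              if ( bind( sd, (struct sockaddr *) &saddr, sizeof( saddr ) ) < 0 ) {
                      perror("bind() error");
                      exit(-1);
              }

              printf( "Awaiting inbound datagrams...\n" );
              for ( i = 1; i <= 10; i++ ) {
                      /* recvfrom() expects the address length as a socklen_t, reset on each call */
                      addrlen = sizeof( daddr );
                      iosize = recvfrom( sd, ipbuffer, BUFFER_SIZE, 0, (struct sockaddr *) &daddr, &addrlen );
                      if ( iosize < 0 ) {
                              perror("recvfrom() error");
                              break;
                      }

                      printf( "Received %ld bytes from %s\n", (long) iosize, inet_ntoa( daddr.sin_addr ) );
              }
              free( ipbuffer );
              close( sd );
              return( 0 );
      }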
      ------------------------------------------------------------------