Subject: crash boom bah
To: None <amiga-dev@netbsd.org>
From: Tim Newsham <newsham@zang.kcc.hawaii.edu>
List: amiga-dev
Date: 11/02/1994 23:15:37
while experimenting with features that are new to me
I created a program that crashes my machine with an
mmu fault each time I run it. The program tries to send
a file descriptor over a socket with sendmsg(). If you
give it an arg it will try to receive it, this part doesnt
panic the machine.
I did a quick trace in the debugger to see where the kernel
was and the events that led up to the call to panic are:
syscall, close, closef, soo_close, coclose, uipc_usrreg,
unp_detach, sorflush, addrerr
and then on to the mmu handling code and to mmu fault.
The error reported in sorflush was sorflush+e0. Disassembling
sorflush shows that this is the address of the rts.
If you see errors in the file remember I was experimenting
with something I dont know (and couldnt even finish it
because of the bug :).
----
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
int lmode = 0;
char *path = "/tmp/s";
error(str)
char *str;
{
perror(str);
exit(1);
}
main(argc, argv)
char **argv;
{
struct sockaddr ad;
struct msghdr mh;
struct cmsghdr *cmh;
struct iovec iov;
char cmh_buf[100], buf[100];
int *data, fd, s, i, len;
cmh = (struct cmsghdr *)cmh_buf;
mh.msg_iov = &iov;
mh.msg_iovlen = 1;
iov.iov_base = (caddr_t)buf;
iov.iov_len = 100;
if(argc > 1)
lmode = 1;
s = socket(AF_UNIX, SOCK_DGRAM, 0);
if(s < 0)
error("socket");
if(lmode) {
/* io vector */
iov.iov_base = (caddr_t)buf;
iov.iov_len = 100;
/* build request */
mh.msg_name = (caddr_t) path;
mh.msg_namelen = strlen(path);
mh.msg_iov = &iov;
mh.msg_iovlen = 1;
mh.msg_control = (caddr_t)cmh;
mh.msg_controllen = 100;
mh.msg_flags = 0;
len = recvmsg(s, &mh, 0);
printf("len %d\n", len);
printf("cmh len: %d\n", cmh->cmsg_len);
data = (int *) ((char *)cmh + sizeof(struct cmsghdr));
len = cmh->cmsg_len - sizeof(struct cmsghdr);
if(len > 5)
len = 5;
for(i = 0; i < len; i++)
printf("%d\n", data[i]);
} else {
fd = open("/tmp/abc", O_CREAT|O_WRONLY|O_TRUNC, 06660);
if(fd < 0)
error("/tmp/abc");
/* build control message */
cmh = (struct cmsghdr *)cmh_buf;
data = (int *) ((char *)cmh + sizeof(struct cmsghdr));
*data++ = fd;
cmh->cmsg_len = (u_int)data - (u_int)cmh;
cmh->cmsg_level = SOL_SOCKET;
cmh->cmsg_type = SCM_RIGHTS;
/* io vector */
iov.iov_base = (caddr_t)buf;
iov.iov_len = 100;
/* build message */
mh.msg_name = (caddr_t) path;
mh.msg_namelen = strlen(path);
mh.msg_iov = &iov;
mh.msg_iovlen = 1;
mh.msg_control = (caddr_t)cmh;
mh.msg_controllen = (u_int)data - (u_int)cmh_buf;
sendmsg(s, &mh, 0);
close(fd);
}
close(s);
return(0);
}