Subject: crash boom bah
To: None <amiga-dev@netbsd.org>
From: Tim Newsham <newsham@zang.kcc.hawaii.edu>
List: amiga-dev
Date: 11/02/1994 23:15:37
while experimenting with features that are new to me
I created a program that crashes my machine with an
mmu fault each time I run it.  The program tries to send
a file descriptor over a socket with sendmsg().  If you
give it an arg it will try to receive it, this part doesnt
panic the machine.

I did a quick trace in the debugger to see where the kernel
was and the events that led up to the call to panic are:

syscall, close, closef, soo_close, coclose,  uipc_usrreg,
unp_detach, sorflush, addrerr

and then on to the mmu handling code and to mmu fault.
The error reported in sorflush was sorflush+e0.  Disassembling
sorflush shows that this is the address of the rts.


If you see errors in the file remember I was experimenting
with something I dont know (and couldnt even finish it
because of the bug :).

----

#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>

int lmode = 0;
char *path = "/tmp/s";

error(str)
char *str;
{
  perror(str);
  exit(1);
}

main(argc, argv)
char **argv;
{
  struct sockaddr ad;
  struct msghdr mh;
  struct cmsghdr *cmh;
  struct iovec iov;
  char cmh_buf[100], buf[100];
  int *data, fd, s, i, len;

  cmh = (struct cmsghdr *)cmh_buf; 
  mh.msg_iov = &iov;
  mh.msg_iovlen = 1;
  iov.iov_base = (caddr_t)buf;
  iov.iov_len = 100;

  if(argc > 1)
    lmode = 1;

  s = socket(AF_UNIX, SOCK_DGRAM, 0);
  if(s < 0)
    error("socket");

  if(lmode) {

    /* io vector */
    iov.iov_base = (caddr_t)buf;
    iov.iov_len = 100;

    /* build request */
    mh.msg_name = (caddr_t) path;
    mh.msg_namelen = strlen(path);
    mh.msg_iov = &iov;
    mh.msg_iovlen = 1;
    mh.msg_control = (caddr_t)cmh;
    mh.msg_controllen = 100;
    mh.msg_flags = 0;

    len = recvmsg(s, &mh, 0);
    printf("len %d\n", len);
    printf("cmh len: %d\n", cmh->cmsg_len);
    data = (int *) ((char *)cmh + sizeof(struct cmsghdr));
    len = cmh->cmsg_len - sizeof(struct cmsghdr);
if(len > 5)
  len = 5;
    for(i = 0; i < len; i++)
      printf("%d\n", data[i]);

  } else {

    fd = open("/tmp/abc", O_CREAT|O_WRONLY|O_TRUNC, 06660);
    if(fd < 0)
      error("/tmp/abc");

    /* build control message */
    cmh = (struct cmsghdr *)cmh_buf;
    data = (int *) ((char *)cmh + sizeof(struct cmsghdr));
    *data++ = fd;
    cmh->cmsg_len = (u_int)data - (u_int)cmh;
    cmh->cmsg_level = SOL_SOCKET;
    cmh->cmsg_type = SCM_RIGHTS;

    /* io vector */
    iov.iov_base = (caddr_t)buf;
    iov.iov_len = 100;

    /* build message */
    mh.msg_name = (caddr_t) path;
    mh.msg_namelen = strlen(path);
    mh.msg_iov = &iov;
    mh.msg_iovlen = 1;
    mh.msg_control = (caddr_t)cmh;
    mh.msg_controllen = (u_int)data - (u_int)cmh_buf;
 
    sendmsg(s, &mh, 0);
    close(fd);
  }

  close(s);
  return(0);
}