Subject: kern/3408: spp_output causes vm_fault anytime
To: None <gnats-bugs@gnats.netbsd.org>
From: None <koji@math.human.nagoya-u.ac.jp>
List: netbsd-bugs
Date: 03/29/1997 20:25:29
>Number:         3408
>Category:       kern
>Synopsis:       spp_output causes vm_fault anytime
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Mar 29 04:20:04 1997
>Last-Modified:
>Originator:     Koji Imada - je4owb/2
>Organization:
Mathematics Group of Graduate School of Human
	Informatics, Nagoya University, Japan.
>Release:        1.2_BETA
>Environment:
	
System: NetBSD bimota 1.2 NetBSD 1.2 (BIMOTA) #0: Fri Mar 28 07:10:55 JST 1997 koji@bimota:/mnt2/NetBSD/usr/NetBSD/src/sys/arch/i386/compile/BIMOTA i386


>Description:
	When initiating an spp connection, spp_output, which tries to send
	the first packet, causes a vm_fault every time. Also, a host listening
	for spp connections (AF_NS, SOCK_STREAM/SOCK_SEQPACKET) panics
	(vm_fault) when responding to the spp connection. This problem
	remains in -current of Mar. 23, 1997 too.
>How-To-Repeat:
	Set an xns address on a network interface using ifconfig. Then just
	make an spp (AF_NS, SOCK_STREAM/SOCK_SEQPACKET) connection to any
	host. That is enough to cause the vm_fault.
>Fix:
	Apply the following diffs:

*** sys/netns/spp_usrreq.c.orig	Fri Mar 28 05:52:10 1997
--- sys/netns/spp_usrreq.c	Fri Mar 28 05:53:15 1997
***************
*** 742,751 ****
  #endif
  {
  	register struct sppcb *cb = NULL;
! 	struct socket *so = cb->s_nspcb->nsp_socket;
  	register struct mbuf *m;
  	register struct spidp *si = (struct spidp *) 0;
! 	register struct sockbuf *sb = &so->so_snd;
  	int len = 0, win, rcv_win;
  	short span, off, recordp = 0;
  	u_short alo;
--- 742,751 ----
  #endif
  {
  	register struct sppcb *cb = NULL;
! 	struct socket *so;
  	register struct mbuf *m;
  	register struct spidp *si = (struct spidp *) 0;
! 	register struct sockbuf *sb;
  	int len = 0, win, rcv_win;
  	short span, off, recordp = 0;
  	u_short alo;
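Review bot: the defect is in the two removed initializers: `cb` is declared `= NULL` and is not read from the argument list until the `va_arg` call further down, so `struct socket *so = cb->s_nspcb->nsp_socket;` dereferences a null pointer at the point of declaration, which is the vm_fault the report describes. Dropping the initializers is the right fix; `so` and `sb` are now uninitialized until explicitly assigned, so nothing between these declarations and the `va_arg` block may read them (the context shown does not, but lines 752-760 are not in this diff and are worth a glance).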
***************
*** 761,766 ****
--- 761,768 ----
  	cb = va_arg(ap, struct sppcb *);
  	va_end(ap);
  
+ 	so = cb->s_nspcb->nsp_socket;
+ 	sb = &so->so_snd;
  
  	if (m0) {
  		int mtu = cb->s_mtu;
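Review bot: the two added assignments land in the right place, directly after `va_end(ap)`, which is the first point at which `cb` holds the caller's value, so `so` and `sb` are set before the `if (m0)` block reads `cb->s_mtu`. Two small things: the added lines sit between two blank lines, so one blank could go; and since the fix moves the dereference rather than removing it, a NULL `cb` (or `cb->s_nspcb`) would still fault here, so if any caller can hand in a null control block it should be checked or asserted before these lines.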

>Audit-Trail:
>Unformatted: