Re: kern/40570

[Antti Kantee <pooka%cs.hut.fi@localhost>]

The following reply was made to PR kern/40570; it has been noted by GNATS.

From: Antti Kantee <pooka%cs.hut.fi@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: kern/40570
Date: Sun, 8 Feb 2009 18:42:40 +0200

 Ok, it's an error branch error.  I extracted the necessary stuff from
 puffs_portal.c and made it use rump syscalls:
 
 pain-rustique:47:~> cc crash.c -g -lrump -lrumpvfs -lrumpnet -lrumpnet_local 
-lrumpnet_net -lrumpuser -lpthread
 pain-rustique:48:~> ./a.out
 sysctl_createv: sysctl_locate(disknames) returned 2
 sysctl_createv: sysctl_locate(iostatnames) returned 2
 sysctl_createv: sysctl_locate(iostats) returned 2
 rn_init: radix functions require max_keylen be set
 Segmentation fault (core dumped)
 pain-rustique:49:~> gdb a.out a.out.core                                       
 GNU gdb 6.5
 [...]
 Program terminated with signal 11, Segmentation fault.
 #0  0xbbbd11e0 in fd_putfile (fd=1231231)
     at 
/usr/allsrc/src/sys/rump/librump/rumpkern/../../../kern/kern_descrip.c:380
 380             ff = fdp->fd_ofiles[fd];
 (gdb) print fd
 $1 = 1231231
 
 So it tries to put a garbage value.  With uipc_ussreq.c rev 1.120 included
 in librumpnet_local:
 
 pain-rustique:50:~> ./a.out 
 sysctl_createv: sysctl_locate(disknames) returned 2
 sysctl_createv: sysctl_locate(iostatnames) returned 2
 sysctl_createv: sysctl_locate(iostats) returned 2
 rn_init: radix functions require max_keylen be set
 a.out: sendmsg: Bad file descriptor
 pain-rustique:51:~> 
 
 Test program (if someone's bored, this is a good base for a AF_LOCAL
 regression test .. ):
 === snip ===
 #include <sys/types.h>
 #include <sys/socket.h>
 
 #include <rump/rump.h>
 #include <rump/rump_syscalls.h>
 
 #include <err.h>
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <util.h>
 
 static int
 sendfd(int s, int fd, int error)
 {
        struct cmsghdr *cmp;
        struct msghdr msg;
        struct iovec iov;
        ssize_t n;
        int rv;
 
        rv = 0;
        cmp = malloc(CMSG_LEN(sizeof(int)));
 
        iov.iov_base = &error;
        iov.iov_len = sizeof(int);
 
        cmp->cmsg_level = SOL_SOCKET;
        cmp->cmsg_type = SCM_RIGHTS;
        cmp->cmsg_len = CMSG_LEN(sizeof(int));
 
        msg.msg_iov = &iov;
        msg.msg_iovlen = 1;
        msg.msg_name = NULL;
        msg.msg_namelen = 0;
        msg.msg_control = cmp;
        msg.msg_controllen = CMSG_LEN(sizeof(int));
        *(int *)CMSG_DATA(cmp) = fd;
 
        n = rump_sys_sendmsg(s, &msg, 0);
        warn("sendmsg");
        if (n == -1)
                rv = errno;
        else if (n < sizeof(int))
                rv = EPROTO;
 
        free(cmp);
        return rv;
 }
 
 int
 main()
 {
        int s[2];
        int fd, error = 0;
        int data;
 
        rump_init();
 
        if (rump_sys_socketpair(AF_LOCAL, SOCK_STREAM, 0, s) == -1)
                err(1, "socket");
 
        sendfd(s[1], 1231231, error);
 }
 === snip ===