Bug #1696

panic by setsockopt

Added by akr over 6 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -


I found that the following program causes a kernel panic.

% uname -mrsv
DragonFly 2.4.1-RELEASE DragonFly v2.4.1-RELEASE #14: Wed Sep 30 18:12:31 PDT 2009 :/usr/obj/usr/src-misc/sys/GENERIC i386
% cat t.c
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

int main(int argc, char *argv[])
{
    int s;
    int ret;
    int tmp;

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1) { perror("socket"); exit(1); }

    /* optval is non-NULL but optlen is 0 */
    ret = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &tmp, 0);
    if (ret == -1) { perror("setsockopt"); exit(1); }

    return 0;
}
% gcc t.c
% ./a.out

The debugger is started on the console.
The message is as follows.
(Since I cannot use copy & paste here, this message may not be an exact copy.)

panic: assertion: !sopt->sopt_val || kva_p(sopt->sopt_val) in soopt_to_kbuf
Trace beginning at frame 0xd450abe4
panic(d450ac08,4,c23d6c20,d1c873b0,d450ac14) at panic+0x8c
panic(0c576283,c05cef2c,c05558f0,d450aca4,d450ac2c) at panic+0x8c
sopt_to_kbuf(d450aca4,d450ac68,4,4,d450ac78) at soopt_to_kbuf+0x47
sooptcopyin(d450aca4,d450ac68,4,4,d440ac78) at sooptcopyin+0x14
sosetopt(c23d6c20,d450aca4,cdfed7a0,d450acf0,0) at sosetopt+0x146
kern_estsockopt(3,d450aca4,1,ffff,4) at kern_setsockopt+0x4e
sys_setsockopt(d450acf0,6,1e87,0,d05abb98) at sys_setsockopt+0x75
syscall2(d450ad40) at syscall2+0x1ef
Xint0x80_syscall() at Xint0x80_syscall+0x36
Stopped at Debugger+0x34: movb $0,in_Debugger,4260


#1 Updated by alexh over 6 years ago

Fixed in b8237e23e62603fbf8951cfb7763999e1404afc2. I encountered this problem
already while updating the linuxulator but forgot to check if it also affected
the native {get,set}sockopt syscalls.

Thanks for the notice,
Alex Hornung

#2 Updated by Anonymous over 6 years ago

I also added a test case to catch any future regression:


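A regression check of the kind the last comment mentions, written here as an added example (it is not the test from the DragonFly tree, which is not reproduced on this page). It probes both setsockopt and getsockopt with zero, short, exact and oversized lengths, with and without a buffer, and expects every call to return normally; the name sockopt_edge_cases and the chosen lengths are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* A call is well behaved if it succeeds, or fails with errno set. */
static int well_behaved(int ret)
{
    return ret == 0 || (ret == -1 && errno != 0);
}

/*
 * Hypothetical helper: returns the number of misbehaving calls (0 is
 * expected), or -1 if no socket could be created. On a kernel with the
 * reported bug the zero-length setsockopt panics instead of returning,
 * so completing the loop is itself part of the check.
 */
int sockopt_edge_cases(void)
{
    int val[2] = { 1, 0 };  /* 8 bytes, so every length below stays in bounds */
    socklen_t lens[] = { 0, 1, sizeof(int), sizeof(int) + 1 };
    void *bufs[] = { val, NULL };
    int bad = 0;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1)
        return -1;
    for (size_t b = 0; b < 2; b++) {
        for (size_t l = 0; l < 4; l++) {
            socklen_t len = lens[l];
            errno = 0;
            bad += !well_behaved(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, bufs[b], len));
            errno = 0;
            bad += !well_behaved(getsockopt(s, SOL_SOCKET, SO_REUSEADDR, bufs[b], &len));
        }
    }
    /* The ordinary, valid call must still work after the probes. */
    val[0] = 1;
    bad += setsockopt(s, SOL_SOCKET, SO_REUSEADDR, val, sizeof(int)) != 0;
    close(s);
    return bad;
}

int main(void)
{
    int bad = sockopt_edge_cases();
    printf("misbehaving calls: %d\n", bad);
    return bad != 0;
}
```

Whether a given edge case returns 0, EINVAL or EFAULT differs between kernels, so the check only requires that each call comes back with a sane result.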