Date:      Sun, 26 Sep 2010 18:29:48 +0300
From:      Mikolaj Golub <to.my.trociny@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   ieee80211_crypto_tkip: panic: not enough data, data_len 2 space 1
Message-ID:  <86zkv4cykz.fsf@kopusha.home.net>

Hi,

Today I had the following panic on 8.1-STABLE #4.

panic: not enough data, data_len 2 space 1

(kgdb) bt
#0  doadump () at pcpu.h:231
#1  0xc04ed9c9 in db_fncall (dummy1=-1064377286, dummy2=0, dummy3=-1, dummy4=0xf808b4c8 "Ü´\bø")
    at /usr/src/sys/ddb/db_command.c:548
#2  0xc04eddff in db_command (last_cmdp=0xc0e2005c, cmd_table=0x0, dopager=0)
    at /usr/src/sys/ddb/db_command.c:445
#3  0xc04edeb4 in db_command_script (command=0xc0e20f64 "call doadump")
    at /usr/src/sys/ddb/db_command.c:516
#4  0xc04f2070 in db_script_exec (scriptname=0xf808b5d4 "kdb.enter.panic", warnifnotfound=Variable "warnifnotfound" is not available.
)
    at /usr/src/sys/ddb/db_script.c:302
#5  0xc04f2157 in db_script_kdbenter (eventname=0xc0cdbb4a "panic")
    at /usr/src/sys/ddb/db_script.c:324
#6  0xc04efe38 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:228
#7  0xc08ee2b6 in kdb_trap (type=3, code=0, tf=0xf808b710) at /usr/src/sys/kern/subr_kdb.c:535
#8  0xc0c0246b in trap (frame=0xf808b710) at /usr/src/sys/i386/i386/trap.c:690
#9  0xc0be31ec in calltrap () at /usr/src/sys/i386/i386/exception.s:166
#10 0xc08ee43a in kdb_enter (why=0xc0cdbb4a "panic", msg=0xc0cdbb4a "panic") at cpufunc.h:71
#11 0xc08bdb16 in panic (fmt=0xc0cee385 "not enough data, data_len %zu space %u\n")
    at /usr/src/sys/kern/kern_shutdown.c:573
#12 0xc0994c04 in michael_mic (ctx=Variable "ctx" is not available.
) at /usr/src/sys/net80211/ieee80211_crypto_tkip.c:897
#13 0xc0994e04 in tkip_enmic (k=0xc8d440cc, m=0xc6ba2900, force=0)
    at /usr/src/sys/net80211/ieee80211_crypto_tkip.c:229
#14 0xc09b6d2d in ieee80211_encap (vap=0xc738e000, ni=0xc8d44000, m=Variable "m" is not available.
) at ieee80211_crypto.h:218
#15 0xc09b7b9e in ieee80211_start (ifp=0xc7ac8800)
    at /usr/src/sys/net80211/ieee80211_output.c:354
#16 0xc096b252 in if_start (ifp=0xc7ac8800) at /usr/src/sys/net/if.c:3345
#17 0xc096bf1f in if_transmit (ifp=0xc7ac8800, m=0xc8d75700) at /usr/src/sys/net/if.c:3357
#18 0xc0973b10 in ether_output_frame (ifp=0xc7ac8800, m=0xc8d75700)
    at /usr/src/sys/net/if_ethersubr.c:452
#19 0xc097462e in ether_output (ifp=0xc7ac8800, m=0xc8d75700, dst=0xc8ef71b0, ro=0xf808b9f4)
    at /usr/src/sys/net/if_ethersubr.c:423
#20 0xc09b7c6d in ieee80211_output (ifp=0xc7ac8800, m=0xc8d75700, dst=0xc8ef71b0, ro=0xf808b9f4)
    at /usr/src/sys/net80211/ieee80211_output.c:406
#21 0xc09deee9 in ip_output (m=0xc8d75700, opt=0x0, ro=0xf808b9f4, flags=Variable "flags" is not available.
)
    at /usr/src/sys/netinet/ip_output.c:634
#22 0xc0a43bc0 in tcp_output (tp=0xcae23000) at /usr/src/sys/netinet/tcp_output.c:1190
#23 0xc0a4f8be in tcp_usr_send (so=0xca44bb44, flags=0, m=0xc8aef100, nam=0x0, control=0x0, 
    td=0xcbd8f000) at tcp_offload.h:282
#24 0xc0929fdd in sosend_generic (so=0xca44bb44, addr=0x0, uio=0xf808bc58, top=0xc8aef100, 
    control=0x0, flags=0, td=0xcbd8f000) at /usr/src/sys/kern/uipc_socket.c:1260
#25 0xc092580f in sosend (so=0xca44bb44, addr=0x0, uio=0xf808bc58, top=0x0, control=0x0, 
    flags=0, td=0xcbd8f000) at /usr/src/sys/kern/uipc_socket.c:1304
#26 0xc090b263 in soo_write (fp=0xc9ce80e0, uio=0xf808bc58, active_cred=0xc8f86300, flags=0, 
    td=0xcbd8f000) at /usr/src/sys/kern/sys_socket.c:102
#27 0xc0904015 in dofilewrite (td=0xcbd8f000, fd=11, fp=0xc9ce80e0, auio=0xf808bc58, offset=-1, 
    flags=0) at file.h:239
#28 0xc0905788 in kern_writev (td=0xcbd8f000, fd=11, auio=0xf808bc58)
    at /usr/src/sys/kern/sys_generic.c:446
#29 0xc090589f in write (td=0xcbd8f000, uap=0xf808bcf8) at /usr/src/sys/kern/sys_generic.c:362
#30 0xc0c01ba0 in syscall (frame=0xf808bd38) at /usr/src/sys/i386/i386/trap.c:1111
#31 0xc0be3281 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:264
#32 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) list
892             /*
893              * Catch degenerate cases like mbuf[4*n+1 bytes] followed by
894              * mbuf[2 bytes].  I don't believe these should happen; if they
895              * do then we'll need more involved logic.
896              */
897             KASSERT(data_len <= space,
898                 ("not enough data, data_len %zu space %u\n", data_len, space));
899     
900             /* Last block and padding (0x5a, 4..7 x 0) */
901             switch (data_len) {
(kgdb) p space
$1 = 1
(kgdb) p data_len
$2 = 2
(kgdb) p/x m->m_hdr
$3 = {
  mh_next = 0xc8998300, 
  mh_nextpkt = 0x0, 
  mh_data = 0xc8af0818, 
  mh_len = 0xb1, 
  mh_flags = 0x0, 
  mh_type = 0x1, 
  pad = {0xad, 0xde}
}
(kgdb) p/x m->m_hdr->mh_next->m_hdr
$4 = {
  mh_next = 0x0, 
  mh_nextpkt = 0x0, 
  mh_data = 0xc8998318, 
  mh_len = 0x1, 
  mh_flags = 0x0, 
  mh_type = 0x1, 
  pad = {0xad, 0xde}
}

So it looks like the "degenerate" case happened? I had mbuf[4*44+1 bytes] followed
by mbuf[1 byte].

-- 
Mikolaj Golub
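The mbuf walk that reaches this assertion, as an added example that is not from the kernel source or the original post: it replays the block-collection loop of michael_mic() with the mbuf lengths from the kgdb output (a 24-byte 802.11 header in front of the payload is assumed) and shows why two payload bytes are left over when only one byte of the current mbuf remains, against a chain of the same total length whose tail does not straddle a boundary.

```c
#include <stddef.h>
struct mbuf { struct mbuf *m_next; unsigned m_len; };  /* kernel stand-in */
/* What the final KASSERT(data_len <= space) in michael_mic() sees. */
struct tail { size_t data_len; unsigned space; int degenerate; };

/* Replays the block-collection loop of michael_mic(): whole 32-bit blocks are
 * taken from each mbuf (a split block from both) until under 4 bytes remain.
 * Assumed model of the walk only, no MIC arithmetic; not the kernel's code. */
struct tail michael_tail(const struct mbuf *m, unsigned off, size_t data_len)
{
    struct tail t = { 0, 0, 1 };
    unsigned space = m->m_len - off;
    for (;;) {
        if (space > data_len)
            space = (unsigned)data_len;
        while (space >= 4) {                /* whole blocks in this mbuf */
            space -= 4;
            data_len -= 4;
        }
        if (data_len < 4)
            break;                          /* only the <4-byte tail is left */
        m = m->m_next;
        if (m == NULL || (space != 0 && m->m_len < 4 - space))
            return t;                       /* chain ends inside a block */
        if (space != 0) {                   /* block straddles two mbufs */
            space = m->m_len - (4 - space);
            data_len -= 4;
        } else {
            space = m->m_len;
        }
    }
    t.data_len = data_len;
    t.space = space;
    t.degenerate = data_len > space;        /* here the kernel's KASSERT fires */
    return t;
}
/* The chain from the report, mbuf[177] then mbuf[1], assuming a 24-byte
 * 802.11 header in front of the MIC'd payload (constructed input). */
struct tail report_chain_tail(void)
{
    static struct mbuf m1 = { NULL, 1 };
    static struct mbuf m0 = { &m1, 177 };
    return michael_tail(&m0, 24, 177 + 1 - 24);   /* data_len 2, space 1 */
}
/* Same total length, but the tail lies inside the last mbuf: no panic. */
struct tail intact_chain_tail(void)
{
    static struct mbuf m1 = { NULL, 22 };
    static struct mbuf m0 = { &m1, 156 };
    return michael_tail(&m0, 24, 156 + 22 - 24);  /* data_len 2, space 2 */
}
```

The leftover bytes that the final switch in michael_mic() would have to read from the next mbuf are data_len minus space; the kernel's tail handling only reads from the current buffer, which is what the KASSERT guards.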
