From: Mikolaj Golub
To: freebsd-net@freebsd.org
Date: Sun, 26 Sep 2010 18:29:48 +0300
Message-ID: <86zkv4cykz.fsf@kopusha.home.net>
Subject: ieee80211_crypto_tkip: panic: not enough data, data_len 2 space 1

Hi,

Today I had the following panic on 8.1-STABLE #4.

panic: not enough data, data_len 2 space 1

(kgdb) bt
#0  doadump () at pcpu.h:231
#1  0xc04ed9c9 in db_fncall (dummy1=-1064377286, dummy2=0, dummy3=-1, dummy4=0xf808b4c8 "Ü´\bø") at /usr/src/sys/ddb/db_command.c:548
#2  0xc04eddff in db_command (last_cmdp=0xc0e2005c, cmd_table=0x0, dopager=0) at /usr/src/sys/ddb/db_command.c:445
#3  0xc04edeb4 in db_command_script (command=0xc0e20f64 "call doadump") at /usr/src/sys/ddb/db_command.c:516
#4  0xc04f2070 in db_script_exec (scriptname=0xf808b5d4 "kdb.enter.panic", warnifnotfound=Variable "warnifnotfound" is not available.
) at /usr/src/sys/ddb/db_script.c:302
#5  0xc04f2157 in db_script_kdbenter (eventname=0xc0cdbb4a "panic") at /usr/src/sys/ddb/db_script.c:324
#6  0xc04efe38 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:228
#7  0xc08ee2b6 in kdb_trap (type=3, code=0, tf=0xf808b710) at /usr/src/sys/kern/subr_kdb.c:535
#8  0xc0c0246b in trap (frame=0xf808b710) at /usr/src/sys/i386/i386/trap.c:690
#9  0xc0be31ec in calltrap () at /usr/src/sys/i386/i386/exception.s:166
#10 0xc08ee43a in kdb_enter (why=0xc0cdbb4a "panic", msg=0xc0cdbb4a "panic") at cpufunc.h:71
#11 0xc08bdb16 in panic (fmt=0xc0cee385 "not enough data, data_len %zu space %u\n") at /usr/src/sys/kern/kern_shutdown.c:573
#12 0xc0994c04 in michael_mic (ctx=Variable "ctx" is not available.
) at /usr/src/sys/net80211/ieee80211_crypto_tkip.c:897
#13 0xc0994e04 in tkip_enmic (k=0xc8d440cc, m=0xc6ba2900, force=0) at /usr/src/sys/net80211/ieee80211_crypto_tkip.c:229
#14 0xc09b6d2d in ieee80211_encap (vap=0xc738e000, ni=0xc8d44000, m=Variable "m" is not available.
) at ieee80211_crypto.h:218
#15 0xc09b7b9e in ieee80211_start (ifp=0xc7ac8800) at /usr/src/sys/net80211/ieee80211_output.c:354
#16 0xc096b252 in if_start (ifp=0xc7ac8800) at /usr/src/sys/net/if.c:3345
#17 0xc096bf1f in if_transmit (ifp=0xc7ac8800, m=0xc8d75700) at /usr/src/sys/net/if.c:3357
#18 0xc0973b10 in ether_output_frame (ifp=0xc7ac8800, m=0xc8d75700) at /usr/src/sys/net/if_ethersubr.c:452
#19 0xc097462e in ether_output (ifp=0xc7ac8800, m=0xc8d75700, dst=0xc8ef71b0, ro=0xf808b9f4) at /usr/src/sys/net/if_ethersubr.c:423
#20 0xc09b7c6d in ieee80211_output (ifp=0xc7ac8800, m=0xc8d75700, dst=0xc8ef71b0, ro=0xf808b9f4) at /usr/src/sys/net80211/ieee80211_output.c:406
#21 0xc09deee9 in ip_output (m=0xc8d75700, opt=0x0, ro=0xf808b9f4, flags=Variable "flags" is not available.
) at /usr/src/sys/netinet/ip_output.c:634
#22 0xc0a43bc0 in tcp_output (tp=0xcae23000) at /usr/src/sys/netinet/tcp_output.c:1190
#23 0xc0a4f8be in tcp_usr_send (so=0xca44bb44, flags=0, m=0xc8aef100, nam=0x0, control=0x0, td=0xcbd8f000) at tcp_offload.h:282
#24 0xc0929fdd in sosend_generic (so=0xca44bb44, addr=0x0, uio=0xf808bc58, top=0xc8aef100, control=0x0, flags=0, td=0xcbd8f000) at /usr/src/sys/kern/uipc_socket.c:1260
#25 0xc092580f in sosend (so=0xca44bb44, addr=0x0, uio=0xf808bc58, top=0x0, control=0x0, flags=0, td=0xcbd8f000) at /usr/src/sys/kern/uipc_socket.c:1304
#26 0xc090b263 in soo_write (fp=0xc9ce80e0, uio=0xf808bc58, active_cred=0xc8f86300, flags=0, td=0xcbd8f000) at /usr/src/sys/kern/sys_socket.c:102
#27 0xc0904015 in dofilewrite (td=0xcbd8f000, fd=11, fp=0xc9ce80e0, auio=0xf808bc58, offset=-1, flags=0) at file.h:239
#28 0xc0905788 in kern_writev (td=0xcbd8f000, fd=11, auio=0xf808bc58) at /usr/src/sys/kern/sys_generic.c:446
#29 0xc090589f in write (td=0xcbd8f000, uap=0xf808bcf8) at /usr/src/sys/kern/sys_generic.c:362
#30 0xc0c01ba0 in syscall (frame=0xf808bd38) at /usr/src/sys/i386/i386/trap.c:1111
#31 0xc0be3281 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:264
#32 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)

(kgdb) list
892             /*
893              * Catch degenerate cases like mbuf[4*n+1 bytes] followed by
894              * mbuf[2 bytes].  I don't believe these should happen; if they
895              * do then we'll need more involved logic.
896              */
897             KASSERT(data_len <= space,
898                 ("not enough data, data_len %zu space %u\n", data_len, space));
899
900             /* Last block and padding (0x5a, 4..7 x 0) */
901             switch (data_len) {

(kgdb) p space
$1 = 1
(kgdb) p data_len
$2 = 2
(kgdb) p/x m->m_hdr
$3 = {
  mh_next = 0xc8998300,
  mh_nextpkt = 0x0,
  mh_data = 0xc8af0818,
  mh_len = 0xb1,
  mh_flags = 0x0,
  mh_type = 0x1,
  pad = {0xad, 0xde}
}
(kgdb) p/x m->m_hdr->mh_next->m_hdr
$4 = {
  mh_next = 0x0,
  mh_nextpkt = 0x0,
  mh_data = 0xc8998318,
  mh_len = 0x1,
  mh_flags = 0x0,
  mh_type = 0x1,
  pad = {0xad, 0xde}
}

So it looks like the "degenerate" case happened? I had mbuf[4*44+1 bytes] followed by mbuf[1 byte].

-- 
Mikolaj Golub
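The KASSERT at ieee80211_crypto_tkip.c:897 fires because data_len (2) exceeds space (1) in the last mbuf of the chain: the "degenerate" shape that the comment above it says it does not expect, mbuf[4*n+1 bytes] followed by a short mbuf. What follows is an added example and not code from this message or from FreeBSD's net80211: a streaming Michael MIC in C that buffers the incomplete 32-bit word across chunk boundaries, so the chain from the dump above (mh_len 0xb1 = 177 = 4*44+1 bytes, then a 1-byte mbuf) gives the same MIC as the contiguous buffer. The key, the payload bytes and the chunk layouts are constructed for the demonstration; the known-answer value (all-zero key, empty message, MIC 82 92 5c 1c a1 d1 30 b8) is the IEEE 802.11 Michael test vector.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Michael (the TKIP MIC) in streaming form: an incomplete 32-bit word is carried
 * from one update() call to the next, so words may straddle chunk (mbuf) boundaries. */
struct michael_ctx {
    uint32_t l, r;        /* the two 32-bit halves of the running state */
    uint8_t  pending[4];  /* bytes of a word not yet completed */
    size_t   npending;    /* 0..3 */
};

static uint32_t rol32(uint32_t v, unsigned n) { return (v << n) | (v >> (32 - n)); }
static uint32_t ror32(uint32_t v, unsigned n) { return (v >> n) | (v << (32 - n)); }
static uint32_t xswap(uint32_t v) { return ((v & 0xff00ff00u) >> 8) | ((v & 0x00ff00ffu) << 8); }
static uint32_t get_le32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static void put_le32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Mix one little-endian message word into L, then apply the block function b(L, R). */
static void michael_block(struct michael_ctx *c, uint32_t m)
{
    c->l ^= m;
    c->r ^= rol32(c->l, 17); c->l += c->r;
    c->r ^= xswap(c->l);     c->l += c->r;
    c->r ^= rol32(c->l, 3);  c->l += c->r;
    c->r ^= ror32(c->l, 2);  c->l += c->r;
}

void michael_init(struct michael_ctx *c, const uint8_t key[8])
{
    c->l = get_le32(key); c->r = get_le32(key + 4); c->npending = 0;
}

/* Absorb len bytes. A word split across two chunks is completed from the next
 * chunk instead of being asserted away, which covers mbuf[4*n+1] + mbuf[1]. */
void michael_update(struct michael_ctx *c, const uint8_t *data, size_t len)
{
    if (c->npending) {
        while (len > 0 && c->npending < 4) { c->pending[c->npending++] = *data++; len--; }
        if (c->npending < 4) return;    /* still short of a word; wait for more */
        michael_block(c, get_le32(c->pending));
        c->npending = 0;
    }
    for (; len >= 4; data += 4, len -= 4)
        michael_block(c, get_le32(data));
    if (len) memcpy(c->pending, data, len);   /* keep the 1..3 byte tail */
    c->npending = len;
}

/* Padding is 0x5a then 4..7 zero bytes so the padded length is a multiple of 4:
 * with npending tail bytes left over, that is 8 - npending bytes in all. */
void michael_final(struct michael_ctx *c, uint8_t mic[8])
{
    static const uint8_t pad[8] = { 0x5a, 0, 0, 0, 0, 0, 0, 0 };
    michael_update(c, pad, 8 - c->npending);
    put_le32(mic, c->l); put_le32(mic + 4, c->r);
}

/* MIC over nchunks pieces laid out back to back in buf (lengths in chunk_lens),
 * the way the TKIP code walks an mbuf chain. */
void michael_mic_chain(const uint8_t key[8], const uint8_t *buf,
                       const size_t *chunk_lens, size_t nchunks, uint8_t mic[8])
{
    struct michael_ctx c;
    michael_init(&c, key);
    for (size_t i = 0; i < nchunks; i++) {
        michael_update(&c, buf, chunk_lens[i]);
        buf += chunk_lens[i];
    }
    michael_final(&c, mic);
}

/* Known answer from the IEEE 802.11 Michael test vectors:
 * all-zero key and empty message give 82 92 5c 1c a1 d1 30 b8. */
int michael_kat_ok(void)
{
    static const uint8_t key[8] = { 0 };
    static const uint8_t expect[8] = { 0x82, 0x92, 0x5c, 0x1c, 0xa1, 0xd1, 0x30, 0xb8 };
    uint8_t mic[8];
    michael_mic_chain(key, NULL, NULL, 0, mic);
    return memcmp(mic, expect, 8) == 0;
}

/* The chain shape from the panic (mh_len 0xb1 = 177 = 4*44+1 bytes, then 1 byte)
 * and the mbuf[4*n+1] + mbuf[2] shape the source comment names must both give
 * the MIC of the contiguous buffer. Key and payload are constructed test data. */
int michael_degenerate_chain_ok(void)
{
    static const uint8_t key[8] = { 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0 };
    static const size_t whole[] = { 178 }, panic_shape[] = { 177, 1 }, comment_shape[] = { 173, 2, 3 };
    uint8_t data[178], ref[8], mic[8];
    for (size_t i = 0; i < sizeof data; i++)
        data[i] = (uint8_t)(i * 7 + 3);          /* constructed payload */
    michael_mic_chain(key, data, whole, 1, ref);
    michael_mic_chain(key, data, panic_shape, 2, mic);
    if (memcmp(ref, mic, 8) != 0) return 0;
    michael_mic_chain(key, data, comment_shape, 3, mic);
    return memcmp(ref, mic, 8) == 0;
}
```

michael_mic_chain() takes the chain as a list of chunk lengths over one flat buffer so it runs in userland; in the kernel the same update/final split would be driven by walking the chain via m_next with m_len bytes per mbuf, and michael_final() supplies the 0x5a padding no matter where the last mbuf boundary fell, so no shape of chain needs a separate case.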