Date: Sun, 11 Jan 2004 14:59:44 -0500 (EST) From: David Gilbert <dgilbert@dclg.ca> To: FreeBSD-gnats-submit@FreeBSD.org Subject: kern/61215: off-by-one error likely in ip_fragment() Message-ID: <20040111195944.0AB1A1D1FB8@canoe.dclg.ca> Resent-Message-ID: <200401112000.i0BK0bhf070739@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 61215
>Category: kern
>Synopsis: off-by-one error likely in ip_fragment()
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Jan 11 12:00:36 PST 2004
>Closed-Date:
>Last-Modified:
>Originator: David Gilbert
>Release: FreeBSD 5.2-CURRENT i386
>Organization:
DaveG.ca
>Environment:
System: FreeBSD canoe.dclg.ca 5.2-CURRENT FreeBSD 5.2-CURRENT #3: Fri Jan 2 13:57:59 EST 2004 dgilbert@canoe.dclg.ca:/usr/src/sys/i386/compile/CANOE i386
As above, but the problem machine was cvsup'd on the 9th.
>Description:
It would appear that GRE calling ip_fragment() is leading to an
an immediate crash. The machine in question crashes dependably
during boot. The following is the backtrace:
panic messages:
---
panic: m_copym, offset > size of mbuf chain
#0 doadump () at /usr/src/sys/kern/kern_shutdown.c:240
#1 0xc0508512 in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:372
#2 0xc0508868 in panic () at /usr/src/sys/kern/kern_shutdown.c:550
#3 0xc0544fa5 in m_copym (m=0x0, off0=1500, len=1480, wait=4)
at /usr/src/sys/kern/uipc_mbuf.c:211
#4 0xc059b941 in ip_fragment (ip=0xc1e919e8, m_frag=0xdf92c9e0,
mtu=-1041688000, if_hwassist_flags=0, sw_csum=1)
at /usr/src/sys/netinet/ip_output.c:1219
#5 0xc059b55f in ip_output (m0=0x1, opt=0xc1e919e8, ro=0xc5f8edfc, flags=0,
imo=0x0, inp=0x0) at /usr/src/sys/netinet/ip_output.c:1047
#6 0xc611054f in gre_output (ifp=0xc5f8ec00, m=0xc1e91900, dst=0xc1e919e8,
rt=0xc612ce00) at /usr/src/sys/net/if_gre.c:372
#7 0xc059b4f0 in ip_output (m0=0x1, opt=0xc2b2a00e, ro=0xdf92cb7c, flags=1,
imo=0x0, inp=0x0) at /usr/src/sys/netinet/ip_output.c:1021
#8 0xc059a3c6 in ip_forward (m=0xc1e8bb00, srcrt=0, next_hop=0x0)
at /usr/src/sys/netinet/ip_input.c:1929
#9 0xc0598db0 in ip_input (m=0xc1e8bb00)
at /usr/src/sys/netinet/ip_input.c:739
#10 0xc057bc7e in netisr_processqueue (ni=0xc074a718)
at /usr/src/sys/net/netisr.c:152
#11 0xc057c093 in swi_net (dummy=0x0) at /usr/src/sys/net/netisr.c:257
#12 0xc04f5112 in ithread_loop (arg=0xc1e74500)
at /usr/src/sys/kern/kern_intr.c:544
#13 0xc04f4104 in fork_exit (callout=0xc04f4f80 <ithread_loop>, arg=0x0,
frame=0x0) at /usr/src/sys/kern/kern_fork.c:796
>How-To-Repeat:
configure an if_gre tunnel over an ethernet link. I havn't confirmed
yet whether the cause depends on the machine in question being a
router ... but it would most certainly influence it.
>Fix:
None yet. I have some thoughts.
It looks like there's some stack corruption. in frame 4, mtu=-1041688000
and m = 0x0 in frame 3. Some values make sense and others do not.
Dave.
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040111195944.0AB1A1D1FB8>