Date: Sun, 11 Jan 2004 14:59:44 -0500 (EST) From: David Gilbert <dgilbert@dclg.ca> To: FreeBSD-gnats-submit@FreeBSD.org Subject: kern/61215: off-by-one error likely in ip_fragment() Message-ID: <20040111195944.0AB1A1D1FB8@canoe.dclg.ca> Resent-Message-ID: <200401112000.i0BK0bhf070739@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 61215 >Category: kern >Synopsis: off-by-one error likely in ip_fragment() >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun Jan 11 12:00:36 PST 2004 >Closed-Date: >Last-Modified: >Originator: David Gilbert >Release: FreeBSD 5.2-CURRENT i386 >Organization: DaveG.ca >Environment: System: FreeBSD canoe.dclg.ca 5.2-CURRENT FreeBSD 5.2-CURRENT #3: Fri Jan 2 13:57:59 EST 2004 dgilbert@canoe.dclg.ca:/usr/src/sys/i386/compile/CANOE i386 As above, but the problem machine was cvsup'd on the 9th. >Description: It would appear that GRE calling ip_fragment() is leading to an an immediate crash. The machine in question crashes dependably during boot. The following is the backtrace: panic messages: --- panic: m_copym, offset > size of mbuf chain #0 doadump () at /usr/src/sys/kern/kern_shutdown.c:240 #1 0xc0508512 in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:372 #2 0xc0508868 in panic () at /usr/src/sys/kern/kern_shutdown.c:550 #3 0xc0544fa5 in m_copym (m=0x0, off0=1500, len=1480, wait=4) at /usr/src/sys/kern/uipc_mbuf.c:211 #4 0xc059b941 in ip_fragment (ip=0xc1e919e8, m_frag=0xdf92c9e0, mtu=-1041688000, if_hwassist_flags=0, sw_csum=1) at /usr/src/sys/netinet/ip_output.c:1219 #5 0xc059b55f in ip_output (m0=0x1, opt=0xc1e919e8, ro=0xc5f8edfc, flags=0, imo=0x0, inp=0x0) at /usr/src/sys/netinet/ip_output.c:1047 #6 0xc611054f in gre_output (ifp=0xc5f8ec00, m=0xc1e91900, dst=0xc1e919e8, rt=0xc612ce00) at /usr/src/sys/net/if_gre.c:372 #7 0xc059b4f0 in ip_output (m0=0x1, opt=0xc2b2a00e, ro=0xdf92cb7c, flags=1, imo=0x0, inp=0x0) at /usr/src/sys/netinet/ip_output.c:1021 #8 0xc059a3c6 in ip_forward (m=0xc1e8bb00, srcrt=0, next_hop=0x0) at /usr/src/sys/netinet/ip_input.c:1929 #9 0xc0598db0 in ip_input (m=0xc1e8bb00) at /usr/src/sys/netinet/ip_input.c:739 #10 0xc057bc7e in netisr_processqueue (ni=0xc074a718) at /usr/src/sys/net/netisr.c:152 #11 0xc057c093 in swi_net (dummy=0x0) at /usr/src/sys/net/netisr.c:257 #12 0xc04f5112 in ithread_loop (arg=0xc1e74500) at /usr/src/sys/kern/kern_intr.c:544 #13 0xc04f4104 in fork_exit (callout=0xc04f4f80 <ithread_loop>, arg=0x0, frame=0x0) at /usr/src/sys/kern/kern_fork.c:796 >How-To-Repeat: configure an if_gre tunnel over an ethernet link. I havn't confirmed yet whether the cause depends on the machine in question being a router ... but it would most certainly influence it. >Fix: None yet. I have some thoughts. It looks like there's some stack corruption. in frame 4, mtu=-1041688000 and m = 0x0 in frame 3. Some values make sense and others do not. Dave. >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040111195944.0AB1A1D1FB8>