NetBSD Problem Report #29531
From apz@server2.apz.fi Sat Feb 26 05:14:40 2005
Return-Path: <apz@server2.apz.fi>
Received: from server2.apz.fi (dsl-lprgw4pa0.dial.inet.fi [80.222.223.160])
by narn.netbsd.org (Postfix) with ESMTP id 0605863B104
for <gnats-bugs@gnats.NetBSD.org>; Sat, 26 Feb 2005 05:14:35 +0000 (UTC)
Message-Id: <20050226051433.1BC523E38D1@server2.apz.fi>
Date: Sat, 26 Feb 2005 07:14:33 +0200 (EET)
From: apz-list@2304.org
Reply-To: apz-list@2304.org
To: gnats-bugs@netbsd.org
Subject: Active FTP support with NAT causes panic
X-Send-Pr-Version: 3.95
>Number: 29531
>Category: kern
>Synopsis: Active FTP support with NAT causes panic
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Feb 26 05:15:00 +0000 2005
>Last-Modified: Sun Feb 27 17:36:00 +0000 2005
>Originator: Ari Sovijärvi
>Release: NetBSD 2.0
>Organization:
Private
>Environment:
System: NetBSD server2 2.0 NetBSD 2.0 (TAME-III) #0: Sun Feb 13 08:31:27 EET 2005 root@server2:/usr/obj/sys/arch/i386/compile/TAME i386
Architecture: i386
Machine: i386
>Description:
I'm using this machine as a NAT, and the related settings are:
map vr0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map vr0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map vr0 192.168.1.0/24 -> 0/32
I was transferring files with a Windows' WS_FTP, as the FTP connection
froze. I reconnected and resumed the transfer, but after a minute or
so it froze again and the NAT box had paniced.
Here's the output from trace: http://apz.fi/tmp/trace.jpg
>How-To-Repeat:
Enable active FTP support, use FTP from any machine behind the NAT.
>Fix:
Unknown. Workaround: disable active FTP support and use
passive FTP.
>Audit-Trail:
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/29531: Active FTP support with NAT causes panic
Date: Sat, 26 Feb 2005 08:01:12 +0100
On Sat, Feb 26, 2005 at 05:15:00AM +0000, apz-list@2304.org wrote:
> Here's the output from trace: http://apz.fi/tmp/trace.jpg
What is the panic message itself?
Martin
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/29531: Active FTP support with NAT causes panic
Date: Sat, 26 Feb 2005 08:13:58 +0100
Also, could you try to boot -d, then set ippr_ftp_debug=5 and capture all
the output (via a serial console?) - and make it crash again?
Martin
From: Arto Selonen <arto@selonen.org>
To: gnats-bugs@netbsd.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org, apz-list@2304.org, martin@duskware.de
Subject: Re: kern/29531: Active FTP support with NAT causes panic
Date: Sat, 26 Feb 2005 11:24:22 +0200 (EET)
Hi!
On Sat, 26 Feb 2005 apz-list@2304.org wrote:
>> Number: 29531
>> Category: kern
>> Synopsis: Active FTP support with NAT causes panic
>> Confidential: no
>> Severity: serious
>> Priority: medium
>> Description:
> I'm using this machine as a NAT, and the related settings are:
>
> map vr0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
> map vr0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
> map vr0 192.168.1.0/24 -> 0/32
>
> I was transferring files with a Windows' WS_FTP, as the FTP connection
> froze. I reconnected and resumed the transfer, but after a minute or
> so it froze again and the NAT box had paniced.
>
> Here's the output from trace: http://apz.fi/tmp/trace.jpg
I've seen the same kind of panics twice now with NetBSD-current 2.99.15
from ~20050131. I haven't been able to trigger it with simple FTP tests,
so I assumed it was related to another problem (see kern/29529).
I have a crash dump of the first panic, if somebody is interested.
The panic message was something about m_copydata, but I don't have the
details at hand right now.
Hope this helps,
Artsi
--
#######======------ http://www.selonen.org/arto/ --------========########
Everstinkuja 5 B 35 Don't mind doing it.
FIN-02600 Espoo arto@selonen.org Don't mind not doing it.
Finland tel +358 50 560 4826 Don't know anything about it.
From: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@NetBSD.org, gnats-admin@NetBSD.org,
netbsd-bugs@NetBSD.org
Subject: Re: kern/29531: Active FTP support with NAT causes panic
Date: Sat, 26 Feb 2005 14:27:15 +0100
At 5:15 Uhr +0000 26.2.2005, apz-list@2304.org wrote:
>>Number: 29531
>>Category: kern
>>Synopsis: Active FTP support with NAT causes panic
Looks remotely similar to PR 25702...
hauke
--
/~\ The ASCII Ribbon Campaign
\ / No HTML/RTF in email
X No Word docs in email
/ \ Respect for open standards
From: Pavel Cahyna <pavel.cahyna@st.cuni.cz>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/29531: Active FTP support with NAT causes panic
Date: Sat, 26 Feb 2005 18:46:16 +0100
On Sat, 26 Feb 2005 05:15:00 +0000, apz-list wrote:
> I was transferring files with a Windows' WS_FTP, as the FTP
connection
> froze. I reconnected and resumed the transfer, but after a
> minute or so it froze again and the NAT box had paniced.
>
> Here's the output from trace: http://apz.fi/tmp/trace.jpg
I am also seeing this on a 2.0_BETA machine:
panic: m_copydata
cpu_Debugger(c0a82cc0,c0c9c154,c0e65e00,28,0) at netbsd:cpu_Debugger+0x4
panic(c0691d6e,c0c9c1cc,28,28,33) at netbsd:panic+0x11d
m_cat(c0c9c100,78,2b,c0d1d310,c0c9c100) at netbsd:m_cat
ippr_ftp_process(c0a82cc0,c0e65e00,c0d1d200,1,c0c9c100) at netbsd:ippr_ftp_process+0x1ce
ippr_ftp_in(c0a82cc0,c0c9eb80,c0e65e00,0,c0bb2200) at netbsd:ippr_ftp_in+0x4e
appr_check(c0a82cc0,c0e65e00,15006804,c0a82cbc,c0a82cc0) at netbsd:appr_check+0x152
fr_natin(c0a82cc0,c0e65e00,1,1,14) at netbsd:fr_natin+0x166
fr_checknatin(c0a82cc0,c0a82cbc,c0a82cc0,28,0) at netbsd:fr_checknatin+0xca
fr_check(c0c9c154,14,c0b81034,0,c0a82dd8) at netbsd:fr_check+0x53a
fr_check_wrapper(0,c0a82dd8,c0b81034,1,c0c9c100) at netbsd:fr_check_wrapper+0x56
pfil_run_hooks(c0767900,c0a82e40,c0b81034,1,4) at netbsd:pfil_run_hooks+0x5b
ip_input(c0c9c100,c04e6435,c0a82e6c,1,0) at netbsd:ip_input+0x8af
ipintr(ddf50010,30,5f10010,10,c0a7f000) at netbsd:ipintr+0xfa
DDB lost frame for netbsd:Xsoftnet+0x40, trying 0xc0a82e70
Xsoftnet() at netbsd:Xsoftnet+0x40
--- interrupt ---
0x246:
Not all IPFilter updates are applied, though. Specifically, ticket #833
was not applied. But since this happens on release too, it is probably not
relevant. I disabled the ftp-proxy and told people to use active FTP as a
workaround.
From: Pavel Cahyna <pavel.cahyna@st.cuni.cz>
To: gnats-bugs@netbsd.org, Arto Selonen <arto@selonen.org>
Cc:
Subject: Re: kern/29531: Active FTP support with NAT causes panic
Date: Sat, 26 Feb 2005 18:58:05 +0100
On Sat, 26 Feb 2005 09:25:01 +0000, Arto Selonen wrote:
> I've seen the same kind of panics twice now with NetBSD-current 2.99.15
> from ~20050131. I haven't been able to trigger it with simple FTP tests,
> so I assumed it was related to another problem (see kern/29529).
>
> I have a crash dump of the first panic, if somebody is interested.
> The panic message was something about m_copydata, but I don't have the
> details at hand right now.
The panic message could be interesting. In my case, this was simply:
panic: m_copydata, but you are running -current, where this message was
made non-ambiguous.
Note: you can retrieve the log from the crash dump with dmesg -N ... -M ...
and the panic message should be there.
Bye Pavel
From: Arto Selonen <arto@selonen.org>
To: Pavel Cahyna <pavel.cahyna@st.cuni.cz>
Cc: gnats-bugs@netbsd.org
Subject: Re: kern/29531: Active FTP support with NAT causes panic
Date: Sat, 26 Feb 2005 21:05:26 +0200 (EET)
Hi!
On Sat, 26 Feb 2005, Pavel Cahyna wrote:
> On Sat, 26 Feb 2005 09:25:01 +0000, Arto Selonen wrote:
>> I have a crash dump of the first panic, if somebody is interested.
>> The panic message was something about m_copydata, but I don't have the
>> details at hand right now.
>
> Note: you can retrieve the log from the crash dump with dmesg -N ... -M ...
> and the panic message should be there.
Ah, didn't think of that. Here is the panic message from dmesg output:
panic: m_copydata: m == 0, len 3
Artsi
--
#######======------ http://www.selonen.org/arto/ --------========########
Everstinkuja 5 B 35 Don't mind doing it.
FIN-02600 Espoo arto@selonen.org Don't mind not doing it.
Finland tel +358 50 560 4826 Don't know anything about it.
From: Darren Reed <darrenr@NetBSD.org>
To: apz-list@2304.org
Cc: gnats-bugs@netbsd.org, martin@netbsd.org, arto@selonen.org
Subject: Re: kern/29531
Date: Sun, 27 Feb 2005 17:08:26 +0000
If you're running -current and seeing a panic message with m_copydata,
please apply the patch below to /sys/kern/uipc_mbuf.c.
I'm after more information as, by all counts, everything should be fine.
Darren
*** uipc_mbuf.c.dist 2005-01-25 08:25:09.000000000 +1100
--- uipc_mbuf.c 2005-02-21 03:57:01.000000000 +1100
***************
*** 670,691 ****
void
m_copydata(struct mbuf *m, int off, int len, void *vp)
{
unsigned count;
char *cp = vp;
! if (off < 0 || len < 0)
panic("m_copydata: off %d, len %d", off, len);
while (off > 0) {
! if (m == 0)
panic("m_copydata: m == 0, off %d", off);
if (off < m->m_len)
break;
off -= m->m_len;
m = m->m_next;
}
while (len > 0) {
! if (m == 0)
panic("m_copydata: m == 0, len %d", len);
count = min(m->m_len - off, len);
memcpy(cp, mtod(m, caddr_t) + off, count);
len -= count;
--- 670,714 ----
void
m_copydata(struct mbuf *m, int off, int len, void *vp)
{
+ int _off = off, _len = len;
+ struct mbuf *_m = m;
+ void *_vp = vp;
unsigned count;
char *cp = vp;
! if (off < 0 || len < 0) {
! printf("m_copydata(%p,%d,%d,%p)\n", _m, _off, _len, _vp);
panic("m_copydata: off %d, len %d", off, len);
+ }
while (off > 0) {
! if (m == 0) {
! struct mbuf *n;
! int l;
!
! for (l = 0, n = m; n != NULL; n = n->m_next)
! l += n->m_len;
! printf("m_copydata(%p[%x,%d/%d],%d,%d,%p)\n",
! _m, _m->m_flags, _m->m_pkthdr.len, l,
! _off, _len, _vp);
panic("m_copydata: m == 0, off %d", off);
+ }
if (off < m->m_len)
break;
off -= m->m_len;
m = m->m_next;
}
while (len > 0) {
! if (m == 0) {
! struct mbuf *n;
! int l;
!
! for (l = 0, n = m; n != NULL; n = n->m_next)
! l += n->m_len;
! printf("m_copydata(%p[%x,%d/%d],%d,%d,%p)\n",
! _m, _m->m_flags, _m->m_pkthdr.len, l,
! _off, _len, _vp);
panic("m_copydata: m == 0, len %d", len);
+ }
count = min(m->m_len - off, len);
memcpy(cp, mtod(m, caddr_t) + off, count);
len -= count;
From: Darren Reed <darrenr@NetBSD.org>
To: apz-list@2304.org
Cc:
Subject: Re: kern/29531
Date: Sun, 27 Feb 2005 17:29:10 +0000
Please also apply this patch to ip_ftp_pxy.c
Darren
Index: ip_ftp_pxy.c
===================================================================
RCS file: /devel/CVS/IP-Filter/ip_ftp_pxy.c,v
retrieving revision 2.88.2.10
diff -c -r2.88.2.10 ip_ftp_pxy.c
*** ip_ftp_pxy.c 4 Feb 2005 10:22:54 -0000 2.88.2.10
--- ip_ftp_pxy.c 27 Feb 2005 17:20:02 -0000
***************
*** 286,292 ****
if (inc < 0)
m_adj(m, inc);
# ifdef M_PKTHDR
! if (!(m->m_flags & M_PKTHDR))
m->m_pkthdr.len += inc;
# endif
# endif
--- 286,292 ----
if (inc < 0)
m_adj(m, inc);
# ifdef M_PKTHDR
! if ((m->m_flags & M_PKTHDR) != 0)
m->m_pkthdr.len += inc;
# endif
# endif
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.