NetBSD Problem Report #29531

From apz@server2.apz.fi  Sat Feb 26 05:14:40 2005
Return-Path: <apz@server2.apz.fi>
Received: from server2.apz.fi (dsl-lprgw4pa0.dial.inet.fi [80.222.223.160])
	by narn.netbsd.org (Postfix) with ESMTP id 0605863B104
	for <gnats-bugs@gnats.NetBSD.org>; Sat, 26 Feb 2005 05:14:35 +0000 (UTC)
Message-Id: <20050226051433.1BC523E38D1@server2.apz.fi>
Date: Sat, 26 Feb 2005 07:14:33 +0200 (EET)
From: apz-list@2304.org
Reply-To: apz-list@2304.org
To: gnats-bugs@netbsd.org
Subject: Active FTP support with NAT causes panic
X-Send-Pr-Version: 3.95

>Number:         29531
>Category:       kern
>Synopsis:       Active FTP support with NAT causes panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Feb 26 05:15:00 +0000 2005
>Last-Modified:  Sun Feb 27 17:36:00 +0000 2005
>Originator:     Ari Sovijärvi
>Release:        NetBSD 2.0
>Organization:
Private	
>Environment:
System: NetBSD server2 2.0 NetBSD 2.0 (TAME-III) #0: Sun Feb 13 08:31:27 EET 2005 root@server2:/usr/obj/sys/arch/i386/compile/TAME i386
Architecture: i386
Machine: i386
>Description:
        I'm using this machine as a NAT, and the related settings are: 

        map vr0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
        map vr0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
        map vr0 192.168.1.0/24 -> 0/32

        I was transferring files with a Windows' WS_FTP, as the FTP connection
        froze. I reconnected and resumed the transfer, but after a minute or 
        so it froze again and the NAT box had paniced.

        Here's the output from trace: http://apz.fi/tmp/trace.jpg
>How-To-Repeat:
        Enable active FTP support, use FTP from any machine behind the NAT.
>Fix:
        Unknown. Workaround: disable active FTP support and use
        passive FTP.

>Audit-Trail:
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: kern/29531: Active FTP support with NAT causes panic
Date: Sat, 26 Feb 2005 08:01:12 +0100

 On Sat, Feb 26, 2005 at 05:15:00AM +0000, apz-list@2304.org wrote:
 >         Here's the output from trace: http://apz.fi/tmp/trace.jpg

 What is the panic message itself?

 Martin

From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: kern/29531: Active FTP support with NAT causes panic
Date: Sat, 26 Feb 2005 08:13:58 +0100

 Also, could you try to boot -d, then set ippr_ftp_debug=5 and capture all
 the output (via a serial console?) - and make it crash again?

 Martin

From: Arto Selonen <arto@selonen.org>
To: gnats-bugs@netbsd.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
	netbsd-bugs@netbsd.org, apz-list@2304.org, martin@duskware.de
Subject: Re: kern/29531: Active FTP support with NAT causes panic
Date: Sat, 26 Feb 2005 11:24:22 +0200 (EET)

 Hi!

 On Sat, 26 Feb 2005 apz-list@2304.org wrote:

 >> Number:         29531
 >> Category:       kern
 >> Synopsis:       Active FTP support with NAT causes panic
 >> Confidential:   no
 >> Severity:       serious
 >> Priority:       medium

 >> Description:
 >        I'm using this machine as a NAT, and the related settings are:
 >
 >        map vr0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
 >        map vr0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
 >        map vr0 192.168.1.0/24 -> 0/32
 >
 >        I was transferring files with a Windows' WS_FTP, as the FTP connection
 >        froze. I reconnected and resumed the transfer, but after a minute or
 >        so it froze again and the NAT box had paniced.
 >
 >        Here's the output from trace: http://apz.fi/tmp/trace.jpg

 I've seen the same kind of panics twice now with NetBSD-current 2.99.15 
 from ~20050131. I haven't been able to trigger it with simple FTP tests,
 so I assumed it was related to another problem (see kern/29529).

 I have a crash dump of the first panic, if somebody is interested.
 The panic message was something about m_copydata, but I don't have the
 details at hand right now.


 Hope this helps,
  		Artsi
 -- 
 #######======------  http://www.selonen.org/arto/  --------========########
 Everstinkuja 5 B 35                               Don't mind doing it.
 FIN-02600 Espoo        arto@selonen.org         Don't mind not doing it.
 Finland              tel +358 50 560 4826     Don't know anything about it.

From: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@NetBSD.org, gnats-admin@NetBSD.org,
	netbsd-bugs@NetBSD.org
Subject: Re: kern/29531: Active FTP support with NAT causes panic
Date: Sat, 26 Feb 2005 14:27:15 +0100

 At 5:15 Uhr +0000 26.2.2005, apz-list@2304.org wrote:
 >>Number:         29531
 >>Category:       kern
 >>Synopsis:       Active FTP support with NAT causes panic

 Looks remotely similar to PR 25702...

 	hauke

 --
 /~\  The ASCII Ribbon Campaign
 \ /    No HTML/RTF in email
  X     No Word docs in email
 / \  Respect for open standards


From: Pavel Cahyna <pavel.cahyna@st.cuni.cz>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: kern/29531: Active FTP support with NAT causes panic
Date: Sat, 26 Feb 2005 18:46:16 +0100

 On Sat, 26 Feb 2005 05:15:00 +0000, apz-list wrote:

 >         I was transferring files with a Windows' WS_FTP, as the FTP
 connection
 >         froze. I reconnected and resumed the transfer, but after a
 >         minute or so it froze again and the NAT box had paniced.
 >         
 >         Here's the output from trace: http://apz.fi/tmp/trace.jpg

 I am also seeing this on a 2.0_BETA machine:

 panic: m_copydata
 cpu_Debugger(c0a82cc0,c0c9c154,c0e65e00,28,0) at netbsd:cpu_Debugger+0x4
 panic(c0691d6e,c0c9c1cc,28,28,33) at netbsd:panic+0x11d
 m_cat(c0c9c100,78,2b,c0d1d310,c0c9c100) at netbsd:m_cat
 ippr_ftp_process(c0a82cc0,c0e65e00,c0d1d200,1,c0c9c100) at netbsd:ippr_ftp_process+0x1ce
 ippr_ftp_in(c0a82cc0,c0c9eb80,c0e65e00,0,c0bb2200) at netbsd:ippr_ftp_in+0x4e
 appr_check(c0a82cc0,c0e65e00,15006804,c0a82cbc,c0a82cc0) at netbsd:appr_check+0x152
 fr_natin(c0a82cc0,c0e65e00,1,1,14) at netbsd:fr_natin+0x166
 fr_checknatin(c0a82cc0,c0a82cbc,c0a82cc0,28,0) at netbsd:fr_checknatin+0xca
 fr_check(c0c9c154,14,c0b81034,0,c0a82dd8) at netbsd:fr_check+0x53a
 fr_check_wrapper(0,c0a82dd8,c0b81034,1,c0c9c100) at netbsd:fr_check_wrapper+0x56
 pfil_run_hooks(c0767900,c0a82e40,c0b81034,1,4) at netbsd:pfil_run_hooks+0x5b
 ip_input(c0c9c100,c04e6435,c0a82e6c,1,0) at netbsd:ip_input+0x8af
 ipintr(ddf50010,30,5f10010,10,c0a7f000) at netbsd:ipintr+0xfa
 DDB lost frame for netbsd:Xsoftnet+0x40, trying 0xc0a82e70
 Xsoftnet() at netbsd:Xsoftnet+0x40
 --- interrupt ---
 0x246:

 Not all IPFilter updates are applied, though. Specifically, ticket #833
 was not applied. But since this happens on release too, it is probably not
 relevant. I disabled the ftp-proxy and told people to use active FTP as a
 workaround.

From: Pavel Cahyna <pavel.cahyna@st.cuni.cz>
To: gnats-bugs@netbsd.org, Arto Selonen <arto@selonen.org>
Cc: 
Subject: Re: kern/29531: Active FTP support with NAT causes panic
Date: Sat, 26 Feb 2005 18:58:05 +0100

 On Sat, 26 Feb 2005 09:25:01 +0000, Arto Selonen wrote:

 >  I've seen the same kind of panics twice now with NetBSD-current 2.99.15 
 >  from ~20050131. I haven't been able to trigger it with simple FTP tests,
 >  so I assumed it was related to another problem (see kern/29529).
 >  
 >  I have a crash dump of the first panic, if somebody is interested.
 >  The panic message was something about m_copydata, but I don't have the
 >  details at hand right now.

 The panic message could be interesting. In my case, this was simply:
 panic: m_copydata, but you are running -current, where this message was
 made non-ambiguous.

 Note: you can retrieve the log from the crash dump with dmesg -N ... -M ... 
 and the panic message should be there.

 Bye	Pavel

From: Arto Selonen <arto@selonen.org>
To: Pavel Cahyna <pavel.cahyna@st.cuni.cz>
Cc: gnats-bugs@netbsd.org
Subject: Re: kern/29531: Active FTP support with NAT causes panic
Date: Sat, 26 Feb 2005 21:05:26 +0200 (EET)

 Hi!

 On Sat, 26 Feb 2005, Pavel Cahyna wrote:
 > On Sat, 26 Feb 2005 09:25:01 +0000, Arto Selonen wrote:
 >>  I have a crash dump of the first panic, if somebody is interested.
 >>  The panic message was something about m_copydata, but I don't have the
 >>  details at hand right now.
 >
 > Note: you can retrieve the log from the crash dump with dmesg -N ... -M ...
 > and the panic message should be there.

 Ah, didn't think of that. Here is the panic message from dmesg output:

 panic: m_copydata: m == 0, len 3


 Artsi
 -- 
 #######======------  http://www.selonen.org/arto/  --------========########
 Everstinkuja 5 B 35                               Don't mind doing it.
 FIN-02600 Espoo        arto@selonen.org         Don't mind not doing it.
 Finland              tel +358 50 560 4826     Don't know anything about it.

From: Darren Reed <darrenr@NetBSD.org>
To: apz-list@2304.org
Cc: gnats-bugs@netbsd.org, martin@netbsd.org, arto@selonen.org
Subject: Re: kern/29531
Date: Sun, 27 Feb 2005 17:08:26 +0000

 If you're running -current and seeing a panic message with m_copydata,
 please apply the patch below to /sys/kern/uipc_mbuf.c.

 I'm after more information as, by all counts, everything should be fine.

 Darren

 *** uipc_mbuf.c.dist	2005-01-25 08:25:09.000000000 +1100
 --- uipc_mbuf.c	2005-02-21 03:57:01.000000000 +1100
 ***************
 *** 670,691 ****
   void
   m_copydata(struct mbuf *m, int off, int len, void *vp)
   {
   	unsigned count;
   	char *cp = vp;

 ! 	if (off < 0 || len < 0)
   		panic("m_copydata: off %d, len %d", off, len);
   	while (off > 0) {
 ! 		if (m == 0)
   			panic("m_copydata: m == 0, off %d", off);
   		if (off < m->m_len)
   			break;
   		off -= m->m_len;
   		m = m->m_next;
   	}
   	while (len > 0) {
 ! 		if (m == 0)
   			panic("m_copydata: m == 0, len %d", len);
   		count = min(m->m_len - off, len);
   		memcpy(cp, mtod(m, caddr_t) + off, count);
   		len -= count;
 --- 670,714 ----
   void
   m_copydata(struct mbuf *m, int off, int len, void *vp)
   {
 + 	int _off = off, _len = len;
 + 	struct mbuf *_m = m;
 + 	void *_vp = vp;
   	unsigned count;
   	char *cp = vp;

 ! 	if (off < 0 || len < 0) {
 ! 		printf("m_copydata(%p,%d,%d,%p)\n", _m, _off, _len, _vp);
   		panic("m_copydata: off %d, len %d", off, len);
 + 	}
   	while (off > 0) {
 ! 		if (m == 0) {
 ! 			struct mbuf *n;
 ! 			int l;
 ! 
 ! 			for (l = 0, n = m; n != NULL; n = n->m_next)
 ! 				l += n->m_len;
 ! 			printf("m_copydata(%p[%x,%d/%d],%d,%d,%p)\n",
 ! 				_m, _m->m_flags, _m->m_pkthdr.len, l,
 ! 				_off, _len, _vp);
   			panic("m_copydata: m == 0, off %d", off);
 + 		}
   		if (off < m->m_len)
   			break;
   		off -= m->m_len;
   		m = m->m_next;
   	}
   	while (len > 0) {
 ! 		if (m == 0) {
 ! 			struct mbuf *n;
 ! 			int l;
 ! 
 ! 			for (l = 0, n = m; n != NULL; n = n->m_next)
 ! 				l += n->m_len;
 ! 			printf("m_copydata(%p[%x,%d/%d],%d,%d,%p)\n",
 ! 				_m, _m->m_flags, _m->m_pkthdr.len, l,
 ! 				_off, _len, _vp);
   			panic("m_copydata: m == 0, len %d", len);
 + 		}
   		count = min(m->m_len - off, len);
   		memcpy(cp, mtod(m, caddr_t) + off, count);
   		len -= count;

From: Darren Reed <darrenr@NetBSD.org>
To: apz-list@2304.org
Cc: 
Subject: Re: kern/29531
Date: Sun, 27 Feb 2005 17:29:10 +0000

 Please also apply this patch to ip_ftp_pxy.c

 Darren

 Index: ip_ftp_pxy.c
 ===================================================================
 RCS file: /devel/CVS/IP-Filter/ip_ftp_pxy.c,v
 retrieving revision 2.88.2.10
 diff -c -r2.88.2.10 ip_ftp_pxy.c
 *** ip_ftp_pxy.c	4 Feb 2005 10:22:54 -0000	2.88.2.10
 --- ip_ftp_pxy.c	27 Feb 2005 17:20:02 -0000
 ***************
 *** 286,292 ****
   	if (inc < 0)
   		m_adj(m, inc);
   #  ifdef	M_PKTHDR
 ! 	if (!(m->m_flags & M_PKTHDR))
   		m->m_pkthdr.len += inc;
   #  endif
   # endif
 --- 286,292 ----
   	if (inc < 0)
   		m_adj(m, inc);
   #  ifdef	M_PKTHDR
 ! 	if ((m->m_flags & M_PKTHDR) != 0)
   		m->m_pkthdr.len += inc;
   #  endif
   # endif

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.