NetBSD Problem Report #30098
From www@netbsd.org Sat Apr 30 12:09:21 2005
Return-Path: <www@netbsd.org>
Received: by narn.netbsd.org (Postfix, from userid 31301)
id 5D3FB63B116; Sat, 30 Apr 2005 12:09:21 +0000 (UTC)
Message-Id: <20050430120921.5D3FB63B116@narn.netbsd.org>
Date: Sat, 30 Apr 2005 12:09:21 +0000 (UTC)
From: k3rag3z@wp.pl
Reply-To: k3rag3z@wp.pl
To: gnats-bugs@netbsd.org
Subject: nmap causes kern panic in m_pulldown on sparc64
X-Send-Pr-Version: www-1.0
>Number: 30098
>Category: kern
>Synopsis: nmap causes kern panic in m_pulldown on sparc64
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Apr 30 12:10:00 +0000 2005
>Closed-Date: Fri May 06 09:43:47 +0000 2005
>Last-Modified: Sat May 07 00:10:01 +0000 2005
>Originator: Adam T. Zegarek
>Release: 2.0.2
>Organization:
>Environment:
System: NetBSD sparc.lan 2.0.2 NetBSD 2.0.2 (GENERIC) #0: Wed Mar 23 01:40:44 UTC 2005 builds@works.netbsd.org:/home/builds/ab/netbsd-2-0-2-RELEASE/sparc64/200503220140Z-obj/home/builds/ab/netbsd-2-0-2-RELEASE/src/sys/arch/sparc64/compile/GENERIC sparc64
Architecture: sparc64
Machine: sparc64
Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi 270MHZ), Keyboard present
Openboot 3.15, 64 MB memory installed, Serial #1067312
Ethernet address 8:0:20:a2:db:d8, host ID: 80a2bd8
>Description:
Whenever running nmap-3.81 on 10.0.0.4 (oneself) the kernel panics with "m_pulldown malfunction".
# nmap -sS -sV -P0 -O -vvv -f 10.0.0.4
10.0.0.4 is the DHCP address of the machine obtained from an ADSL router (Thomson 510).
Machine runs OpenSSHd at start-up, installed from a package for NetBSD-2.0/sparc64.
The crash is repetitive. It happens every time with these nmap switches. I haven't been able to single out the only culprit for this misbehaviour.
The panic occurs both when nmap is run localy or via ssh.
>How-To-Repeat:
- Install NetBSD 2.0.2 from sparc64.iso
- Install and run openssh (openssh-3.9.1nb5) from packages from 2.0 Release.
- Grab the pkgsrc (# $NetBSD: Packages.txt,v 1.366 2004/11/30 21:05:24 jlam Exp $).
- Install net/nmap (deafult compilation, without additional options)
- Run as root:
# nmap -sS -sV -P0 -O -vvv -f 10.0.0.4
- Observe:
Starting nmap 3.81 ( http://www.insecure.org/nmap ) at 2005-04-29 20:33 CEST
Initiatining SYN Stealth Scan againts 10.0.0.4 [1663 ports] at 20:33
Increasing send delay for 10.0.0.4 from 0 to 5 due to 22 out of 73 dropped probes since last increase
Increasing send delay for 10.0.0.4 from 5 to 10 due to max_successful_tryno increase to 4
The SYN Stealth Scan took 35.88s to scan 1663 ports.
Initiating service scan against 1 service on 10.0.0.4 at 20:33
The service scan took 0.93s to scan 1 service on 1 host.
For OOScan assuming that port 22 is open and 1 is closed and neither are firewalled.
panic: m_pulldown malfunction
kdb breakpoint at 1335d28
Stopped in pid 6628.1 (nmap) at netbsd:cpu_Debugger+0x4: nop
(gdb)
- Info from gdb:
# gdb /netbsd
(gdb) x 1335d28
0x1335d28 <cpu_Debugger>: 0x91d02001
- nmap:
% ldd `which nmap`
/usr/pkg/bin/nmap:
-lpcre.0 => /usr/pkg/lib/libpcre.so.0
-lpcap.1 => /usr/lib/libpcap.so.1
-lssl.3 => /usr/lib/libssl.so.3
-lcrypto.2 => /usr/lib/libcrypto.so.2
-lstdc++.5 => /usr/lib/libstdc++.so.5
-lm.0 => /usr/lib/libm.so.0
-lgcc_s.1 => /usr/lib/libgcc_s.so.1
-lc.12 => /usr/lib/libc.so.12
% nmap -V
nmap version 3.81 ( http://www.insecure.org/nmap/ )
>Fix:
Workaround: do not use nmap with these switches to scan oneself.
>Release-Note:
>Audit-Trail:
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/30098: nmap causes kern panic in m_pulldown on sparc64
Date: Sun, 1 May 2005 20:22:13 +0200
On Sat, Apr 30, 2005 at 12:10:00PM +0000, k3rag3z@wp.pl wrote:
> The crash is repetitive. It happens every time with these nmap switches.
FWIW, I can't reproduce the problem on a -current sparc64 machine.
I also can't reproduce it with a sparc or i386 2.0.2 machine.
Martin
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/30098: nmap causes kern panic in m_pulldown on sparc64
Date: Sun, 1 May 2005 23:28:38 +0200
FYI: I can reproduce this on the 2.0 branch with sparc64 machines.
Martin
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/30098: nmap causes kern panic in m_pulldown on sparc64
Date: Mon, 2 May 2005 10:15:45 +0200
The panic happens in tcp_input.c line 938:
/*
* tcp_input() has been modified to use tlen to mean the TCP data
* length throughout the function. Other functions can use
* m->m_pkthdr.len as the basis for calculating the TCP data length.
* rja
*/
if (off > sizeof (struct tcphdr)) {
IP6_EXTHDR_GET(th, struct tcphdr *, m, toff, off);
if (th == NULL) {
tcpstat.tcps_rcvshort++;
return;
}
inside the IP6_EXTHDR_GET macro.
#define IP6_EXTHDR_GET(val, typ, m, off, len) \
do { \
struct mbuf *t; \
int tmp; \
if ((m)->m_len >= (off) + (len)) \
(val) = (typ)(mtod((m), caddr_t) + (off)); \
else { \
t = m_pulldown((m), (off), (len), &tmp); \
if (t) { \
if (t->m_len < tmp + (len)) { \
after m_pulldown t->m_len is 16, tmp is 0, off is 20 and len is 20 too.
t->m_flags is 0x402 (M_CANFASTFWD|M_PKTHDR) and the (funny) lengths
of the mbufs in the chain are: 16, 8, 8, 8.
I already tried uipc_mbuf2.c rev. 1.17, but that did not fix it.
Anyone remember what might have fixed this post 2.0?
Martin
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/30098: nmap causes kern panic in m_pulldown on sparc64
Date: Tue, 3 May 2005 13:10:24 +0200
So, what happens is that m_pulldown in kern/uipc_mbuf2.c:180 does this:
if ((off == 0 || offp) && M_LEADINGSPACE(n->m_next) >= hlen &&
!sharedcluster) {
n->m_next->m_data -= hlen;
n->m_next->m_len += hlen;
memcpy(mtod(n->m_next, caddr_t), mtod(n, caddr_t) + off, hlen);
n->m_len -= hlen;
n = n->m_next;
off = 0;
goto ok;
}
Now in our case n->m_next has 8 bytes, and enough leading space. So we go into
this if, and prepend 8 bytes from n to n->m_next. That makes it contain 16
bytes, but we want 20 - the "goto ok" is optimistic, we need to check for
this case and pull down something from the next mbuf, right?
A brute force fix is to disable this optimization:
Index: uipc_mbuf2.c
===================================================================
RCS file: /cvsroot/src/sys/kern/uipc_mbuf2.c,v
retrieving revision 1.17
diff -u -r1.17 uipc_mbuf2.c
--- uipc_mbuf2.c 21 Jul 2004 12:09:43 -0000 1.17
+++ uipc_mbuf2.c 3 May 2005 11:02:33 -0000
@@ -178,7 +178,7 @@
goto ok;
}
if ((off == 0 || offp) && M_LEADINGSPACE(n->m_next) >= hlen &&
- !sharedcluster) {
+ !sharedcluster && n->m_next->m_len >= tlen) {
n->m_next->m_data -= hlen;
n->m_next->m_len += hlen;
memcpy(mtod(n->m_next, caddr_t), mtod(n, caddr_t) + off, hlen);
Or is this worth a real fix?
Martin
From: Martin Husemann <martin@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: PR/30098 CVS commit: src/sys/kern
Date: Fri, 6 May 2005 09:40:40 +0000 (UTC)
Module Name: src
Committed By: martin
Date: Fri May 6 09:40:40 UTC 2005
Modified Files:
src/sys/kern: uipc_mbuf2.c
Log Message:
In m_pulldown avoid a prepend to the next mbuf in the chain if the result
would still not have all data we want continous.
Fixes PR kern/30098.
To generate a diff of this commit:
cvs rdiff -r1.18 -r1.19 src/sys/kern/uipc_mbuf2.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: martin@netbsd.org
State-Changed-When: Fri, 06 May 2005 09:43:47 +0000
State-Changed-Why:
Fixed the root cause in -current and requested pullup.
Thanks for the report!
From: Soren Jacobsen <snj@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: PR/30098 CVS commit: [netbsd-2] src/sys/kern
Date: Fri, 6 May 2005 23:45:38 +0000 (UTC)
Module Name: src
Committed By: snj
Date: Fri May 6 23:45:38 UTC 2005
Modified Files:
src/sys/kern [netbsd-2]: uipc_mbuf2.c
Log Message:
Pull up revision 1.19 (requested by martin in ticket #1503):
In m_pulldown avoid a prepend to the next mbuf in the chain if the result
would still not have all data we want continous.
Fixes PR kern/30098.
To generate a diff of this commit:
cvs rdiff -r1.16 -r1.16.4.1 src/sys/kern/uipc_mbuf2.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Soren Jacobsen <snj@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: PR/30098 CVS commit: [netbsd-2-0] src/sys/kern
Date: Fri, 6 May 2005 23:50:23 +0000 (UTC)
Module Name: src
Committed By: snj
Date: Fri May 6 23:50:22 UTC 2005
Modified Files:
src/sys/kern [netbsd-2-0]: uipc_mbuf2.c
Log Message:
Pull up revision 1.19 (requested by martin in ticket #1503):
In m_pulldown avoid a prepend to the next mbuf in the chain if the result
would still not have all data we want continous.
Fixes PR kern/30098.
To generate a diff of this commit:
cvs rdiff -r1.16 -r1.16.2.1 src/sys/kern/uipc_mbuf2.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Soren Jacobsen <snj@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: PR/30098 CVS commit: [netbsd-3] src/sys/kern
Date: Sat, 7 May 2005 00:09:16 +0000 (UTC)
Module Name: src
Committed By: snj
Date: Sat May 7 00:09:16 UTC 2005
Modified Files:
src/sys/kern [netbsd-3]: uipc_mbuf2.c
Log Message:
Pull up revision 1.19 (requested by martin in ticket #254):
In m_pulldown avoid a prepend to the next mbuf in the chain if the result
would still not have all data we want continous.
Fixes PR kern/30098.
To generate a diff of this commit:
cvs rdiff -r1.18 -r1.18.2.1 src/sys/kern/uipc_mbuf2.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.