NetBSD Problem Report #49650

From t.hash425@gmail.com  Sun Feb  8 07:35:11 2015
Return-Path: <t.hash425@gmail.com>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id BF4CAA5B2E
	for <gnats-bugs@gnats.netbsd.org>; Sun,  8 Feb 2015 07:35:11 +0000 (UTC)
Message-Id: <54D70A5E.3020906@gmail.com>
Date: Sun, 08 Feb 2015 16:03:58 +0900
From: Takahiro HAYASHI <t.hash425@gmail.com>
To: gnats-bugs@gnats.NetBSD.org
Subject: ping6 -mns8000 ::1 kills kernel

>Number:         49650
>Category:       kern
>Synopsis:       ping6 -mns8000 ::1 kills kernel
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Feb 08 07:40:00 +0000 2015
>Closed-Date:    Thu Apr 23 05:36:03 +0000 2015
>Last-Modified:  Thu Apr 23 05:36:03 +0000 2015
>Originator:     Takahiro HAYASHI
>Release:        NetBSD 7.99.4 (GENERIC.201502071120Z from nyftp)
>Organization:
>Environment:
System: NetBSD 7.99.4 amd64
Architecture: x86_64
Machine: amd64
>Description:
	"ping6 -mns8000 ::1" kills the kernel.
	This happens on both the -current and netbsd-7 kernels.

# ifconfig lo0 127.0.0.1
# ping6 -mns8000 ::1
PING6(8048=40+8+8000 bytes) ::1 --> ::1
WARNING: mclpool limit reached; increase kern.mbuf.nmbclusters
fatal protection fault in supervisor mode
trap type 4 code 0 rip ffffffff802884f5 cs 8 rflags 10206 cr2 0 ilevel 4 rsp fffffe8002ef7ca0
curlwp 0xfffffe803f36d420 pid 0.3 lowest kstack 0xfffffe8002ef42c0
kernel: protection fault trap, code=0
Stopped in pid 0.3 (system) at  netbsd:cpu_in_cksum+0xa5:       movl    0(%rbx),%ecx
db{0}> show reg
ds          30
es          184
fs          7c98
gs          6ef1
rdi         fffffe8039990e00
rsi         0
rbp         1794
rbx         8b8a898887868584
rdx         0
rcx         a7a6a5a4
rax         0
r8          f297026a46
r9          0
r10         0
r11         fffffffffffffffc
r12         fffffe803eb65e00
r13         81
r14         fffffe8002ef7ce0
r15         1f48
rip         ffffffff802884f5    cpu_in_cksum+0xa5
cs          8
rflags      10206
rsp         fffffe8002ef7ca0
ss          10
netbsd:cpu_in_cksum+0xa5:       movl    0(%rbx),%ecx
db{0}> trace
cpu_in_cksum() at netbsd:cpu_in_cksum+0xa5
fatal page fault in supervisor mode
trap type 6 code 0 rip ffffffff802ac3f0 cs 8 rflags 10246 cr2 179c ilevel 8 rsp fffffe8002ef7098
curlwp 0xfffffe803f36d420 pid 0.3 lowest kstack 0xfffffe8002ef42c0
kernel: page fault trap, code=0
Faulted in DDB; continuing...
db{0}>

>How-To-Repeat:
	ifconfig lo0 127.0.0.1 (an IPv6 address is also configured), and
	then run "ping6 -mns8000 ::1"
>Fix:
	no idea.

-- 
t-hash

>Release-Note:

>Audit-Trail:
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
	netbsd-bugs@netbsd.org
Subject: Re: kern/49650: ping6 -mns8000 ::1 kills kernel
Date: Sun, 8 Feb 2015 11:52:27 +0100

 FWIW, I cannot reproduce it on arm or hppa.

 Martin

From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/49650: ping6 -mns8000 ::1 kills kernel
Date: Sun, 8 Feb 2015 12:07:31 +0100

 On sparc64 I can reproduce it:

 PING6(8048=40+8+8000 bytes) ::1 --> ::1
 panic: m_copym0 overrun 492 -1802135913
 Stopped in pid 0.3 (system) at  netbsd:cpu_Debugger+0x4:        nop
 db{0}> bt
 db{0}> mach stack
 Window 0 frame64 0x1b02633c0 locals, ins:
 1 1818b60 18196b0 17aed08 17aed40 ffffffffffffffff a 2
 1827a90 1b02635b8 1cd6c00 1cd7f20 1cd8000 104 1b0262c71=sp 14668e4=pc:netbsd:panic+0x24
 Window 1 frame64 0x1b0263470 locals, ins:
 4482000603 0 ffffffffffffffff 1 e0048000 ffffffffffffffff a 2
 1827a90 1ec ffffffff94959697 1 1c95800 103b454a0 1b0262d31=sp 150aab0=pc:netbsd:m_copym0+0x450
 Window 2 frame64 0x1b0263530 locals, ins:
 1ec 1ce0000 0 9000001 fffffe 7ff6 0 1194addb0
 1173a5630 4f8 0 1 0 1194adcb0 1b0262df1=sp 124a700=pc:netbsd:ip6_output+0x1580
 Window 3 frame64 0x1b02635f0 locals, ins:
 1cb5c00 10477c008 104accd68 1f70 1173a4898 10499d4e8 104accd10 0
 0 3a 28 4f8 4d0 1b0263788 1b0263021=sp 117e6b8=pc:netbsd:icmp6_reflect+0x1f8
 Window 4 frame64 0x1b0263820 locals, ins:
 1f48 0 0 9000001 fffffe 7ff6 0 1173a4c30
 104accd10 1b0263900 81 104accd70 104accd80 104accd68 1b0263161=sp 1180588=pc:netbsd:icmp6_input+0xee8
 Window 5 frame64 0x1b0263960 locals, ins:
 80 30 1050f0824 0 1cb1000 0 0 28
 28 1b0263bc4 1f48 104acca10 103b4d200 104acd410 1b0263311=sp 1243178=pc:netbsd:ip6_input+0x7f8

 and this corresponds to the following source lines:

         /*
          * To avoid a "too big" situation at an intermediate router
          * and the path MTU discovery process, specify the IPV6_MINMTU flag.
          * Note that only echo and node information replies are affected,
          * since the length of ICMP6 errors is limited to the minimum MTU.
          */
         if (ip6_output(m, NULL, NULL, IPV6_MINMTU, NULL, NULL, &outif) != 0 &&
             outif)
                 icmp6_ifstat_inc(outif, ifs6_out_error);

         if (outif)
                 icmp6_ifoutstat_inc(outif, type, code);

 in icmp6.c:icmp6_reflect.

 Martin

State-Changed-From-To: open->analyzed
State-Changed-By: mlelstv@NetBSD.org
State-Changed-When: Sun, 08 Feb 2015 22:17:30 +0000
State-Changed-Why:


From: Takahiro HAYASHI <t.hash425@gmail.com>
To: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org, 
 gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc: 
Subject: Re: kern/49650: ping6 -mns8000 ::1 kills kernel
Date: Mon, 09 Feb 2015 19:00:01 +0900

 In article https://mail-index.netbsd.org/source-changes/2015/02/08/msg062994.html

 > Log Message:
 > Correct m_len calculation for m_dup() with mbuf clusters.
 > Fixes kern/49650.

 Thank you for fixing the problem.
 My {HEAD,netbsd-7}/{amd64,i386} and netbsd-7/evbarm-earmv6hf (RPI) kernels
 with this patch survive the ping6.


 -- 
 t-hash

State-Changed-From-To: analyzed->closed
State-Changed-By: snj@NetBSD.org
State-Changed-When: Thu, 23 Apr 2015 05:36:03 +0000
State-Changed-Why:
mlelstv fixed this in revision 1.161 of sys/kern/uipc_mbuf.c, and it was
pulled up to netbsd-7 in ticket 501.


>Unformatted:

 The panics were caused by mbufs corrupted by wrong length calculation
 in m_dup().

 Fixed in sys/kern/uipc_mbuf.c 1.161.
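The following is an added user-space model, not NetBSD code and not the change made in uipc_mbuf.c 1.161. It sketches an mbuf chain and a deep copy in the shape of m_dup(), with a constructed defect in which a cluster mbuf's m_len disagrees with the bytes actually copied into it, and shows how a chain walker in the style of m_copym0() then runs off the end of the copy of an 8048-byte packet like the one in this report. The helper names (m_get, m_clget, m_freem, build_chain, m_dup_model, walk_check, dup_total_len, dup_walks), the modeled sizes MLEN and MCLBYTES, and the packet contents are all assumptions of the model.

```c
/* Added user-space model (not NetBSD code) of a deep mbuf copy shaped like m_dup():
 * a cluster mbuf whose m_len disagrees with the bytes copied into it makes the
 * chain walkers used by fragmentation and checksumming run off the end, the
 * failure class in this PR.  The "buggy" branch is a constructed defect. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MLEN     256   /* modeled inline data area */
#define MCLBYTES 2048  /* modeled cluster size */
#define HDRLEN   48    /* 40 (IPv6) + 8 (ICMPv6) bytes kept inline, as in the PR */

struct mbuf {
    struct mbuf   *m_next;
    unsigned char *m_data;      /* start of valid data */
    int            m_len;       /* bytes of valid data at m_data */
    int            m_cap;       /* capacity of the buffer m_data points into */
    unsigned char *m_ext;       /* cluster when attached, else NULL */
    unsigned char  m_dat[MLEN]; /* inline storage */
};

static struct mbuf *m_get(void)
{
    struct mbuf *m = calloc(1, sizeof *m);
    if (m == NULL) abort();
    m->m_data = m->m_dat; m->m_cap = MLEN;
    return m;
}

static void m_clget(struct mbuf *m)      /* MCLGET(): data area moves to a cluster */
{
    if ((m->m_ext = malloc(MCLBYTES)) == NULL) abort();
    memset(m->m_ext, 0xAA, MCLBYTES);    /* stale bytes, as in a recycled cluster */
    m->m_data = m->m_ext; m->m_cap = MCLBYTES;
}

static void m_freem(struct mbuf *m)
{
    while (m != NULL) { struct mbuf *n = m->m_next; free(m->m_ext); free(m); m = n; }
}

/* Constructed packet: HDRLEN bytes inline, payload in cluster-sized pieces,
 * every byte holding (its offset & 0xff) so a walker can verify a copy. */
static struct mbuf *build_chain(int pktlen)
{
    struct mbuf *top = NULL, **np = &top;
    for (int pos = 0; pos < pktlen; ) {
        int want = (pos == 0) ? HDRLEN : MCLBYTES;
        struct mbuf *n = m_get();
        if (want > MLEN) m_clget(n);
        if (want > pktlen - pos) want = pktlen - pos;
        for (int i = 0; i < want; i++) n->m_data[i] = (unsigned char)(pos + i);
        n->m_len = want;
        *np = n; np = &n->m_next; pos += want;
    }
    return top;
}

/* Deep copy of a chain.  With buggy != 0 the trailing space is measured on the
 * plain mbuf before MCLGET and never re-measured, so each cluster mbuf claims
 * MLEN bytes of data although up to MCLBYTES were copied into it. */
static struct mbuf *m_dup_model(const struct mbuf *m, int buggy)
{
    struct mbuf *top = NULL, **np = &top;
    for (int off = 0; m != NULL; ) {
        struct mbuf *n = m_get();
        int avail = m->m_len - off;          /* bytes left in this source mbuf */
        int space = n->m_cap;                /* trailing space before MCLGET */
        if (avail > space) {
            m_clget(n);
            if (!buggy) space = n->m_cap;    /* correct: re-measure after MCLGET */
        }
        int copied = avail < n->m_cap ? avail : n->m_cap;
        memcpy(n->m_data, m->m_data + off, copied);
        n->m_len = avail < space ? avail : space;
        *np = n; np = &n->m_next; off += copied;
        if (off >= m->m_len) { m = m->m_next; off = 0; }
    }
    return top;
}

/* Walk pktlen bytes of a copy as m_copym0()/fragmentation would, trusting only
 * m_len.  Returns -1 where the kernel panics with "m_copym0 overrun" (chain
 * exhausted with bytes still owed) or when a byte differs from the pattern. */
static int walk_check(const struct mbuf *m, int pktlen)
{
    for (int pos = 0; pos < pktlen; m = m->m_next) {
        if (m == NULL) return -1;
        for (int i = 0; i < m->m_len && pos < pktlen; i++, pos++)
            if (m->m_data[i] != (unsigned char)pos) return -1;
    }
    return 0;
}

/* Total m_len claimed by the duplicate of a constructed pktlen-byte packet. */
static int dup_total_len(int pktlen, int buggy)
{
    struct mbuf *orig = build_chain(pktlen), *dup = m_dup_model(orig, buggy);
    int len = 0;
    for (const struct mbuf *n = dup; n != NULL; n = n->m_next) len += n->m_len;
    m_freem(orig); m_freem(dup);
    return len;
}

/* 0 if the duplicate of a pktlen-byte packet can be walked intact, else -1. */
static int dup_walks(int pktlen, int buggy)
{
    struct mbuf *orig = build_chain(pktlen), *dup = m_dup_model(orig, buggy);
    int rc = walk_check(dup, pktlen);
    m_freem(orig); m_freem(dup);
    return rc;
}

int main(void)
{   /* 8048 = 40 + 8 + 8000 bytes, the ping6 -s8000 echo from the PR */
    printf("correct: m_len %d walk %d\n", dup_total_len(8048, 0), dup_walks(8048, 0));
    printf("buggy:   m_len %d walk %d\n", dup_total_len(8048, 1), dup_walks(8048, 1));
    return 0;
}
```

The correct copy reports 8048 bytes and walks cleanly; the constructed defect reports 48 + 4*256 = 1072 bytes for the same packet, so a walker that trusts m_len exhausts the chain with bytes still owed, which is the condition behind the "m_copym0 overrun" panic in the sparc64 trace. A packet small enough that no piece needs a cluster is unaffected, which matches the report that an ordinary-sized ping6 does not trigger it.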
