NetBSD Problem Report #49650
From t.hash425@gmail.com Sun Feb 8 07:35:11 2015
Return-Path: <t.hash425@gmail.com>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id BF4CAA5B2E
for <gnats-bugs@gnats.netbsd.org>; Sun, 8 Feb 2015 07:35:11 +0000 (UTC)
Message-Id: <54D70A5E.3020906@gmail.com>
Date: Sun, 08 Feb 2015 16:03:58 +0900
From: Takahiro HAYASHI <t.hash425@gmail.com>
To: gnats-bugs@gnats.NetBSD.org
Subject: ping6 -mns8000 ::1 kills kernel
>Number: 49650
>Category: kern
>Synopsis: ping6 -mns8000 ::1 kills kernel
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Feb 08 07:40:00 +0000 2015
>Closed-Date: Thu Apr 23 05:36:03 +0000 2015
>Last-Modified: Thu Apr 23 05:36:03 +0000 2015
>Originator: Takahiro HAYASHI
>Release: NetBSD 7.99.4 (GENERIC.201502071120Z from nyftp)
>Organization:
>Environment:
System: NetBSD 7.99.4 amd64
Architecture: x86_64
Machine: amd64
>Description:
"ping6 -mns8000 ::1" kills kernel.
This happens on current and netbsd-7 kernel.
# ifconfig lo0 127.0.0.1
# ping6 -mns8000 ::1
PING6(8048=40+8+8000 bytes) ::1 --> ::1
WARNING: mclpool limit reached; increase kern.mbuf.nmbclusters
fatal protection fault in supervisor mode
trap type 4 code 0 rip ffffffff802884f5 cs 8 rflags 10206 cr2 0 ilevel 4 rsp fffffe8002ef7ca0
curlwp 0xfffffe803f36d420 pid 0.3 lowest kstack 0xfffffe8002ef42c0
kernel: protection fault trap, code=0
Stopped in pid 0.3 (system) at netbsd:cpu_in_cksum+0xa5: movl 0(%rbx),%ecx
db{0}> show reg
ds 30
es 184
fs 7c98
gs 6ef1
rdi fffffe8039990e00
rsi 0
rbp 1794
rbx 8b8a898887868584
rdx 0
rcx a7a6a5a4
rax 0
r8 f297026a46
r9 0
r10 0
r11 fffffffffffffffc
r12 fffffe803eb65e00
r13 81
r14 fffffe8002ef7ce0
r15 1f48
rip ffffffff802884f5 cpu_in_cksum+0xa5
cs 8
rflags 10206
rsp fffffe8002ef7ca0
ss 10
netbsd:cpu_in_cksum+0xa5: movl 0(%rbx),%ecx
db{0}> trace
cpu_in_cksum() at netbsd:cpu_in_cksum+0xa5
fatal page fault in supervisor mode
trap type 6 code 0 rip ffffffff802ac3f0 cs 8 rflags 10246 cr2 179c ilevel 8 rsp fffffe8002ef7098
curlwp 0xfffffe803f36d420 pid 0.3 lowest kstack 0xfffffe8002ef42c0
kernel: page fault trap, code=0
Faulted in DDB; continuing...
db{0}>
>How-To-Repeat:
ifconfig lo0 127.0.0.1 (also ipv6 address is configured), and
then run "ping6 -mns8000 ::1"
>Fix:
no idea.
--
t-hash
>Release-Note:
>Audit-Trail:
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org
Subject: Re: kern/49650: ping6 -mns8000 ::1 kills kernel
Date: Sun, 8 Feb 2015 11:52:27 +0100
FWIW, I can not reproduce it on arm or hppa.
Martin
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: kern/49650: ping6 -mns8000 ::1 kills kernel
Date: Sun, 8 Feb 2015 12:07:31 +0100
On sparc64 I can reproduce it:
PING6(8048=40+8+8000 bytes) ::1 --> ::1
panic: m_copym0 overrun 492 -1802135913
Stopped in pid 0.3 (system) at netbsd:cpu_Debugger+0x4: nop
db{0}> bt
db{0}> mach stack
Window 0 frame64 0x1b02633c0 locals, ins:
1 1818b60 18196b0 17aed08 17aed40 ffffffffffffffff a 2
1827a90 1b02635b8 1cd6c00 1cd7f20 1cd8000 104 1b0262c71=sp 14668e4=pc:netbsd:panic+0x24
Window 1 frame64 0x1b0263470 locals, ins:
4482000603 0 ffffffffffffffff 1 e0048000 ffffffffffffffff a 2
1827a90 1ec ffffffff94959697 1 1c95800 103b454a0 1b0262d31=sp 150aab0=pc:netbsd:m_copym0+0x450
Window 2 frame64 0x1b0263530 locals, ins:
1ec 1ce0000 0 9000001 fffffe 7ff6 0 1194addb0
1173a5630 4f8 0 1 0 1194adcb0 1b0262df1=sp 124a700=pc:netbsd:ip6_output+0x1580
Window 3 frame64 0x1b02635f0 locals, ins:
1cb5c00 10477c008 104accd68 1f70 1173a4898 10499d4e8 104accd10 0
0 3a 28 4f8 4d0 1b0263788 1b0263021=sp 117e6b8=pc:netbsd:icmp6_reflect+0x1f8
Window 4 frame64 0x1b0263820 locals, ins:
1f48 0 0 9000001 fffffe 7ff6 0 1173a4c30
104accd10 1b0263900 81 104accd70 104accd80 104accd68 1b0263161=sp 1180588=pc:netbsd:icmp6_input+0xee8
Window 5 frame64 0x1b0263960 locals, ins:
80 30 1050f0824 0 1cb1000 0 0 28
28 1b0263bc4 1f48 104acca10 103b4d200 104acd410 1b0263311=sp 1243178=pc:netbsd:ip6_input+0x7f8
and this corresponds to the following source lines:
    /*
     * To avoid a "too big" situation at an intermediate router
     * and the path MTU discovery process, specify the IPV6_MINMTU flag.
     * Note that only echo and node information replies are affected,
     * since the length of ICMP6 errors is limited to the minimum MTU.
     */
    if (ip6_output(m, NULL, NULL, IPV6_MINMTU, NULL, NULL, &outif) != 0 &&
        outif)
        icmp6_ifstat_inc(outif, ifs6_out_error);
    if (outif)
        icmp6_ifoutstat_inc(outif, type, code);
in icmp6.c:icmp6_reflect.
Martin
State-Changed-From-To: open->analyzed
State-Changed-By: mlelstv@NetBSD.org
State-Changed-When: Sun, 08 Feb 2015 22:17:30 +0000
State-Changed-Why:
From: Takahiro HAYASHI <t.hash425@gmail.com>
To: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org,
gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc:
Subject: Re: kern/49650: ping6 -mns8000 ::1 kills kernel
Date: Mon, 09 Feb 2015 19:00:01 +0900
In article https://mail-index.netbsd.org/source-changes/2015/02/08/msg062994.html
> Log Message:
> Correct m_len calculation for m_dup() with mbuf clusters.
> Fixes kern/49650.
Thank you for fixing the problem.
My {HEAD,netbsd-7}/{amd64,i386} and netbsd-7/evbarm-earmv6hf for RPI kernel
with this patch survive after ping6.
--
t-hash
State-Changed-From-To: analyzed->closed
State-Changed-By: snj@NetBSD.org
State-Changed-When: Thu, 23 Apr 2015 05:36:03 +0000
State-Changed-Why:
mlelstv fixed this in revision 1.161 of sys/kern/uipc_mbuf.c, and it was
pulled up to netbsd-7 in ticket 501.
>Unformatted:
The panics were caused by mbufs corrupted by wrong length calculation
in m_dup().
Fixed in sys/kern/uipc_mbuf.c 1.161.
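
The closing note attributes the panics to a wrong length calculation in m_dup(). As an added illustration (a simplified user-space model, not NetBSD's uipc_mbuf.c code and not the r1.161 change), the following shows the invariant a deep chain copy has to keep: each new segment's length is taken from the space actually obtained, including when the allocator falls back to a smaller buffer. Assumptions: struct seg, seg_get(), chain_dup() and demo() are hypothetical names, the 64/2048 sizes and the 8000-byte payload are constructed, and the pool-exhaustion fallback is modelled on the "mclpool limit reached" warning in the report rather than on the actual fix.

```c
#include <stdlib.h>
#include <string.h>

#define SMALL_CAP   64    /* stand-in for a plain mbuf's data area */
#define CLUSTER_CAP 2048  /* stand-in for an mbuf cluster */
struct seg {              /* toy analogue of struct mbuf (hypothetical) */
    struct seg *next;
    size_t cap, len;      /* real capacity vs. bytes in use (m_len) */
    unsigned char *data;
};
static int clusters_left; /* models an exhaustible cluster pool */
/* Allocate a segment; falls back to SMALL_CAP when the pool is empty. */
static struct seg *seg_get(void) {
    struct seg *s = calloc(1, sizeof(*s));
    if (s == NULL) return NULL;
    s->cap = clusters_left > 0 ? (clusters_left--, CLUSTER_CAP) : SMALL_CAP;
    if ((s->data = malloc(s->cap)) == NULL) { free(s); return NULL; }
    return s;
}
static void chain_free(struct seg *c) {
    while (c) { struct seg *n = c->next; free(c->data); free(c); c = n; }
}
/* Deep copy: len comes from the space actually obtained, never assumed. */
static struct seg *chain_dup(const struct seg *m) {
    struct seg *head = NULL, **tail = &head;
    for (size_t off = 0; m != NULL; ) {
        if (off == m->len) { m = m->next; off = 0; continue; }
        struct seg *n = seg_get();
        if (n == NULL) { chain_free(head); return NULL; }
        size_t want = m->len - off;
        n->len = want < n->cap ? want : n->cap;  /* clamp to real capacity */
        memcpy(n->data, m->data + off, n->len);
        *tail = n; tail = &n->next; off += n->len;
    }
    return head;
}
/* Copy a constructed 8000-byte payload; segment count, or -1 on any defect. */
static int demo(int clusters) {
    static unsigned char buf[8000];
    for (size_t i = 0; i < sizeof(buf); i++) buf[i] = (unsigned char)i;
    struct seg src = { NULL, sizeof(buf), sizeof(buf), buf };
    clusters_left = clusters;
    struct seg *c = chain_dup(&src);
    size_t done = 0; int count = 0, ok = (c != NULL);
    for (struct seg *s = c; s != NULL; done += s->len, s = s->next, count++)
        if (s->len > s->cap || memcmp(s->data, buf + done, s->len) != 0) ok = 0;
    chain_free(c);
    return (ok && done == sizeof(buf)) ? count : -1;
}
int main(void) { return demo(1) == 94 ? 0 : 1; }
```

With one cluster available the copy ends up as one 2048-byte segment followed by 64-byte segments; a length computed before the allocation result is known would instead record 2048 bytes for buffers that hold 64.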