Date:      Sun, 15 Apr 2007 23:40:01 -0400
From:      Kris Kennaway <kris@obsecurity.org>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        current@FreeBSD.org, net@FreeBSD.org
Subject:   Re: GPF in ether_output -> m_tag_locate
Message-ID:  <20070416034001.GA32090@xor.obsecurity.org>
In-Reply-To: <20070416033047.GA31857@xor.obsecurity.org>
References:  <20070416033047.GA31857@xor.obsecurity.org>



On Sun, Apr 15, 2007 at 11:30:47PM -0400, Kris Kennaway wrote:
> On an 8-core amd64 running up-to-date CVS sources:
>
> > Fatal trap 9: general protection fault while in kernel mode
> > cpuid = 7; apic id = 07
> > instruction pointer     = 0x8:0xffffffff802a7800
> > stack pointer           = 0x10:0xffffffffabc61960
> > frame pointer           = 0x10:0xffffffffabc61970
> > code segment            = base 0x0, limit 0xfffff, type 0x1b
> >                         = DPL 0, pres 1, long 1, def32 0, gran 1
> > processor eflags        = interrupt enabled, resume, IOPL = 0
> > current process         = 19 (swi4: clock sio)
> > Tracing pid 19 tid 100005 td 0xffffff00b9a7f000
> > m_tag_locate() at m_tag_locate+0x20
> > ether_output() at ether_output+0x2ec
> > ip_output() at ip_output+0x9b5
> > udp_output() at udp_output+0x594
> > udp_send() at udp_send+0x1c
> > nfs_timer() at nfs_timer+0x7de
> > softclock() at softclock+0x319
> > ithread_execute_handlers() at ithread_execute_handlers+0x15d
> > ithread_loop() at ithread_loop+0x69
> > fork_exit() at fork_exit+0x93
> > fork_trampoline() at fork_trampoline+0xe
> > --- trap 0, rip = 0, rsp = 0xffffffffabc61d30, rbp = 0 ---

#9  0xffffffff802a7800 in m_tag_locate (m=0xffffff0033956a00, cookie=0, type=21, t=0x5f73736e0e000000) at ../../../kern/uipc_mbuf2.c:393
        p = (struct m_tag *) 0x5f73736e0e000000
#10 0xffffffff802ed9dc in ether_output (ifp=0xffffff0000900800, m=0xffffff0033956a00, dst=0xffffffffabc61a38, rt0=0x0) at mbuf.h:950
        type = 8
        error = 865430226
        hdrcmplt = 0
        esrc = "\000\b\220\000\000\377"
        edst = "\000\002\263\027>\021"
        eh = (struct ether_header *) 0xffffff0033956ad2
        loop_copy = 1
#11 0xffffffff80304345 in ip_output (m=0xffffff0033956a00, opt=0x0, ro=0xffffffffabc61a30, flags=0, imo=0x0, inp=0xffffff00152a9e38)
    at ../../../netinet/ip_output.c:561
        ip = (struct ip *) 0xffffff0033956ae0
        ifp = (struct ifnet *) 0xffffff0000900800
        m0 = (struct mbuf *) 0x0
        hlen = 20
        mtu = 1500
        len = 0
        error = 0
        dst = (struct sockaddr_in *) 0xffffffffabc61a38
        ia = (struct in_ifaddr *) 0xffffff001583e600
        isbroadcast = 234881024
        sw_csum = 0
        iproute = {ro_rt = 0xffffff00949320f0, ro_dst = {sa_len = 16 '\020', sa_family = 2 '\002', sa_data = "\000\000\314\230\277\342\000\000\000\000\000\000\000"}}
        odst = {s_addr = 0}
#12 0xffffffff80317c24 in udp_output (inp=0xffffff00152a9e38, m=0xffffff0033956a00, addr=0x0, control=0xffffff0033956ae0, td=0xffffff00b9a7f000)
    at ../../../netinet/udp_usrreq.c:934
        ui = (struct udpiphdr *) 0xffffff0033956ae0
        len = 0
        faddr = {s_addr = 3804207308}
        laddr = {s_addr = 3871316172}
        cm = (struct cmsghdr *) 0x0
        src = {sin_len = 0 '\0', sin_family = 0 '\0', sin_port = 22405, sin_addr = {s_addr = 4294967040}, sin_zero = "\001\000\000\000\000\000\000"}
        error = 55
        ipflags = 0
        fport = 264
        lport = 4355
        unlock_udbinfo = 0
#13 0xffffffff8031874c in udp_send (so=0xffffff0033956a00, flags=0, m=0x0, addr=0x0, control=0x5f73736e0e000000, td=0xffffff00152a9e38)
    at ../../../netinet/udp_usrreq.c:1116
        inp = (struct inpcb *) 0xffffff0033956a00
#14 0xffffffff8032ff8e in nfs_timer (arg=0xffffff0033956a00) at pcpu.h:168
        rep = (struct nfsreq *) 0xffffff0008250600
        m = (struct mbuf *) 0xffffff0057854a00
        so = (struct socket *) 0xffffff00157d7bb8
        nmp = (struct nfsmount *) 0xffffff001575f000
        timeo = 234881024
        error = 1468353024
        now = {tv_sec = 89409, tv_usec = 181305}

