From owner-freebsd-current@FreeBSD.ORG  Sat Jan 10 15:15:20 2004
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 16E4116A4CE
	for <freebsd-current@freebsd.org>;
	Sat, 10 Jan 2004 15:15:20 -0800 (PST)
Received: from mailtoaster1.pipeline.ch (mailtoaster1.pipeline.ch
	[62.48.0.70])	by mx1.FreeBSD.org (Postfix) with ESMTP id BB86343D2F
	for <freebsd-current@freebsd.org>;
	Sat, 10 Jan 2004 15:15:17 -0800 (PST)
	(envelope-from andre@freebsd.org)
Received: (qmail 47577 invoked from network); 10 Jan 2004 23:15:16 -0000
Received: from unknown (HELO freebsd.org) ([62.48.0.54])
          (envelope-sender <andre@freebsd.org>)
          by mailtoaster1.pipeline.ch (qmail-ldap-1.03) with SMTP
          for <dgilbert@dclg.ca>; 10 Jan 2004 23:15:16 -0000
Message-ID: <40008783.330FAFF4@freebsd.org>
Date: Sun, 11 Jan 2004 00:15:15 +0100
From: Andre Oppermann <andre@freebsd.org>
X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: David Gilbert <dgilbert@dclg.ca>
References: <16384.14322.83258.940369@canoe.dclg.ca>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: freebsd-net@freebsd.org
cc: freebsd-current@freebsd.org
Subject: Re: off-by-one error in ip_fragment, recently.
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Jan 2004 23:15:20 -0000

David Gilbert wrote:
> 
> I just updated a machine that uses GRE to -CURRENT.  Upon rebooting,
> the debugger stopped at the following:
> 
> "panic: m_copym, offset > size of mbuf chain"

There are two possible ways this can happen:  The function m_copym
was called with off == 0, or off == m->m_len.  Neither is supposed
to happen (obviously) so the bug must be in ip_fragment.  Lets have
a look at that next...

> panic()
> m_copym()
> ip_fragment()
> ip_output()
> gre_output()
> ip_output()
> udp_output()
> upd_send()
> sosend()
> kern_sendit()
> sendit()
> sendto()
> syscall()
> xint0x80_syscall()
> 
> ... now I'm not sure that the error is perfectly technically
> off-by-one, but its something similar.

Is this panic reproduceable?  What kind of traffic was going on
at that time?  Or was it right away when you started using the
GRE tunnel?

Could you please open a PR with this information too?  It helps
keeping track of the progress.

-- 
Andre