From owner-freebsd-bugs@FreeBSD.ORG Sun Jan 11 12:00:40 2004
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E580D16A4D0 for ; Sun, 11 Jan 2004 12:00:39 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6279243D41 for ; Sun, 11 Jan 2004 12:00:37 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) i0BK0bFR070740 for ; Sun, 11 Jan 2004 12:00:37 -0800 (PST) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.10/8.12.10/Submit) id i0BK0bhf070739; Sun, 11 Jan 2004 12:00:37 -0800 (PST) (envelope-from gnats)
Resent-Date: Sun, 11 Jan 2004 12:00:37 -0800 (PST)
Resent-Message-Id: <200401112000.i0BK0bhf070739@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, David Gilbert
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A0B1816A4CE for ; Sun, 11 Jan 2004 11:59:48 -0800 (PST)
Received: from sizone.org (mortar.sizone.org [65.126.154.242]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2281543D2F for ; Sun, 11 Jan 2004 11:59:47 -0800 (PST) (envelope-from dgilbert@daveg.ca)
Received: by sizone.org (Postfix, from userid 66) id 553B0307C6; Sun, 11 Jan 2004 14:59:46 -0500 (EST)
Received: by canoe.dclg.ca (Postfix, from userid 101) id 0AB1A1D1FB8; Sun, 11 Jan 2004 14:59:44 -0500 (EST)
Message-Id: <20040111195944.0AB1A1D1FB8@canoe.dclg.ca>
Date: Sun, 11 Jan 2004 14:59:44 -0500 (EST)
From: David Gilbert
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/61215: off-by-one error likely in ip_fragment()
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: David Gilbert
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 11 Jan 2004 20:00:40 -0000

>Number:         61215
>Category:       kern
>Synopsis:       off-by-one error likely in ip_fragment()
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 11 12:00:36 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     David Gilbert
>Release:        FreeBSD 5.2-CURRENT i386
>Organization:
DaveG.ca
>Environment:
System: FreeBSD canoe.dclg.ca 5.2-CURRENT FreeBSD 5.2-CURRENT #3: Fri Jan 2 13:57:59 EST 2004 dgilbert@canoe.dclg.ca:/usr/src/sys/i386/compile/CANOE i386

As above, but the problem machine was cvsup'd on the 9th.
>Description:
It would appear that GRE calling ip_fragment() is leading to an immediate crash. The machine in question crashes dependably during boot. The following is the backtrace:

panic messages:
---
panic: m_copym, offset > size of mbuf chain

#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:240
#1  0xc0508512 in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:372
#2  0xc0508868 in panic () at /usr/src/sys/kern/kern_shutdown.c:550
#3  0xc0544fa5 in m_copym (m=0x0, off0=1500, len=1480, wait=4) at /usr/src/sys/kern/uipc_mbuf.c:211
#4  0xc059b941 in ip_fragment (ip=0xc1e919e8, m_frag=0xdf92c9e0, mtu=-1041688000, if_hwassist_flags=0, sw_csum=1) at /usr/src/sys/netinet/ip_output.c:1219
#5  0xc059b55f in ip_output (m0=0x1, opt=0xc1e919e8, ro=0xc5f8edfc, flags=0, imo=0x0, inp=0x0) at /usr/src/sys/netinet/ip_output.c:1047
#6  0xc611054f in gre_output (ifp=0xc5f8ec00, m=0xc1e91900, dst=0xc1e919e8, rt=0xc612ce00) at /usr/src/sys/net/if_gre.c:372
#7  0xc059b4f0 in ip_output (m0=0x1, opt=0xc2b2a00e, ro=0xdf92cb7c, flags=1, imo=0x0, inp=0x0) at /usr/src/sys/netinet/ip_output.c:1021
#8  0xc059a3c6 in ip_forward (m=0xc1e8bb00, srcrt=0, next_hop=0x0) at /usr/src/sys/netinet/ip_input.c:1929
#9  0xc0598db0 in ip_input (m=0xc1e8bb00) at /usr/src/sys/netinet/ip_input.c:739
#10 0xc057bc7e in netisr_processqueue (ni=0xc074a718) at /usr/src/sys/net/netisr.c:152
#11 0xc057c093 in swi_net (dummy=0x0) at /usr/src/sys/net/netisr.c:257
#12 0xc04f5112 in ithread_loop (arg=0xc1e74500) at /usr/src/sys/kern/kern_intr.c:544
#13 0xc04f4104 in fork_exit (callout=0xc04f4f80 , arg=0x0, frame=0x0) at /usr/src/sys/kern/kern_fork.c:796
>How-To-Repeat:
Configure an if_gre tunnel over an ethernet link. I haven't confirmed yet whether the cause depends on the machine in question being a router ... but it would most certainly influence it.
>Fix:
None yet. I have some thoughts. It looks like there's some stack corruption. In frame 4, mtu=-1041688000 and m = 0x0 in frame 3. Some values make sense and others do not.

Dave.
>Release-Note:
>Audit-Trail:
>Unformatted:
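As an added illustration that is not part of David Gilbert's report or of FreeBSD's source, the following C program models the fragment loop in ip_fragment() together with the bounds check that the panic message "m_copym, offset > size of mbuf chain" expresses. The 20-byte IP header, the 2960-byte sample payload and the helper names are assumptions; feeding it the off0=1500, len=1480 pair from frame #3 shows how that request relates to the check.

```c
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not FreeBSD's ip_fragment()/m_copym(): a simplified
 * model of the fragment loop and of the bounds check whose failure produces
 * "m_copym, offset > size of mbuf chain". Assumes a 20-byte IP header. */
#define IP_HDR_LEN 20

struct frag { size_t off; size_t len; };   /* one planned fragment copy */

/* A copy of len bytes at off must lie inside a chain of chain_len bytes;
 * an offset at or past the end of the chain is what m_copym() panics on. */
static int copy_in_bounds(size_t chain_len, size_t off, size_t len)
{
    return len > 0 && off < chain_len && len <= chain_len - off;
}

/* Plan the (off, len) copies for payload_len bytes at the given mtu. The
 * per-fragment payload is the largest multiple of 8 that fits after the
 * header, as in the kernel's (mtu - hlen) & ~7. Returns the fragment
 * count, or -1 if the mtu is unusable or a copy would leave the chain. */
static int plan_fragments(size_t payload_len, size_t mtu,
                          struct frag *out, size_t max)
{
    if (mtu < IP_HDR_LEN + 8) return -1;   /* no room for any fragment */
    size_t flen = (mtu - IP_HDR_LEN) & ~(size_t)7, n = 0;
    for (size_t off = 0; off < payload_len; off += flen) {
        size_t len = payload_len - off < flen ? payload_len - off : flen;
        if (n >= max || !copy_in_bounds(payload_len, off, len))
            return -1;
        out[n].off = off;
        out[n].len = len;
        n++;
    }
    return (int)n;
}

int main(void)
{
    struct frag f[8];
    int n = plan_fragments(2960, 1500, f, 8);   /* constructed sample */
    for (int i = 0; i < n; i++)
        printf("fragment %d: off=%zu len=%zu\n", i, f[i].off, f[i].len);
    /* The request in frame #3 (off0=1500, len=1480) against that same
     * 2960-byte chain would extend past its end. */
    printf("off0=1500 len=1480 fits a 2960-byte chain: %d\n",
           copy_in_bounds(2960, 1500, 1480));
    return 0;
}
```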