Date: Sun, 15 Apr 2007 21:37:41 -0700
From: "Kip Macy" <kip.macy@gmail.com>
To: "Kris Kennaway" <kris@obsecurity.org>
Cc: current@freebsd.org, net@freebsd.org
Subject: Re: GPF in ether_output -> m_tag_locate
Message-ID: <b1fa29170704152137j4a84d32crdb82d888b8e19923@mail.gmail.com>
In-Reply-To: <20070416034001.GA32090@xor.obsecurity.org>
References: <20070416033047.GA31857@xor.obsecurity.org> <20070416034001.GA32090@xor.obsecurity.org>
Please print out the mbuf's m_hdr and pkthdr.

-Kip

On 4/15/07, Kris Kennaway <kris@obsecurity.org> wrote:
> On Sun, Apr 15, 2007 at 11:30:47PM -0400, Kris Kennaway wrote:
> > On an 8-core amd64 running up-to-date CVS sources:
> >
> > > Fatal trap 9: general protection fault while in kernel mode
> > > cpuid = 7; apic id = 07
> > > instruction pointer     = 0x8:0xffffffff802a7800
> > > stack pointer           = 0x10:0xffffffffabc61960
> > > frame pointer           = 0x10:0xffffffffabc61970
> > > code segment            = base 0x0, limit 0xfffff, type 0x1b
> > >                         = DPL 0, pres 1, long 1, def32 0, gran 1
> > > processor eflags        = interrupt enabled, resume, IOPL = 0
> > > current process         = 19 (swi4: clock sio)
> > > Tracing pid 19 tid 100005 td 0xffffff00b9a7f000
> > > m_tag_locate() at m_tag_locate+0x20
> > > ether_output() at ether_output+0x2ec
> > > ip_output() at ip_output+0x9b5
> > > udp_output() at udp_output+0x594
> > > udp_send() at udp_send+0x1c
> > > nfs_timer() at nfs_timer+0x7de
> > > softclock() at softclock+0x319
> > > ithread_execute_handlers() at ithread_execute_handlers+0x15d
> > > ithread_loop() at ithread_loop+0x69
> > > fork_exit() at fork_exit+0x93
> > > fork_trampoline() at fork_trampoline+0xe
> > > --- trap 0, rip = 0, rsp = 0xffffffffabc61d30, rbp = 0 ---
>
> #9  0xffffffff802a7800 in m_tag_locate (m=0xffffff0033956a00, cookie=0, type=21, t=0x5f73736e0e000000) at ../../../kern/uipc_mbuf2.c:393
>         p = (struct m_tag *) 0x5f73736e0e000000
> #10 0xffffffff802ed9dc in ether_output (ifp=0xffffff0000900800, m=0xffffff0033956a00, dst=0xffffffffabc61a38, rt0=0x0) at mbuf.h:950
>         type = 8
>         error = 865430226
>         hdrcmplt = 0
>         esrc = "\000\b\220\000\000=FF"
>         edst = "\000\002=B3\027>\021"
>         eh = (struct ether_header *) 0xffffff0033956ad2
>         loop_copy = 1
> #11 0xffffffff80304345 in ip_output (m=0xffffff0033956a00, opt=0x0, ro=0xffffffffabc61a30, flags=0, imo=0x0, inp=0xffffff00152a9e38)
>     at ../../../netinet/ip_output.c:561
>         ip = (struct ip *) 0xffffff0033956ae0
>         ifp = (struct ifnet *) 0xffffff0000900800
>         m0 = (struct mbuf *) 0x0
>         hlen = 20
>         mtu = 1500
>         len = 0
>         error = 0
>         dst = (struct sockaddr_in *) 0xffffffffabc61a38
>         ia = (struct in_ifaddr *) 0xffffff001583e600
>         isbroadcast = 234881024
>         sw_csum = 0
>         iproute = {ro_rt = 0xffffff00949320f0, ro_dst = {sa_len = 16 '\020', sa_family = 2 '\002', sa_data = "\000\000=CC\230=BF=E2\000\000\000\000\000\000\000"}}
>         odst = {s_addr = 0}
> #12 0xffffffff80317c24 in udp_output (inp=0xffffff00152a9e38, m=0xffffff0033956a00, addr=0x0, control=0xffffff0033956ae0, td=0xffffff00b9a7f000)
>     at ../../../netinet/udp_usrreq.c:934
>         ui = (struct udpiphdr *) 0xffffff0033956ae0
>         len = 0
>         faddr = {s_addr = 3804207308}
>         laddr = {s_addr = 3871316172}
>         cm = (struct cmsghdr *) 0x0
>         src = {sin_len = 0 '\0', sin_family = 0 '\0', sin_port = 22405, sin_addr = {s_addr = 4294967040}, sin_zero = "\001\000\000\000\000\000\000"}
>         error = 55
>         ipflags = 0
>         fport = 264
>         lport = 4355
>         unlock_udbinfo = 0
> #13 0xffffffff8031874c in udp_send (so=0xffffff0033956a00, flags=0, m=0x0, addr=0x0, control=0x5f73736e0e000000, td=0xffffff00152a9e38)
>     at ../../../netinet/udp_usrreq.c:1116
>         inp = (struct inpcb *) 0xffffff0033956a00
> #14 0xffffffff8032ff8e in nfs_timer (arg=0xffffff0033956a00) at pcpu.h:168
>         rep = (struct nfsreq *) 0xffffff0008250600
>         m = (struct mbuf *) 0xffffff0057854a00
>         so = (struct socket *) 0xffffff00157d7bb8
>         nmp = (struct nfsmount *) 0xffffff001575f000
>         timeo = 234881024
>         error = 1468353024
>         now = {tv_sec = 89409, tv_usec = 181305}
>