Date: Sun, 3 Dec 1995 22:19:27 +0200
From: Heikki Suonsivu <hsu@clinet.fi>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/862: more access to freed mbufs
Message-ID: <199512032019.WAA11147@katiska.clinet.fi>
Resent-Message-ID: <199512032020.MAA21037@freefall.freebsd.org>
>Number: 862
>Category: kern
>Synopsis: more access to freed mbufs
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Dec 3 12:20:04 PST 1995
>Last-Modified:
>Originator: Heikki Suonsivu
>Organization: Clinet, Espoo, Finland
>Release: FreeBSD 2.2-CURRENT i386
>Environment:

Dec 3 19:02:20 katiska /kernel: FreeBSD 2.2-CURRENT #2: Sun Nov 26 06:35:44 EET 1995
Dec 3 19:02:20 katiska /kernel: hsu@katiska.clinet.fi:/usr/current/src/sys/compile/CLINETSERVER
Dec 3 19:02:20 katiska /kernel: CPU: 90-MHz Pentium 735\90 (Pentium-class CPU)
Dec 3 19:02:20 katiska /kernel: Origin = "GenuineIntel" Id = 0x524 Stepping=4
Dec 3 19:02:20 katiska /kernel: Features=0x1bf<FPU,VME,PSE,MCE,CX8,APIC>
Dec 3 19:02:19 katiska /kernel: real memory = 67108864 (65536K bytes)
Dec 3 19:02:19 katiska /kernel: avail memory = 62394368 (60932K bytes)
Dec 3 19:02:19 katiska /kernel: Probing for devices on the ISA bus:
Dec 3 19:02:19 katiska /kernel: vt0 at 0x60-0x6f irq 1 on motherboard
Dec 3 19:02:19 katiska /kernel: vt0: tvga 8900cl, 80/132 col, mono, 8 scr, mf2-kbd, [R3.20-b24]
Dec 3 19:02:19 katiska /kernel: ed0 at 0x280-0x29f irq 5 maddr 0xd8000 msize 16384 on isa
Dec 3 19:02:20 katiska /kernel: ed0: address 00:00:c0:cd:b9:a3, type WD8013EPC (16 bit)
Dec 3 19:02:20 katiska /kernel: lpt0 at 0x378-0x37f irq 7 on isa
Dec 3 19:02:20 katiska /kernel: lpt0: Interrupt-driven port
Dec 3 19:02:20 katiska /kernel: lp0: TCP/IP capable interface
Dec 3 19:02:20 katiska /kernel: lpt1 not found at 0xffffffff
Dec 3 19:02:20 katiska /kernel: lpt2 not found at 0xffffffff
Dec 3 19:02:20 katiska /kernel: sio0 at 0x3f8-0x3ff irq 4 on isa
Dec 3 19:02:20 katiska /kernel: sio0: type 16550A
Dec 3 19:02:20 katiska /kernel: sio1 at 0x2f8-0x2ff irq 3 on isa
Dec 3 19:02:20 katiska /kernel: sio1: type 16550A
Dec 3 19:02:20 katiska /kernel: sio2 not found at 0x3e8
Dec 3 19:02:20 katiska /kernel: sio3 not found at 0x2e8
Dec 3 19:02:20 katiska /kernel: pca0 on isa
Dec 3 19:02:20 katiska /kernel: pca0: PC speaker audio driver
Dec 3 19:02:20 katiska /kernel: bt0 not found at 0x330
Dec 3 19:02:20 katiska /kernel: aha0 not found at 0x330
Dec 3 19:02:20 katiska /kernel: wdc0 not found at 0x1f0
Dec 3 19:02:20 katiska /kernel: fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
Dec 3 19:02:20 katiska /kernel: fdc0: NEC 72065B
Dec 3 19:02:20 katiska /kernel: fd0: 1.44MB 3.5in
Dec 3 19:02:21 katiska /kernel: mcd0: timeout getting status
Dec 3 19:02:21 katiska /kernel: mcd0 not found at 0x300
Dec 3 19:02:21 katiska /kernel: npx0 on motherboard
Dec 3 19:02:21 katiska /kernel: npx0: INT 16 interface
Dec 3 19:02:21 katiska /kernel: matcdc0 not found at 0xffffffff
Dec 3 19:02:21 katiska /kernel: matcdc1 not found at 0xffffffff
Dec 3 19:02:21 katiska /kernel: matcdc2 not found at 0xffffffff
Dec 3 19:02:21 katiska /kernel: matcdc3 not found at 0xffffffff
Dec 3 19:02:21 katiska /kernel: Probing for devices on the PCI bus:
Dec 3 19:02:21 katiska /kernel: chip0 <Intel 82434NX (Neptune) PCI cache memory controller> rev 17 on pci0:0
Dec 3 19:02:21 katiska /kernel: chip1 <Intel 82378IB PCI-ISA bridge> rev 67 on pci0:2
Dec 3 19:02:21 katiska /kernel: ncr0 <ncr 53c810 scsi> rev 2 int a irq 9 on pci0:12
Dec 3 19:02:21 katiska /kernel: ncr0 waiting for scsi devices to settle
Dec 3 19:02:21 katiska /kernel: (ncr0:0:0): "SEAGATE ST15230N 0298" type 0 fixed SCSI 2
Dec 3 19:02:21 katiska /kernel: sd0(ncr0:0:0): Direct-Access
Dec 3 19:02:21 katiska /kernel: sd0(ncr0:0:0): FAST SCSI-2 100ns (10 Mb/sec) offset 8.
Dec 3 19:02:21 katiska /kernel: 4095MB (8386733 512 byte sectors)
Dec 3 19:02:21 katiska /kernel: sd0(ncr0:0:0): with 3992 cyls, 19 heads, and an average 110 sectors/track
Dec 3 19:02:21 katiska /kernel: (ncr0:3:0): "SEAGATE ST31200N 9348" type 0 fixed SCSI 2
Dec 3 19:02:22 katiska /kernel: sd3(ncr0:3:0): Direct-Access
Dec 3 19:02:22 katiska /kernel: sd3(ncr0:3:0): FAST SCSI-2 100ns (10 Mb/sec) offset 8.
Dec 3 19:02:22 katiska /kernel: 1011MB (2072435 512 byte sectors)
Dec 3 19:02:22 katiska /kernel: sd3(ncr0:3:0): with 2700 cyls, 9 heads, and an average 85 sectors/track
Dec 3 19:02:22 katiska /kernel: (ncr0:4:0): "HP C1533A 9503" type 1 removable SCSI 2
Dec 3 19:02:22 katiska /kernel: st4(ncr0:4:0): Sequential-Access
Dec 3 19:02:22 katiska /kernel: st4(ncr0:4:0): FAST SCSI-2 100ns (10 Mb/sec) offset 8.
Dec 3 19:02:22 katiska /kernel: density code 0x24, variable blocks, write-enabled
Dec 3 19:02:22 katiska /kernel: ncr1 <ncr 53c810 scsi> rev 1 int a irq 9 on pci0:14
Dec 3 19:02:22 katiska /kernel: ncr1 waiting for scsi devices to settle
Dec 3 19:02:22 katiska /kernel: (ncr1:3:0): "SEAGATE ST15230N 0168" type 0 fixed SCSI 2
Dec 3 19:02:22 katiska /kernel: sd7(ncr1:3:0): Direct-Access
Dec 3 19:02:22 katiska /kernel: sd7(ncr1:3:0): FAST SCSI-2 100ns (10 Mb/sec) offset 8.
Dec 3 19:02:22 katiska /kernel: 4095MB (8386733 512 byte sectors)
Dec 3 19:02:22 katiska /kernel: sd7(ncr1:3:0): with 3992 cyls, 19 heads, and an average 110 sectors/track
Dec 3 19:02:22 katiska /kernel: changing root device to sd0a
Dec 3 19:02:22 katiska /kernel: new masks: bio c0000240, tty c00300ba, net c00300ba
Dec 3 19:02:22 katiska /kernel: WARNING: / was not properly dismounted.

Runs news, httpd and users. innd has been compiled with mmap on.

>Description:

Self-explanatory; crash dumps are available as ftp://clinet.fi/pub/FreeBSD/crashdumps/*.36.gz

Current directory is /m/katiska/news/crash/
Reading symbol data from /m/katiska/news/crash/kernel.36...done.
IdlePTD 26d000
panic: m_copydata
current pcb at 21bd44
Reading in symbols for ../../i386/i386/machdep.c...done.
(kgdb) bt
#0 boot (howto=256) (../../i386/i386/machdep.c line 925)
#1 0xf0115367 in panic (...)
#2 0xf0120b21 in m_copydata (...)
#3 0xf015e9b5 in tcp_output (...)
#4 0xf015dc4e in tcp_input (...)
#5 0xf0156045 in ip_input:ipintr (...)
#6 0xf01c6f0d in exception:swi_net_next (-272630140)
#7 0xf01170b5 in select (...)
#8 0xf01d09f3 in syscall (...)
(kgdb) up
Reading in symbols for ../../kern/subr_prf.c...done.
#1 0xf0115367 in panic (fmt=(char *) 0xf0120af4 "m_copydata") (../../kern/subr_prf.c line 124)
124 (../../kern/subr_prf.c)
(kgdb) up
Reading in symbols for ../../kern/uipc_mbuf.c...done.
#2 0xf0120b21 in m_copydata (m=(struct mbuf *) 0x0, off=-1, len=1, cp=(char *) 0xf17986e8 "\004") (../../kern/uipc_mbuf.c line 372)
372 (../../kern/uipc_mbuf.c)
(kgdb) directory /usr/src/sys/i386/conf
Source directories searched: /m/katiska/news/crash:/usr/src/sys/i386/conf
(kgdb) up
Reading in symbols for ../../netinet/tcp_output.c...done.
#3 0xf015e9b5 in tcp_output (tp=(struct tcpcb *) 0xf182d900) (../../netinet/tcp_output.c line 476)
(kgdb) down
#2 0xf0120b21 in m_copydata (m=(struct mbuf *) 0x0, off=-1, len=1, cp=(char *) 0xf17986e8 "\004") (../../kern/uipc_mbuf.c line 372)
(kgdb) list
367         caddr_t cp;
368     {
369         register unsigned count;
370
371         if (off < 0 || len < 0)
372             panic("m_copydata");
373         while (off > 0) {
374             if (m == 0)
375                 panic("m_copydata");
376             if (off < m->m_len)
(kgdb) print off
$1 = 0
(kgdb) print len
$2 = 1
(kgdb) up
#3 0xf015e9b5 in tcp_output (tp=(struct tcpcb *) 0xf182d900) (../../netinet/tcp_output.c line 476)
(kgdb) print so
$3 = (struct socket *) 0xf180c800
(kgdb) print so->so_snd.sb_md
There is no field named sb_md.
(kgdb) print so->so_snd.sb_mb
$4 = (struct mbuf *) 0x0
(kgdb) print off
$5 = -1
(kgdb) print len
$6 = 1
(kgdb) list
471             goto out;
472         }
473         m->m_data += max_linkhdr;
474         m->m_len = hdrlen;
475         if (len <= MHLEN - hdrlen - max_linkhdr) {
476             m_copydata(so->so_snd.sb_mb, off, (int) len,
477                 mtod(m, caddr_t) + hdrlen);
478             m->m_len += len;
479         } else {
480             m->m_next = m_copy(so->so_snd.sb_mb, off, (int) len);
(kgdb) print m
$7 = (struct mbuf *) 0xf1798680
(kgdb) print *m
$8 = {m_hdr = {mh_next = 0x0, mh_nextpkt = 0x0, mh_len = 60, mh_data = 0xf17986ac "\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336", mh_type = 2, mh_flags = 2}, M_dat = {MH = {MH_pkthdr = {len = -559038242, rcvif = 0xdeadc0de}, MH_dat = {MH_ext = {ext_buf = 0xdeadc0de <Address 0xdeadc0de out of bounds>, ext_free = 0xdeadc0de, ext_size = 0xdeadc0de}, MH_databuf = {"\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\000P\005m\020)\003\217\000\0044\223P\020@\000\366\004\000\000\000\000\000\000M\000\000\000\000\000\a\361\001\001\013\006\000\000\0028\004\000\000\000\204\361\2720\006\000\000\000\006", '\000' <repeats 11 times>}}}, M_databuf = {"\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\000P\005m\020)\003\217\000\0044\223P\020@\000\366\004\000\000\000\000\000\000M\000\000\000\000\000\a\361\001\001\013\006\000\000\0028\004\000\000\000\204\361\2720\006\000\000\000\006", '\000' <repeats 11 times>}}}
(kgdb)

>How-To-Repeat:

I don't know what triggers it, but for some reason it has been triggered at least 8 times today.

>Fix:

unknown.

>Audit-Trail:
>Unformatted:
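
Added example, not part of the original report or of the FreeBSD source: a userland C model of the argument checks shown in the kgdb listing of m_copydata(), returning a status where the kernel panics, so that the frame #3 values (sb_mb = 0x0, off = -1, len = 1) can be replayed. struct mbuf_model, checked_copydata(), poison_words() and the copy loop after listing line 376 are assumptions made for illustration; poison_words() counts the \336\300\255\336 groups of the kind seen in the printed mbuf.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical userland stand-in for struct mbuf: only the fields the listing touches. */
struct mbuf_model {
    struct mbuf_model *m_next;
    int m_len;
    const unsigned char *m_data;
};

enum copy_status { COPY_OK, COPY_BAD_ARGS, COPY_CHAIN_SHORT };

/* Same checks as the listed m_copydata(), returning a status where the kernel panics. */
enum copy_status checked_copydata(const struct mbuf_model *m, int off, int len,
                                  unsigned char *cp)
{
    if (off < 0 || len < 0)              /* listing lines 371-372 */
        return COPY_BAD_ARGS;
    while (off > 0) {                    /* skip whole mbufs up to the offset */
        if (m == NULL)                   /* listing lines 374-375 */
            return COPY_CHAIN_SHORT;
        if (off < m->m_len)
            break;
        off -= m->m_len;
        m = m->m_next;
    }
    while (len > 0) {                    /* assumed remainder: copy across the chain */
        if (m == NULL)
            return COPY_CHAIN_SHORT;
        int count = m->m_len - off;
        if (count > len)
            count = len;
        memcpy(cp, m->m_data + off, (size_t)count);
        len -= count;
        cp += count;
        off = 0;
        m = m->m_next;
    }
    return COPY_OK;
}

/* Count leading 4-byte groups equal to 0xdeadc0de as stored little-endian (\336\300\255\336). */
size_t poison_words(const unsigned char *buf, size_t n)
{
    static const unsigned char pat[4] = { 0xde, 0xc0, 0xad, 0xde };
    size_t words = 0;
    while ((words + 1) * 4 <= n && memcmp(buf + words * 4, pat, 4) == 0)
        words++;
    return words;
}
```

With the frame #3 arguments the first check rejects the call before the NULL chain is ever dereferenced, which matches the panic at uipc_mbuf.c line 372 in the backtrace.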