ng_snd_item: Panic?
Larry Rosenman
ler at lerctr.org
Tue Jun 25 12:59:08 UTC 2019
On 06/25/2019 4:18 am, Andrey V. Elsukov wrote:
> On 24.06.2019 23:10, Larry Rosenman wrote:
>>>> #5 0xffffffff828ee5b7 in ng_snd_item (item=0xfffff8021e3b4d80,
>>>> flags=0)
>>>> at /usr/src/sys/netgraph/ng_base.c:2252
>>>
>>> It looks like you use some netgraph based ethernet interface.
>>> The system got received ARP request and is going to send the reply,
>>> but somehow mbuf with this ARP request has initialized m_next
>>> pointer,
>>> thus it is considered as a chain of mbufs.
>>>
>>> in_arpinput() reuses received mbuf to construct the reply, but it
>>> doesn't check that an mbut is a chain. It just sets m_len and sends
>>> it.
>>> Then since you have INVARIANTS in your kernel, the netgraph code
>>> check
>>> the actual length of the chain, and it doesn't match to m_len. It
>>> panics.
>>
>>
>> so, is this a bug? Timing race? Other?
>
> I think we should determine that my assumption is correct :)
> Can you show the output of the following commands from the kgdb for
> this
> core?
>
> (kgdb) f 7
> (kgdb) p *m
> (kgdb) p *m->m_next
(kgdb) fr 7
#7 0xffffffff805b1e43 in ether_output (ifp=<optimized out>,
m=0xfffff81f59eefb00, dst=0xfffffe012628d740, ro=<optimized out>) at
/usr/src/sys/net/if_ethersubr.c:430
430 if ((error = (*ng_ether_output_p)(ifp, &m)) != 0) {
(kgdb) p *m
$1 = {{m_next = 0xfffff81086c9dd00, m_slist = {sle_next =
0xfffff81086c9dd00}, m_stailq = {stqe_next = 0xfffff81086c9dd00}},
{m_nextpkt = 0x0, m_slistpkt = {sle_next = 0x0}, m_stailqpkt =
{stqe_next = 0x0}},
m_data = 0xfffff81f59eefb72
"\004\311\331c\"\207\244\272\333)f\225\b\006", m_len = 42, m_type = 1,
m_flags = 2, {{m_pkthdr = {{snd_tag = 0x0, rcvif = 0x0}, tags =
{slh_first = 0xfffff8104c530d60}, len = 42, flowid = 0, csum_flags = 0,
fibnum = 0,
numa_domain = 255 '\377', rsstype = 0 '\000', {rcv_tstmp = 0,
{l2hlen = 0 '\000', l3hlen = 0 '\000', l4hlen = 0 '\000', l5hlen = 0
'\000', spare = 0}}, PH_per = {eight = "\000\000\000\000\000\000\000",
sixteen = {0, 0, 0, 0}, thirtytwo = {0, 0}, sixtyfour = {
0}, unintptr = {0}, ptr = 0x0}, PH_loc = {eight =
"\000\000\000\000\000\000\000", sixteen = {0, 0, 0, 0}, thirtytwo = {0,
0}, sixtyfour = {0}, unintptr = {0}, ptr = 0x0}}, {m_ext = {{ext_count =
3735929054, ext_cnt = 0xdeadc0dedeadc0de},
ext_buf = 0x200000207 <error: Cannot access memory at address
0x200000207>, ext_size = 99483648, ext_type = 0, ext_flags = 0, ext_free
= 0x872263d9c9040000, ext_arg1 = 0x608956629dbbaa4, ext_arg2 =
0x200040600080100},
m_pktdat = 0xfffff81f59eefb58
"\336\300\255\336\336\300\255\336\a\002"}}, m_dat = 0xfffff81f59eefb20
""}}
(kgdb) p *m->m_next
$2 = {{m_next = 0x0, m_slist = {sle_next = 0x0}, m_stailq = {stqe_next =
0x0}}, {m_nextpkt = 0x0, m_slistpkt = {sle_next = 0x0}, m_stailqpkt =
{stqe_next = 0x0}},
m_data = 0xfffff8002144b800
"\004\002\b\n\001tWg\001tWg\001\003\003\006\255\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336",
<incomplete sequence \332>, m_len = 1372, m_type = 1, m_flags = 1,
{{m_pkthdr = {{snd_tag = 0x0,
rcvif = 0x0}, tags = {slh_first = 0x0}, len = 0, flowid = 0,
csum_flags = 0, fibnum = 0, numa_domain = 0 '\000', rsstype = 0 '\000',
{rcv_tstmp = 0, {l2hlen = 0 '\000', l3hlen = 0 '\000', l4hlen = 0
'\000', l5hlen = 0 '\000', spare = 0}}, PH_per = {
eight = "\000\000\000\000\000\000\000", sixteen = {0, 0, 0,
0}, thirtytwo = {0, 0}, sixtyfour = {0}, unintptr = {0}, ptr = 0x0},
PH_loc = {eight = "\000\000\000\000\000\000\000", sixteen = {0, 0, 0,
0}, thirtytwo = {0, 0}, sixtyfour = {0}, unintptr = {0},
ptr = 0x0}}, {m_ext = {{ext_count = 1, ext_cnt =
0xdeadc0de00000001}, ext_buf = 0xfffff8002144b800
"\004\002\b\n\001tWg\001tWg\001\003\003\006\255\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336",
<incomplete sequence \332>,
ext_size = 2048, ext_type = 6, ext_flags = 1, ext_free = 0x0,
ext_arg1 = 0x0, ext_arg2 = 0x0}, m_pktdat = 0xfffff81086c9dd58 "\001"}},
m_dat = 0xfffff81086c9dd20 ""}}
(kgdb)
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: ler at lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106
More information about the freebsd-net
mailing list