Subject: kern/24713: ping -c 1 -s 60000 will panic if DIAGNOSTIC
To: None <gnats-bugs@gnats.netbsd.org>
From: Darrin B. Jewell <dbj@netbsd.org>
List: netbsd-bugs
Date: 03/09/2004 01:01:51
>Number: 24713
>Category: kern
>Synopsis: ping -c 1 -s 60000 will panic if DIAGNOSTIC
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Mar 09 06:07:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator: Darrin B. Jewell
>Release: netbsd-current, updated via cvs ~20040306T0344Z
>Organization:
>Environment:
System: NetBSD 1.6ZK NetBSD 1.6ZK (GENERIC.DIAGNOSTIC) #0: Tue Mar 9 00:37:07 EST 2004
dbj@Quiteria:/u3/ephemeral/t/obj.i386/sys/arch/i386/compile/GENERIC.DIAGNOSTIC i386
Architecture: i386
Machine: i386
>Description:
# ping -c 1 -s 60000 localhost
PING localhost (127.0.0.1): 60000 data bytes
panic: kernel diagnostic assertion "n == NULL || m->m_type == n->m_type" failed:
file "/u3/work/t/src/sys/kern/uipc_mbuf.c", line 677
Stopped in pid 370.1 (ping) at netbsd:cpu_Debugger+0x4: leave
db> t
cpu_Debugger(c10e5c40,5,c,c10e2000,c10e2300) at netbsd:cpu_Debugger+0x4
panic(c0737080,c06a0f8f,c0701680,c07016c0,2a5) at netbsd:panic+0x11d
__main(c06a0f8f,c07016c0,2a5,c0701680,c1308fd8) at netbsd:__main
m_adj(c10e2000,c10e2300,8,282,c0795280) at netbsd:m_adj
ip_reass(c130802c,c10e5780,c079539c,c1308000,c10e2044) at netbsd:ip_reass+0x36e
ip_input(c10e2300,0,c10e2100,c10e2200,0) at netbsd:ip_input+0x4d1
ipintr(1583,c10e2200,0,cb4cbe5c,c037916a) at netbsd:ipintr+0x71
DDB lost frame for netbsd:Xsoftnet+0x40, trying 0xcb4cbe00
Xsoftnet() at netbsd:Xsoftnet+0x40
--- interrupt ---
0:
db> x 0xcb4cbe00-8
netbsd:usb_all_tasks+0xad09020: cb4cbe0c
db> t cb4cbe0c
sosend(c12de000,c10e2100,cb4cbea4,c10e2200,0) at netbsd:sosend+0x406
sendit(cb3e9994,3,cb4cbf14,0,cb4cbf5c) at netbsd:sendit+0x124
sys_sendto(cb3ba840,cb4cbf64,cb4cbf5c,0,cb4cbfa4) at netbsd:sys_sendto+0x54
syscall_plain() at netbsd:syscall_plain+0x7e
--- syscall (number 133) ---
0x480fa6f3:
db>
(gdb) info line *(ip_reass+0x36e)
Line 1206 of "/u3/work/t/src/sys/netinet/ip_input.c" starts at address 0xc01258ba <ip_reass+878>
and ends at 0xc01258c3 <ip_reass+887>.
(gdb) list *(ip_reass+0x36e)
0xc01258ba is in ip_reass (/u3/work/t/src/sys/netinet/ip_input.c:1206).
1201 t = m->m_next;
1202 m->m_next = 0;
1203 m_cat(m, t);
1204 nq = TAILQ_NEXT(q, ipqe_q);
1205 pool_put(&ipqent_pool, q);
1206 for (q = nq; q != NULL; q = nq) {
1207 t = q->ipqe_m;
1208 nq = TAILQ_NEXT(q, ipqe_q);
1209 pool_put(&ipqent_pool, q);
1210 m_cat(m, t);
(gdb) list /u3/work/t/src/sys/kern/uipc_mbuf.c:677
672 */
673 void
674 m_cat(struct mbuf *m, struct mbuf *n)
675 {
676
677 KASSERT(n == NULL || m->m_type == n->m_type);
678
679 while (m->m_next)
680 m = m->m_next;
681 while (n) {
(gdb) info line *(sosend+0x406)
Line 168 of "intr.h" starts at address 0xc0379161 <sosend+1021> and ends at 0xc0379172 <sosend+1038>.
(gdb) info line *(sosend+1020)
Line 814 of "/u3/work/t/src/sys/kern/uipc_socket.c" starts at address 0xc0379139 <sosend+981>
and ends at 0xc0379161 <sosend+1021>.
(gdb) list *(sosend+1020)
0xc0379160 is in sosend (/u3/work/t/src/sys/kern/uipc_socket.c:814).
809
810 release:
811 sbunlock(&so->so_snd);
812 out:
813 if (top)
814 m_freem(top);
815 if (control)
816 m_freem(control);
817 return (error);
818 }
(gdb)
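To make the failed assertion concrete, here is a small userland model, added to this PR and not taken from the NetBSD sources: a stand-in `struct mbuf` with only the fields m_cat() touches, the m_cat() type invariant from uipc_mbuf.c:677 written as a predicate that returns a status instead of panicking, and a model of the concatenation loop at ip_input.c:1206-1210 that m_cat()s each fragment onto the first. The MT_* values, the fragment lengths and the two fragment chains are constructed for the illustration; the second scenario simply gives one fragment head a different m_type from the packet head, which is the condition the KASSERT reports.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the mbuf fields that m_cat() touches; this is not
 * the kernel's struct mbuf.  MT_* values are assumed to match sys/mbuf.h. */
enum { MT_FREE = 0, MT_DATA = 1, MT_HEADER = 2 };

struct mbuf {
	struct mbuf *m_next;	/* next mbuf in the same chain */
	int m_type;		/* MT_* */
	int m_len;		/* payload bytes in this mbuf (not used by the check) */
};

/* The DIAGNOSTIC invariant from uipc_mbuf.c:677 as a predicate: the head of
 * n (if there is one) must carry the same m_type as the head of m. */
int
m_cat_type_ok(const struct mbuf *m, const struct mbuf *n)
{
	return n == NULL || m->m_type == n->m_type;
}

/* Model of m_cat(): append chain n to the tail of chain m.  Where the kernel
 * panics on the failed assertion, this returns -1 and leaves m untouched. */
int
m_cat_model(struct mbuf *m, struct mbuf *n)
{
	if (!m_cat_type_ok(m, n))
		return -1;
	while (m->m_next != NULL)
		m = m->m_next;
	m->m_next = n;
	return 0;
}

/* Model of the loop at ip_input.c:1206-1210: frags[] holds the per-fragment
 * chain heads in offset order, frags[0] becomes the reassembled packet and
 * every later fragment is m_cat'ed onto it.  Returns -1 when every fragment
 * attaches, otherwise the index of the first fragment the assertion rejects. */
int
reass_model(struct mbuf *frags[], int nfrags)
{
	struct mbuf *m = frags[0];
	for (int i = 1; i < nfrags; i++)
		if (m_cat_model(m, frags[i]) != 0)
			return i;
	return -1;
}

/* Scenario 1 (constructed): all fragment heads are MT_DATA, so the chain is
 * built without tripping the invariant. */
int
scenario_uniform(void)
{
	struct mbuf f0 = { NULL, MT_DATA, 1480 };
	struct mbuf f1 = { NULL, MT_DATA, 1480 };
	struct mbuf f2 = { NULL, MT_DATA, 1000 };
	struct mbuf *frags[] = { &f0, &f1, &f2 };
	return reass_model(frags, 3);
}

/* Scenario 2 (constructed): the second fragment's head has a different
 * m_type from the packet head, which is what the KASSERT in the PR caught. */
int
scenario_mixed(void)
{
	struct mbuf f0 = { NULL, MT_DATA, 1480 };
	struct mbuf f1 = { NULL, MT_HEADER, 1480 };
	struct mbuf f2 = { NULL, MT_DATA, 1000 };
	struct mbuf *frags[] = { &f0, &f1, &f2 };
	return reass_model(frags, 3);
}

int
main(void)
{
	printf("uniform types: %d (-1 means every fragment attached)\n",
	    scenario_uniform());
	printf("mixed types:   %d (index of the rejected fragment)\n",
	    scenario_mixed());
	return 0;
}
```

The model makes the point of the diagnostic visible: m_cat() only walks to the tail of m and links n on, so the type check is the one place where a fragment chain with inconsistent m_type values is noticed; without DIAGNOSTIC the same chain would be concatenated silently.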
>How-To-Repeat:
Compile a kernel with the DIAGNOSTIC option turned on, then
run 'ping -c 1 -s 60000 localhost'.
The same thing occurs if I ping the IP address of a local
tlp(4) interface.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: