NetBSD-Bugs archive


kern/51767: reproducible kernel stack overflow(?!)



>Number:         51767
>Category:       kern
>Synopsis:       reproducible kernel stack overflow(?!)
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jan 03 15:10:00 +0000 2017
>Originator:     Martin Husemann
>Release:        NetBSD 7.99.54
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD night-owl.duskware.de 7.99.53 NetBSD 7.99.53 (NIGHT-OWL) #450: Wed Dec 28 12:18:50 CET 2016 martin%night-owl.duskware.de@localhost:/usr/src/sys/arch/amd64/compile/NIGHT-OWL amd64
Architecture: x86_64
Machine: amd64

... but the crash happens with a newer .54 kernel!

>Description:

ssh'ing to a machine that still has the SACK bug which recently got fixed
(not sure if this is relevant) and doing a cvs update there crashes
my machine ~instantly.

stack overflow detected; terminated
...
vpanic()
snprintf()
ssp_init()
tcp_output()+0x231e
tcp_input()+0x10b2
ipintr()

and the source lines are:
0xffffffff804f11d8 is in tcp_output (../../../../netinet/tcp_output.c:592).
587     #endif
588             uint64_t *tcps;
589     
590     #ifdef DIAGNOSTIC
591             if (tp->t_inpcb && tp->t_in6pcb)
592                     panic("tcp_output: both t_inpcb and t_in6pcb are set");
593     #endif
594             so = NULL;
595             ro = NULL;
596             if (tp->t_inpcb) {

0xffffffff804ecabc is in tcp_input (../../../../netinet/tcp_input.c:3027).
3022             * Return any desired output.
3023             */
3024            if (needoutput || (tp->t_flags & TF_ACKNOW)) {
3025                    KERNEL_LOCK(1, NULL);
3026                    (void) tcp_output(tp);
3027                    KERNEL_UNLOCK_ONE(NULL);
3028            }
3029            if (tcp_saveti)
3030                    m_freem(tcp_saveti);
3031    


>How-To-Repeat:
s/a

>Fix:
n/a


