panic: m_copydata: len -7 < 0

Greg Steuck Fri, 19 Nov 2010 23:24:12 -0800

Believe it or not, I just got this reproduced with a patch to print
the mbuf (courtesy of Claudio).


Running 4.8-sparc64 with the 2 patches below. Here's the output. Maybe
this will give somebody an idea about why such weird mbufs are making
it to wi_start.

This one is the real offender that would have crashed the kernel had
it not been for my work around part of the patch that just discarded
it:

Dropping too short packet: 7 bytes 1 timesmbuf 0x40006bb0d60
m_type: 1       m_flags: 20b<M_EXT,M_PKTHDR,M_CLUSTER,M_MCAST>
m_next: 0x0     m_nextpkt: 0x0
m_data: 0x40006cc9002   m_len: 7
m_dat: 0x40006bb0d80 m_pktdat: 0x40006bb0db8
m_pkthdr.len: 7 m_ptkhdr.rcvif: 0x400006f4048   m_ptkhdr.rdomain: 0
m_ptkhdr.tags: 0x0      m_pkthdr.tagsset: 0
m_pkthdr.csum_flags: 0  m_pkthdr.ether_vtag: 0
m_pkthdr.pf.flags: 0
m_pkthdr.pf.hdr: 0x0    m_pkthdr.pf.statekey: 0x0
m_pkthdr.pf.qid:        0 m_pkthdr.pf.tag: 0
m_pkthdr.pf.routed: 0
m_ext.ext_buf: 0x40006cc9000    m_ext.ext_size: 2048
m_ext.ext_type: 0       m_ext.ext_backend: 0
m_ext.ext_ifp: 0x0
m_ext.ext_free: 0x0     m_ext.ext_arg: 0x0
m_ext.ext_nextref: 0x40006bb1e60        m_ext.ext_prevref: 0x40006bb1e60

Patches:

--- sys/dev/ic/if_wi.c.orig     Fri Jul  9 16:41:52 2010
+++ sys/dev/ic/if_wi.c  Fri Nov 19 21:05:39 2010
@@ -2336,6 +2336,8 @@
        return 0;
 }

+void m_print(struct mbuf *);
+
 void
 wi_start(struct ifnet *ifp)
 {
@@ -2445,6 +2447,11 @@
                            (m0->m_pkthdr.len -
                             sizeof(struct ether_header)) + 18);
                } else {
+                  if (m0->m_pkthdr.len >= sizeof(struct ether_header)) {
+                          static int fire_trigger = 0;
+                          if (fire_trigger++ == 3) {
+                                  m_print(m0);
+                          }
                        m_copydata(m0, sizeof(struct ether_header),
                            m0->m_pkthdr.len - sizeof(struct ether_header),
                            (caddr_t)&sc->wi_txbuf);
@@ -2456,6 +2463,14 @@
                            (caddr_t)&sc->wi_txbuf,
                            (m0->m_pkthdr.len -
                             sizeof(struct ether_header)) + 2);
+                  } else {
+                       static int dropped_packets = 0;
+                       dropped_packets++;
+                       printf("Dropping too short packet: %d bytes %d
times",
+                              m0->m_pkthdr.len,
+                              dropped_packets);
+                       m_print(m0);
+                  }
                }
        } else {
                tx_frame.wi_dat_len = htole16(m0->m_pkthdr.len);

This one straight from Claudio's email:

--- uipc_mbuf.c 5 Oct 2010 13:29:40 -0000       1.145
+++ uipc_mbuf.c 28 Oct 2010 11:58:11 -0000
@@ -1370,3 +1370,49 @@ m_dup_pkthdr(struct mbuf *to, struct mbu

        return (0);
 }
+
+#ifdef DDB
+void m_print(struct mbuf *);
+
+void
+m_print(struct mbuf *m)
+{
+       printf("mbuf %p\n", m);
+       printf("m_type: %hi\tm_flags: %b\n", m->m_type, m->m_flags,
+           "\20\1M_EXT\2M_PKTHDR\3M_EOR\4M_CLUSTER\5M_PROTO1\6M_VLANTAG"
+           "\7M_LOOP\10M_FILDROP\11M_BCAST\12M_MCAST\13M_CONF\14M_AUTH"
+           "\15M_TUNNEL\16M_AUTH_AH\17M_LINK0");
+       printf("m_next: %p\tm_nextpkt: %p\n", m->m_next, m->m_nextpkt);
+       printf("m_data: %p\tm_len: %u\n", m->m_data, m->m_len);
+       printf("m_dat: %p m_pktdat: %p\n", m->m_dat, m->m_pktdat);
+       if (m->m_flags & M_PKTHDR) {
+               printf("m_pkthdr.len: %i\tm_ptkhdr.rcvif: %p\t"
+                   "m_ptkhdr.rdomain: %u\n", m->m_pkthdr.len,
+                   m->m_pkthdr.rcvif, m->m_pkthdr.rdomain);
+               printf("m_ptkhdr.tags: %p\tm_pkthdr.tagsset: %hx\n",
+                   SLIST_FIRST(&m->m_pkthdr.tags), m->m_pkthdr.tagsset);
+               printf("m_pkthdr.csum_flags: %hx\tm_pkthdr.ether_vtag:
%hu\n",
+                   m->m_pkthdr.csum_flags, m->m_pkthdr.ether_vtag);
+               printf("m_pkthdr.pf.flags: %b\n",
+                   m->m_pkthdr.pf.flags, "\20\1GENERATED\2FRAGCACHE"
+                   "\3TRANSLATE_LOCALHOST\4DIVERTED\5DIVERTED_PACKET"
+                   "\6PF_TAG_REROUTE");
+               printf("m_pkthdr.pf.hdr: %p\tm_pkthdr.pf.statekey: %p\n",
+                   m->m_pkthdr.pf.hdr, m->m_pkthdr.pf.statekey);
+               printf("m_pkthdr.pf.qid:\t%u m_pkthdr.pf.tag: %hu\n",
+                   m->m_pkthdr.pf.qid, m->m_pkthdr.pf.tag);
+               printf("m_pkthdr.pf.routed: %hhx\n", m->m_pkthdr.pf.routed);
+       }
+       if (m->m_flags & M_EXT) {
+               printf("m_ext.ext_buf: %p\tm_ext.ext_size: %u\n",
+                   m->m_ext.ext_buf, m->m_ext.ext_size);
+               printf("m_ext.ext_type: %x\tm_ext.ext_backend: %i\n",
+                   m->m_ext.ext_type, m->m_ext.ext_backend);
+               printf("m_ext.ext_ifp: %p\n", m->m_ext.ext_ifp);
+               printf("m_ext.ext_free: %p\tm_ext.ext_arg: %p\n",
+                   m->m_ext.ext_free, m->m_ext.ext_arg);
+               printf("m_ext.ext_nextref: %p\tm_ext.ext_prevref: %p\n",
+                   m->m_ext.ext_nextref, m->m_ext.ext_prevref);
+       }
+}
+#endif

Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2010 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 4.8 (GENERIC) #0: Fri Nov 19 22:32:29 PST 2010
    g...@u5.nest.cx:/usr/src/sys/arch/sparc64/compile/GENERIC
real mem = 402653184 (384MB)
avail mem = 383975424 (366MB)
mainbus0 at root: Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi 360MHz)
cpu0 at mainbus0: SUNW,UltraSPARC-IIi (rev 9.1) @ 360 MHz
cpu0: physical 16K instruction (32 b/l), 16K data (32 b/l), 256K
external (64 b/l)
psycho0 at mainbus0 addr 0xfffc4000: SUNW,sabre, impl 0, version 0, ign 7c0
psycho0: bus range 0-2, PCI bus 0
psycho0: dvma map c0000000-dfffffff
pci0 at psycho0
ppb0 at pci0 dev 1 function 1 "Sun Simba PCI-PCI" rev 0x13
pci1 at ppb0 bus 1
ebus0 at pci1 dev 1 function 0 "Sun PCIO EBus2" rev 0x01
auxio0 at ebus0 addr 726000-726003, 728000-728003, 72a000-72a003,
72c000-72c003, 72f000-72f003
power0 at ebus0 addr 724000-724003 ivec 0x25
"SUNW,pll" at ebus0 addr 504000-504002 not configured
sab0 at ebus0 addr 400000-40007f ivec 0x2b: rev 3.2
sabtty0 at sab0 port 0: console
sabtty1 at sab0 port 1
comkbd0 at ebus0 addr 3083f8-3083ff ivec 0x29: no keyboard
comms0 at ebus0 addr 3062f8-3062ff ivec 0x2a
wsmouse0 at comms0 mux 0
lpt0 at ebus0 addr 3043bc-3043cb, 30015c-30015d, 700000-70000f ivec 0x22:
polled
clock1 at ebus0 addr 0-1fff: mk48t59
"flashprom" at ebus0 addr 0-fffff not configured
audioce0 at ebus0 addr 200000-2000ff, 702000-70200f, 704000-70400f,
722000-722003 ivec 0x23 ivec 0x24: nvaddrs 0
audio0 at audioce0
hme0 at pci1 dev 1 function 1 "Sun HME" rev 0x01: ivec 0x7e1, address
08:00:20:xx:xx:xx
nsphy0 at hme0 phy 1: DP83840 10/100 PHY, rev. 1
machfb0 at pci1 dev 2 function 0 "ATI Mach64" rev 0x5c
machfb0: ATY,GT-C, 1152x900
wsdisplay0 at machfb0 mux 1
wsdisplay0: screen 0 added (std, sun emulation)
pciide0 at pci1 dev 3 function 0 "CMD Technology PCI0646" rev 0x03:
DMA, channel 0 configured to native-PCI, channel 1 configured to
native-PCI
pciide0: using ivec 0x7e0 for native-PCI interrupt
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <LG, CD-ROM CRD-8322B, 1.05> ATAPI
5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, DMA mode 2
wd0 at pciide0 channel 1 drive 0: <IBM-DHEA-38451>
wd0: 16-sector PIO, LBA, 8063MB, 16514064 sectors
wd0(pciide0:1:0): using PIO mode 4, DMA mode 2
ppb1 at pci0 dev 1 function 0 "Sun Simba PCI-PCI" rev 0x13
pci2 at ppb1 bus 2
wi0 at pci2 dev 1 function 0 "Intersil PRISM2.5" rev 0x01: ivec 0x7d0
wi0: PRISM2.5 ISL3874A(Mini-PCI) (0x8013), Firmware 1.0.5 (primary),
1.3.4 (station), address 00:06:25:xx:xx:xx
skc0 at pci2 dev 2 function 0 "Linksys EG1032" rev 0x12, Yukon (0x1): ivec
0x7d4
sk0 at skc0 port A: address 00:0c:41:xx:xx:xx
eephy0 at sk0 phy 0: 88E1011 Gigabit PHY, rev. 3
softraid0 at root
bootpath: /p...@1f,0/p...@1,1/i...@3,0/d...@2,0
root on wd0a swap on wd0b dump on wd0b
mbuf 0x40006baa390
m_type: 1       m_flags: 20b<M_EXT,M_PKTHDR,M_CLUSTER,M_MCAST>
m_next: 0x0     m_nextpkt: 0x0
m_data: 0x40006bde802   m_len: 342
m_dat: 0x40006baa3b0 m_pktdat: 0x40006baa3e8
m_pkthdr.len: 342       m_ptkhdr.rcvif: 0x400006f4048   m_ptkhdr.rdomain: 0
m_ptkhdr.tags: 0x0      m_pkthdr.tagsset: 0
m_pkthdr.csum_flags: 0  m_pkthdr.ether_vtag: 0
m_pkthdr.pf.flags: 0
m_pkthdr.pf.hdr: 0x0    m_pkthdr.pf.statekey: 0x0
m_pkthdr.pf.qid:        0 m_pkthdr.pf.tag: 0
m_pkthdr.pf.routed: 0
m_ext.ext_buf: 0x40006bde800    m_ext.ext_size: 2048
m_ext.ext_type: 0       m_ext.ext_backend: 0
m_ext.ext_ifp: 0x0
m_ext.ext_free: 0x0     m_ext.ext_arg: 0x0
m_ext.ext_nextref: 0x40006baa690        m_ext.ext_prevref: 0x40006baa690
Dropping too short packet: 7 bytes 1 timesmbuf 0x40006bb0d60
m_type: 1       m_flags: 20b<M_EXT,M_PKTHDR,M_CLUSTER,M_MCAST>
m_next: 0x0     m_nextpkt: 0x0
m_data: 0x40006cc9002   m_len: 7
m_dat: 0x40006bb0d80 m_pktdat: 0x40006bb0db8
m_pkthdr.len: 7 m_ptkhdr.rcvif: 0x400006f4048   m_ptkhdr.rdomain: 0
m_ptkhdr.tags: 0x0      m_pkthdr.tagsset: 0
m_pkthdr.csum_flags: 0  m_pkthdr.ether_vtag: 0
m_pkthdr.pf.flags: 0
m_pkthdr.pf.hdr: 0x0    m_pkthdr.pf.statekey: 0x0
m_pkthdr.pf.qid:        0 m_pkthdr.pf.tag: 0
m_pkthdr.pf.routed: 0
m_ext.ext_buf: 0x40006cc9000    m_ext.ext_size: 2048
m_ext.ext_type: 0       m_ext.ext_backend: 0
m_ext.ext_ifp: 0x0
m_ext.ext_free: 0x0     m_ext.ext_arg: 0x0
m_ext.ext_nextref: 0x40006bb1e60        m_ext.ext_prevref: 0x40006bb1e60


--
nest.cx is Gmail hosted, use PGP for anything private. Key:
http://tinyurl.com/ho8qg
Fingerprint: 5E2B 2D0E 1E03 2046 BEC3  4D50 0B15 42BD 8DF5 A1B0

Re: wihap_data_input -> wi_start -> panic: m_copydata: len -7 < 0

Reply via email to