Bug 862

Summary: more access to freed mbufs
Product: Base System Reporter: Heikki Suonsivu <hsu>
Component: kern    Assignee: olah
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 2.2-CURRENT   
Hardware: Any   
OS: Any   

Description Heikki Suonsivu 1995-12-03 20:20:04 UTC
	Self-explanatory; crash dumps are available as
ftp://clinet.fi/pub/FreeBSD/crashdumps/*.36.gz

	What the dump below shows: the panic is the `off < 0 || len < 0` check in
m_copydata (uipc_mbuf.c line 372), reached from tcp_output (tcp_output.c line
476) with so->so_snd.sb_mb == NULL, off == -1 and len == 1 -- i.e. tcp_output
tried to copy one byte at a negative offset out of an empty send buffer. Note
that `print off` in frame #2 reports 0 while the frame line and frame #3 both
give -1; line 372 is only reached for a negative off, so -1 is the value that
was actually tested. The header mbuf tcp_output is filling in (m = 0xf1798680)
still has its pkthdr.len, rcvif and data area filled with 0xdeadc0de, which
looks like a freed-memory fill pattern left over from the mbuf's previous use
rather than anything this call path initialised.

Current directory is /m/katiska/news/crash/
Reading symbol data from /m/katiska/news/crash/kernel.36...done.
IdlePTD 26d000
panic: m_copydata
current pcb at 21bd44
Reading in symbols for ../../i386/i386/machdep.c...done.
(kgdb) bt
#0  boot (howto=256) (../../i386/i386/machdep.c line 925)
#1  0xf0115367 in panic (...)
#2  0xf0120b21 in m_copydata (...)
#3  0xf015e9b5 in tcp_output (...)
#4  0xf015dc4e in tcp_input (...)
#5  0xf0156045 in ip_input:ipintr (...)
#6  0xf01c6f0d in exception:swi_net_next (-272630140)
#7  0xf01170b5 in select (...)
#8  0xf01d09f3 in syscall (...)
(kgdb) up
Reading in symbols for ../../kern/subr_prf.c...done.
#1  0xf0115367 in panic (fmt=(char *) 0xf0120af4 "m_copydata") (../../kern/subr_prf.c line 124)
124	(../../kern/subr_prf.c)
(kgdb) up
Reading in symbols for ../../kern/uipc_mbuf.c...done.
#2  0xf0120b21 in m_copydata (m=(struct mbuf *) 0x0, off=-1, len=1, cp=(char *) 0xf17986e8 "\004") (../../kern/uipc_mbuf.c line 372)
372	(../../kern/uipc_mbuf.c)
(kgdb) directory /usr/src/sys/i386/conf
Source directories searched: /m/katiska/news/crash:/usr/src/sys/i386/conf
(kgdb) up
Reading in symbols for ../../netinet/tcp_output.c...done.
#3  0xf015e9b5 in tcp_output (tp=(struct tcpcb *) 0xf182d900) (../../netinet/tcp_output.c line 476)
(kgdb) down
#2  0xf0120b21 in m_copydata (m=(struct mbuf *) 0x0, off=-1, len=1, cp=(char *) 0xf17986e8 "\004") (../../kern/uipc_mbuf.c line 372)
(kgdb) list
367		caddr_t cp;
368	{
369		register unsigned count;
370	
371		if (off < 0 || len < 0)
372			panic("m_copydata");
373		while (off > 0) {
374			if (m == 0)
375				panic("m_copydata");
376			if (off < m->m_len)
(kgdb) print off
$1 = 0
(kgdb) print len
$2 = 1
(kgdb) up
#3  0xf015e9b5 in tcp_output (tp=(struct tcpcb *) 0xf182d900) (../../netinet/tcp_output.c line 476)
(kgdb) print so
$3 = (struct socket *) 0xf180c800
(kgdb) print so->so_snd.sb_md
There is no field named sb_md.
(kgdb) print so->so_snd.sb_mb
$4 = (struct mbuf *) 0x0
(kgdb) print off
$5 = -1
(kgdb) print len
$6 = 1
(kgdb) list
471				goto out;
472			}
473			m->m_data += max_linkhdr;
474			m->m_len = hdrlen;
475			if (len <= MHLEN - hdrlen - max_linkhdr) {
476				m_copydata(so->so_snd.sb_mb, off, (int) len,
477				    mtod(m, caddr_t) + hdrlen);
478				m->m_len += len;
479			} else {
480				m->m_next = m_copy(so->so_snd.sb_mb, off, (int) len);
(kgdb) print m
$7 = (struct mbuf *) 0xf1798680
(kgdb) print *m
$8 = {m_hdr = {mh_next = 0x0, mh_nextpkt = 0x0, mh_len = 60, mh_data = 0xf17986ac "\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336", mh_type = 2, mh_flags = 2}, M_dat = {MH = {MH_pkthdr = {len = -559038242, rcvif = 0xdeadc0de}, MH_dat = {MH_ext = {ext_buf = 0xdeadc0de <Address 0xdeadc0de out of bounds>, ext_free = 0xdeadc0de, ext_size = 0xdeadc0de}, MH_databuf = {"\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\000P\005m\020)\003\217\000\0044\223P\020@\000\366\004\000\000\000\000\000\000M\000\000\000\000\000\a\361\001\001\013\006\000\000\0028\004\000\000\000\204\361\2720\006\000\000\000\006", '\000' <repeats 11 times>}}}, M_databuf = {"\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\000P\005m\020)\003\217\000\0044\223P\020@\000\366\004\000\000\000\000\000\000M\000\000\000\000\000\a\361\001\001\013\006\000\000\0028\004\000\000\000\204\361\2720\006\000\000\000\006", '\000' <repeats 11 times>}}}
(kgdb)

Fix: 

unknown. Since the panic is reached with an empty send buffer (sb_mb == NULL)
but off == -1 and len == 1, the first things to check in frame #3 are
tp->snd_una vs. tp->snd_nxt (off in tcp_output is normally snd_nxt - snd_una,
so -1 would mean snd_nxt trails snd_una by one) and so->so_snd.sb_cc, to see
whether it is the sequence-number state or the send-buffer accounting that has
gone inconsistent before the mbuf chain is touched.
How-To-Repeat: 
	I don't know what triggers it, but for some reason it has been
triggered at least 8 times today.
Comment 1 davidg 1995-12-03 21:54:12 UTC
>	Self-explanatory; crash dumps are available as
>ftp://clinet.fi/pub/FreeBSD/crashdumps/*.36.gz
>
>Current directory is /m/katiska/news/crash/
>Reading symbol data from /m/katiska/news/crash/kernel.36...done.
>IdlePTD 26d000
>panic: m_copydata
...
>	I don't know what triggers it, but for some reason it has been
>triggered at least 8 times today.

   When did it first start happening? What types of networking related things
is this machine doing? Does it serve SLIP/PPP?

-DG
Comment 2 olah freebsd_committer freebsd_triage 1996-02-09 08:47:45 UTC
State Changed
From-To: open->closed

Duplicate of kern/903 (strictly it is the other way around -- kern/903 is the later report of the same problem -- but kern/903 is already closed, so this one is closed against it).


Comment 3 olah freebsd_committer freebsd_triage 1996-02-09 08:47:45 UTC
Responsible Changed
From-To: freebsd-bugs->olah