Subject: kern/7831: panic: m_copydata
To: None <gnats-bugs@gnats.netbsd.org>
From: None <bouyer@asim.lip6.fr>
List: netbsd-bugs
Date: 06/22/1999 02:22:50
>Number:         7831
>Category:       kern
>Synopsis:       panic: m_copydata
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jun 22 02:20:00 1999
>Last-Modified:
>Originator:     Manuel Bouyer
>Organization:
	LIP6, universite paris VI
>Release:        NetBSD 1.4 + in-var patch
>Environment:

System: NetBSD asim-gw 1.4 NetBSD 1.4 (GW) #5: Thu Jun 17 18:34:40 MEST 1999 root@asim-gw:/usr/src/sys/arch/i386/compile/GW i386


>Description:
	This box is my router. It does some NAT + ftp proxy.
	Tonight it panicked with "panic: m_copydata". The stack trace
	is:
(gdb) where
#0  0xf012a4c5 in m_copypacket (m=0xf6a52c3c, how=-156947408)
    at ../../../../kern/uipc_mbuf.c:401
#1  0xf017dae7 in cpu_reboot (howto=256, bootstr=0x0)
    at ../../../../arch/i386/i386/machdep.c:1350
#2  0xf011e8b8 in log (can not access 0xfffffffc, invalid translation (invalid PDE)
can not access 0xfffffffc, invalid translation (invalid PDE)
can not access 0xfffffffc, invalid translation (invalid PDE)
can not access 0xfffffffc, invalid translation (invalid PDE)
level=-267213627, 
    fmt=0xfffffffc <Address 0xfffffffc out of bounds>)
    at ../../../../kern/subr_prf.c:212
#3  0xf012a502 in m_copydata (m=0xf0401328, off=60, len=52, cp=0xf6a52cfc "")
    at ../../../../kern/uipc_mbuf.c:420
#4  0xf015ad05 in ippr_ftp_pasvmsg (fin=0xf6a52de4, ip=0xf61bc810, 
    tcp=0xf61bc824, nat=0xf043f800) at ../../../../netinet/ip_ftp_pxy.c:282
#5  0xf015ad59 in ippr_ftp_in (fin=0xf6a52de4, ip=0xf61bc810, aps=0xf043d200, 
    nat=0xf043f800) at ../../../../netinet/ip_ftp_pxy.c:423
#6  0xf015afa4 in ap_check (ip=0xf61bc810, fin=0xf6a52de4, nat=0xf043f800)
    at ../../../../netinet/ip_proxy.c:227
#7  0xf0159a04 in ip_natin (ip=0xf61bc810, hlen=20, fin=0xf6a52de4)
    at ../../../../netinet/ip_nat.c:1230
#8  0xf0157b7b in fr_check (ip=0xf61bc810, hlen=20, ifp=0xf038c030, out=0, 
    mp=0xf6a52e64) at ../../../../netinet/fil.c:672
#9  0xf01499ba in ipintr () at ../../../../netinet/ip_input.c:399

	Note the "invalid translation (invalid PDE)" messages.

(gdb) up
#3  0xf012a502 in m_copydata (m=0xf0401328, off=60, len=52, cp=0xf6a52cfc "")
    at ../../../../kern/uipc_mbuf.c:420
420                             panic("m_copydata");

This is:
        while (off > 0) {
                if (m == 0)
                        panic("m_copydata");
                if (off < m->m_len)
                        break;
                off -= m->m_len;
                m = m->m_next;
        }


(gdb) print *m
can not access 0x0, invalid translation (invalid PDE)
can not access 0x0, invalid translation (invalid PDE)
Cannot access memory at address 0x0.

It really panicked because m==0.

(gdb) print *(struct mbuf*)0xf0401328
$1 = {m_hdr = {mh_next = 0x0, mh_nextpkt = 0x0, mh_data = 0xf61bc810 "E8", 
    mh_len = 56, mh_type = 1, mh_flags = 11}, M_dat = {MH = {MH_pkthdr = {
        rcvif = 0xf038c030, len = 56}, MH_dat = {MH_ext = {
          ext_buf = 0xf61bc800 "", ext_free = 0, ext_arg = 0x0, 
          ext_size = 2048, ext_type = -2109660797, ext_nextref = 0xf0401328, 
          ext_prevref = 0xf0401328}, 
        MH_databuf = "\000\e\000\000\000\000\000\000\000\000\000\b\000\000\203!A\202(\023@(\023@", '\000' <repeats 48 times>, "\020\020\000\000\205\017\000\000\000\220_\b\000\000P\0040\203\b\000"}}, 
    M_databuf = "088\000\000\000\000\e\000\000\000\000\000\000\000\000\000\b\000\000\203!A\202(\023@(\023@", '\000' <repeats 48 times>, "\020\020\000\000\205\017\000\000\000\220_\b\000\000P\0040\203\b\000"}}


>How-To-Repeat:
	I can't repeat it reliably. It's the first time this has happened, so
	I suspect some kind of race condition here. A missing splxxx()
	somewhere?
>Fix:
	Unknown, unfortunately. I hope someone who understands the mbuf struct
	better than I do can tell whether the mbuf passed to m_copydata is
	correct or not.
>Audit-Trail:
>Unformatted:
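The report's dump shows a single mbuf with mh_len = 56 (and MH_pkthdr.len = 56) handed to m_copydata with off=60, len=52, so the first loop quoted above runs off the end of the chain and hits m == 0. The following is an added example, not part of the bug report or of the NetBSD source: it walks a chain the way that loop does but returns a boolean instead of panicking, which is the check a caller such as the ftp proxy would want before asking m_copydata for bytes past the packet. `struct xmbuf`, `copy_in_bounds` and the two sample chains are hypothetical stand-ins constructed to match the numbers in the dump.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the mbuf chain, constructed for this example (the real
 * NetBSD struct mbuf has many more fields): only what the loop touches. */
struct xmbuf {
    struct xmbuf *m_next;   /* next mbuf in the chain, NULL at the end */
    int           m_len;    /* bytes of data held by this mbuf */
};

/* Walks the chain the way m_copydata does, but returns false where the
 * kernel would panic: true only if bytes [off, off+len) all exist. */
bool copy_in_bounds(const struct xmbuf *m, int off, int len)
{
    if (off < 0 || len < 0)
        return false;
    while (off > 0) {               /* first loop: skip 'off' bytes */
        if (m == NULL)
            return false;           /* the "panic: m_copydata" case */
        if (off < m->m_len)
            break;
        off -= m->m_len;
        m = m->m_next;
    }
    while (len > 0) {               /* second loop: consume 'len' bytes */
        if (m == NULL)
            return false;           /* chain ended before len was satisfied */
        int avail = m->m_len - off;
        len -= avail < len ? avail : len;
        off = 0;
        m = m->m_next;
    }
    return true;
}

/* The reporter's packet: a single 56-byte mbuf (mh_len = 56), which the
 * ftp proxy asked m_copydata to read at off=60, len=52. */
struct xmbuf report_mbuf = { NULL, 56 };
/* The same 56 bytes split over two mbufs, to exercise the m_next walk. */
struct xmbuf seg2 = { NULL, 16 };
struct xmbuf seg1 = { &seg2, 40 };

int main(void)
{
    printf("off=60 len=52 on a 56-byte mbuf: %s\n",
           copy_in_bounds(&report_mbuf, 60, 52) ? "in bounds" : "past end");
    printf("off=20 len=30 on a 56-byte mbuf: %s\n",
           copy_in_bounds(&report_mbuf, 20, 30) ? "in bounds" : "past end");
    return 0;
}
```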