Subject: kern/24713: ping -c 1 -s 60000 will panic if DIAGNOSTIC
To: None <gnats-bugs@gnats.netbsd.org>
From: Darrin B. Jewell <dbj@netbsd.org>
List: netbsd-bugs
Date: 03/09/2004 01:01:51
>Number:         24713
>Category:       kern
>Synopsis:       ping -c 1 -s 60000 will panic if DIAGNOSTIC
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Mar 09 06:07:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Darrin B. Jewell
>Release:        netbsd-current, updated via cvs ~20040306T0344Z
>Organization:
>Environment:
System: NetBSD  1.6ZK NetBSD 1.6ZK (GENERIC.DIAGNOSTIC) #0: Tue Mar  9 00:37:07 EST 2004
  dbj@Quiteria:/u3/ephemeral/t/obj.i386/sys/arch/i386/compile/GENERIC.DIAGNOSTIC i386
Architecture: i386
Machine: i386
>Description:

# ping -c 1 -s 60000 localhost
PING localhost (127.0.0.1): 60000 data bytes
panic: kernel diagnostic assertion "n == NULL || m->m_type == n->m_type" failed:
 file "/u3/work/t/src/sys/kern/uipc_mbuf.c", line 677
Stopped in pid 370.1 (ping) at  netbsd:cpu_Debugger+0x4:        leave
db> t
cpu_Debugger(c10e5c40,5,c,c10e2000,c10e2300) at netbsd:cpu_Debugger+0x4
panic(c0737080,c06a0f8f,c0701680,c07016c0,2a5) at netbsd:panic+0x11d
__main(c06a0f8f,c07016c0,2a5,c0701680,c1308fd8) at netbsd:__main
m_adj(c10e2000,c10e2300,8,282,c0795280) at netbsd:m_adj
ip_reass(c130802c,c10e5780,c079539c,c1308000,c10e2044) at netbsd:ip_reass+0x36e
ip_input(c10e2300,0,c10e2100,c10e2200,0) at netbsd:ip_input+0x4d1
ipintr(1583,c10e2200,0,cb4cbe5c,c037916a) at netbsd:ipintr+0x71
DDB lost frame for netbsd:Xsoftnet+0x40, trying 0xcb4cbe00
Xsoftnet() at netbsd:Xsoftnet+0x40
--- interrupt ---
0:
db> x 0xcb4cbe00-8
netbsd:usb_all_tasks+0xad09020: cb4cbe0c
db> t cb4cbe0c
sosend(c12de000,c10e2100,cb4cbea4,c10e2200,0) at netbsd:sosend+0x406
sendit(cb3e9994,3,cb4cbf14,0,cb4cbf5c) at netbsd:sendit+0x124
sys_sendto(cb3ba840,cb4cbf64,cb4cbf5c,0,cb4cbfa4) at netbsd:sys_sendto+0x54
syscall_plain() at netbsd:syscall_plain+0x7e
--- syscall (number 133) ---
0x480fa6f3:
db>

(gdb) info line *(ip_reass+0x36e)
Line 1206 of "/u3/work/t/src/sys/netinet/ip_input.c" starts at address 0xc01258ba <ip_reass+878>
   and ends at 0xc01258c3 <ip_reass+887>.
(gdb) list *(ip_reass+0x36e)
0xc01258ba is in ip_reass (/u3/work/t/src/sys/netinet/ip_input.c:1206).
1201            t = m->m_next;
1202            m->m_next = 0;
1203            m_cat(m, t);
1204            nq = TAILQ_NEXT(q, ipqe_q);
1205            pool_put(&ipqent_pool, q);
1206            for (q = nq; q != NULL; q = nq) {
1207                    t = q->ipqe_m;
1208                    nq = TAILQ_NEXT(q, ipqe_q);
1209                    pool_put(&ipqent_pool, q);
1210                    m_cat(m, t);
(gdb) list /u3/work/t/src/sys/kern/uipc_mbuf.c:677
672      */
673     void
674     m_cat(struct mbuf *m, struct mbuf *n)
675     {
676     
677             KASSERT(n == NULL || m->m_type == n->m_type);
678     
679             while (m->m_next)
680                     m = m->m_next;
681             while (n) {
(gdb) info line *(sosend+0x406)
Line 168 of "intr.h" starts at address 0xc0379161 <sosend+1021> and ends at 0xc0379172 <sosend+1038>.
(gdb) info line *(sosend+1020)
Line 814 of "/u3/work/t/src/sys/kern/uipc_socket.c" starts at address 0xc0379139 <sosend+981>
   and ends at 0xc0379161 <sosend+1021>.
(gdb) list *(sosend+1020)
0xc0379160 is in sosend (/u3/work/t/src/sys/kern/uipc_socket.c:814).
809     
810      release:
811             sbunlock(&so->so_snd);
812      out:
813             if (top)
814                     m_freem(top);
815             if (control)
816                     m_freem(control);
817             return (error);
818     }
(gdb) 

>How-To-Repeat:
Compile a kernel with the DIAGNOSTIC option turned on.
Run 'ping -c 1 -s 60000 localhost'.

The same thing occurs if I ping the IP address of a local
tlp(4) interface.

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: