Subject: kern/25227: panic: m_copydata - in ipf logging during initial ifconfig
To: None <gnats-bugs@gnats.NetBSD.org>
From: Frank Kardel <kardel@pip.acrys.com>
List: netbsd-bugs
Date: 04/18/2004 16:33:30
>Number:         25227
>Category:       kern
>Synopsis:       panic: m_copydata - in ipf logging during initial ifconfig
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Apr 18 14:34:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Frank Kardel
>Release:        NetBSD 2.0C
>Organization:
	
>Environment:
-current level: current-20040418-112850
System: NetBSD pip 2.0C NetBSD 2.0C (SYSPIP_ISDN) #1: Sun Apr 18 13:10:20 MEST 2004 kardel@pip:/src/NetBSD/netbsd/sys/arch/i386/compile/obj.i386/SYSPIP_ISDN i386
Architecture: i386
Machine: i386
>Description:
	During /etc/rc the system panics when configuring bge0 with
	panic: m_copydata
	in ipfilter logging routines.

Stacktrace:
[...crash junk...]
#18 0xc02a3dd9 in panic (fmt=0x1 <Address 0x1 out of bounds>)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/kern/subr_prf.c:226
#19 0xc02b6148 in m_copydata (m=0x0, off=0, len=48, 
    cp=0xc1a44164 "\235\2300\230@\236\230\220\230\020\237\230 \224")
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/kern/uipc_mbuf.c:665
#20 0xc012e56b in ipllog (dev=0, fin=0xc1a44100, items=0xcc2135dc, 
    itemsz=0xcc2135d4, types=0xcc2135cc, cnt=2)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netinet/ip_log.c:490
#21 0xc012e327 in ipflog (fin=0xcc2136a4, flags=1073758225)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netinet/ip_log.c:393
#22 0xc0127e0b in fr_dolog (fin=0xcc2136a4, passp=0xcc2136a0)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netinet/fil.c:2551
#23 0xc0127918 in fr_check (ip=0xcc2136a0, hlen=40, ifp=0xcc213288, out=1, 
    mp=0xcc2137ac)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netinet/fil.c:2362
#24 0xc012ba23 in fr_check_wrapper6 (arg=0x0, mp=0x0, ifp=0xc1854034, dir=2)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netinet/ip_fil_netbsd.c:183
#25 0xc02f3807 in pfil_run_hooks (ph=0x0, mp=0xcc213838, ifp=0xc1854034, dir=2)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/net/pfil.c:69
#26 0xc014df39 in ip6_output (m0=0xc1650101, opt=0xc04b59a0, ro=0xcc2138f4, 
    flags=1, im6o=0xcc213964, so=0xc16501d8, ifpp=0x0)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netinet6/ip6_output.c:810
#27 0xc0151371 in mld6_sendpkt (in6m=0xc1673f80, type=131, dst=0x0)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netinet6/mld6.c:508
#28 0xc0150b07 in mld6_start_listening (in6m=0xc1673f80)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netinet6/mld6.c:189
#29 0xc0144f55 in in6_addmulti (maddr6=0xcc213c0c, ifp=0xc1854034, 
    errorp=0xcc213b80)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netinet6/in6.c:1897
#30 0xc0145265 in in6_joingroup (ifp=0xc1854034, addr=0xcc213c0c, 
    errorp=0xcc213b80)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netinet6/in6.c:1969
#31 0xc0143881 in in6_update_ifa (ifp=0xc1854034, ifra=0xcc213d14, 
    ia=0xc1a47100)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netinet6/in6.c:1082
#32 0xc0146283 in in6_ifattach_linklocal (ifp=0xc1854034, altifp=0x0)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netinet6/in6_ifattach.c:387
#33 0xc01466e4 in in6_ifattach (ifp=0xc1854034, altifp=0x0)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netinet6/in6_ifattach.c:653
#34 0xc0145b6e in in6_if_up (ifp=0xc1854034)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netinet6/in6.c:2634
#35 0xc02d86cf in ifioctl (so=0xc1636000, cmd=2151704858, 
    data=0xcc213ea4 "bge0", p=0xcc19ecc4)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/net/if.c:1601
#36 0xc02a7d0e in sys_ioctl (l=0xc16638e0, v=0xcc213f64, retval=0xcc213f5c)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/kern/sys_generic.c:612
#37 0xc033993e in syscall_plain (frame=0xcc213fa8)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/arch/i386/i386/syscall.c:156

mbufs related to this:
(gdb) print **(struct mbuf **)0xcc213838
$25 = {m_hdr = {mh_next = 0xc1650300, mh_nextpkt = 0x0, 
    mh_data = 0xc16501d8 "`", mh_owner = 0x802, mh_len = 0, mh_flags = 512, 
    mh_paddr = 95281408, mh_type = 2}, M_dat = {MH = {MH_pkthdr = {
        rcvif = 0x0, tags = {slh_first = 0x0}, len = 72, csum_flags = 0, 
        csum_data = 0}can not access 0x802, invalid translation (invalid PTE)
can not access 0x802, invalid translation (invalid PTE)
can not access 0x802, invalid translation (invalid PTE)
can not access 0x802, invalid translation (invalid PTE)
can not access 0x802, invalid translation (invalid PTE)
can not access 0x802, invalid translation (invalid PTE)
, MH_dat = {MH_ext = {
          ext_buf = 0x802 <Address 0x802 out of bounds>, ext_free = 0x802, 
          ext_arg = 0x802, ext_size = 2050, ext_type = 0x802, 
          ext_nextref = 0x802, ext_prevref = 0x802, ext_un = {
            extun_paddr = 2050, extun_pgs = {0x802 <repeats 17 times>}}}, 
        MH_databuf = "\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0`\0\0\0\0 \0\001", '\0' <repeats 16 times>, "\002\0\0\0\0\0\0\0\0\0\0014o"}}, 
    M_databuf = "\0\0\0\0\0\0\0\0H", '\0' <repeats 11 times>, "\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0`\0\0\0\0 \0\001", '\0' <repeats 16 times>, "\002\0\0\0\0\0\0\0\0\0\0014o"}}
(gdb) print *$25.m_hdr.mh_next
$26 = {m_hdr = {mh_next = 0x0, mh_nextpkt = 0x0, mh_data = 0xc1650320 "\203", 
    mh_owner = 0x802, mh_len = 24, mh_flags = 0, mh_paddr = 95281920, 
    mh_type = 1}, M_dat = {MH = {MH_pkthdr = {rcvif = 0xde150083, tags = {
          slh_first = 0x0}, len = 767, csum_flags = 0, csum_data = 33554432}, 
can not access 0x607ac13a, invalid translation (invalid PDE)
can not access 0x607ac13a, invalid translation (invalid PDE)
can not access 0x607ac13a, invalid translation (invalid PDE)
can not access 0x607ac13a, invalid translation (invalid PDE)
can not access 0x607ac13a, invalid translation (invalid PDE)
can not access 0x607ac13a, invalid translation (invalid PDE)
      MH_dat = {MH_ext = {
          ext_buf = 0x607ac13a <Address 0x607ac13a out of bounds>, 
          ext_free = 0x802, ext_arg = 0x802, ext_size = 2050, 
          ext_type = 0x802, ext_nextref = 0x802, ext_prevref = 0x802, 
          ext_un = {extun_paddr = 2050, extun_pgs = {0x802, 0x802, 0x802, 
              0x404, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x404, 0x404, 0x802, 0x404, 
              0x404, 0x404, 0x802}}}, 
        MH_databuf = ":z`\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\004\004\0\0\001\0\0\0\001\0\0\0\001\0\0\0\001\0\0\0\001\0\0\0\001\0\0\0\004\004\0\0\004\004\0\0\002\b\0\0\004\004\0\0\004\004\0\0\004\004\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\004\004\0"}}, 
    M_databuf = "\203\0\025\0\0\0\0\002\0\0\0\0\0\0\0\0\0\002:z`\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\004\004\0\0\001\0\0\0\001\0\0\0\001\0\0\0\001\0\0\0\001\0\0\0\001\0\0\0\004\004\0\0\004\004\0\0\002\b\0\0\004\004\0\0\004\004\0\0\004\004\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\002\b\0\0\004\004\0"}}

	Kernel is configured with IPFILTER_DEFAULT_BLOCK.

>How-To-Repeat:
	boot current-20040418-112850 on a system with a bge interface and ipfilter enabled (rc.conf ipfilter=YES, ipmon=YES)
	and watch it panic: m_copydata during the interface initialization phase.

	If you enable ipfilter later, you run into the panic during shutdown.

>Fix:
	check ipv6 multicast packet wrt. ipfilter.
>Release-Note:
>Audit-Trail:
>Unformatted:
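An added example, not code from this report or from NetBSD: a small C model of an mbuf chain with a copy routine that returns an error instead of panicking when the mbuf pointer is NULL or the chain holds fewer bytes than requested, which is the condition frame #19 above shows (m_copydata(m=0x0, off=0, len=48) called from the ipfilter logging path). The names checked_copydata, log_packet_header and the sample chain are constructed for this illustration.

```c
#include <stddef.h>
#include <string.h>

/* Minimal model of a NetBSD mbuf chain (constructed for this example). */
struct mbuf {
    struct mbuf *m_next;   /* next buffer in the chain */
    char        *m_data;   /* start of this buffer's payload */
    int          m_len;    /* bytes of payload in this buffer */
};

/* Copy len bytes starting at offset off of the chain into cp.
 * Returns 0 on success and -1 when m is NULL or the chain holds fewer
 * than off + len bytes; the kernel's m_copydata() panics in both cases. */
int checked_copydata(const struct mbuf *m, int off, int len, void *cp)
{
    char *dst = cp;
    if (m == NULL || off < 0 || len < 0) return -1;
    while (off > 0) {                 /* skip whole buffers before off */
        if (m == NULL) return -1;
        if (off < m->m_len) break;
        off -= m->m_len;
        m = m->m_next;
    }
    while (len > 0) {                 /* copy across buffer boundaries */
        if (m == NULL) return -1;     /* chain shorter than requested */
        int n = m->m_len - off;
        if (n > len) n = len;
        memcpy(dst, m->m_data + off, n);
        dst += n; len -= n; off = 0;
        m = m->m_next;
    }
    return 0;
}

/* Logging step modelled on the trace: fetch the first hdrlen bytes of the
 * packet for a log record, failing instead of dereferencing a NULL mbuf. */
int log_packet_header(const struct mbuf *m, int hdrlen, char *buf, size_t buflen)
{
    if (hdrlen < 0 || (size_t)hdrlen > buflen)
        return -1;
    return checked_copydata(m, 0, hdrlen, buf);
}

/* Constructed sample chain: 20 bytes followed by 24 bytes (44 in total). */
static char seg1[] = "ABCDEFGHIJKLMNOPQRST";
static char seg2[] = "abcdefghijklmnopqrstuvwx";
struct mbuf sample_m2 = { NULL, seg2, 24 };
struct mbuf sample_m1 = { &sample_m2, seg1, 20 };
```

Asking for 48 bytes from the 44-byte sample chain fails the same way a NULL chain does, so a logging routine built on this check drops the log record rather than taking the machine down.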