Subject: kern/1290: crash in tcp_reass
To: None <gnats-bugs@gnats.netbsd.org>
From: John Kohl <jtk@kolvir.blrc.ma.us>
List: netbsd-bugs
Date: 07/27/1995 21:10:36
>Number:         1290
>Category:       kern
>Synopsis:       tcp_reass faulted on bogus q->ti_prev;
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jul 27 21:35:02 1995
>Last-Modified:
>Originator:     John Kohl
>Organization:
NetBSD Kernel Hackers `R` Us
>Release:        -current as of July 27 1995
>Environment:
	
System: NetBSD kolvir 1.0A NetBSD 1.0A (KOLVIR) #618: Tue Jul 25 18:50:28 EDT 1995 jtk@pattern:/u1/NetBSD-current/src/sys/arch/i386/compile/KOLVIR i386


>Description:
I got a kernel page fault in tcp_reass on a fresh i386 kernel running PPP.

kernel: page fault trap, code=0
Stopped at      _tcp_reass+0x48:        movswl  0xa(%ebx),%eax
db> tr
_tcp_reass(f87ed800,f87ee720,f87ee700,f87ee720,f87ee700) at _tcp_reass+0x48
_tcp_input(f87ee700,14) at _tcp_input+0x1272
_ipintr(7e,8000001a,f81e9a90,f8149698,f81e9a90) at _ipintr+0x394
_Xsoftnet() at _Xsoftnet+0x2d
--- interrupt ---
Bad frame pointer: 0xf86f50b8
_compoll:
db> show reg
es                0x10
ds                0x10
edi         0xf87ed800  _end+0x5daac0
esi         0xf87ee720  _end+0x5db9e0
ebp         0xf9a8ec88  _end+0x187bf48
ebx          0x2000000
edx         0xf87ee700  _end+0x5db9c0
ecx         0xf87ed800  _end+0x5daac0
eax         0x276f2f4f
eip         0xf8159b2c  _tcp_reass+0x48
cs                 0x8
eflags         0x10207
esp         0xf9a8ec74  _end+0x187bf34
ss                0x10
_tcp_reass+0x48:        movswl  0xa(%ebx),%eax
db> 

I looked over the tcp reassembly code and the stack trace.  I couldn't
figure out exactly what went wrong where, but it looks like 
q->ti_prev is bogus (0x2000000) in the tcp segment in question.

The call from tcp_input() is from the TCP_REASS() macro call to tcp_reass().

>How-To-Repeat:

I was using PPP on a 56k line.  Maybe this is related to interrupt
masking problems?

>Fix:
	
>Audit-Trail:
>Unformatted:
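Editor's note appended to the archived report. The code below is an added illustration, not NetBSD's tcp_reass(). In the 4.4BSD-derived reassembly code this report concerns, tcp_reass() walks the tcpcb's seg_next/seg_prev ring of queued tcpiphdr segments until it finds the first one starting after the new segment, then steps back with q = q->ti_prev and reads q->ti_len to measure the overlap with the predecessor. The register dump fits that reading: in struct tcpiphdr the ti_len field (ipovly ih_len) sits at offset 0xa, after ih_next, ih_prev, ih_x1 and ih_pr, and %ebx, the q dereferenced by "movswl 0xa(%ebx),%eax", holds the 0x2000000 the report points at. The model reproduces the queue walk and overlap trimming on a constructed list of segments and adds a back-link check that the kernel's walk does not perform, so a stray ti_prev is reported by queue position instead of being followed. Field and member names mirror the kernel's (ti_next, ti_prev, ti_seq, ti_len, seg_next, seg_prev); the struct layouts are simplified, and the segment values and the 0x2000000 poisoning are constructed for the example.

```c
/*
 * Simplified model of the 4.4BSD tcp_reass() segment queue.  Added example,
 * not NetBSD code: names follow struct tcpiphdr/tcpcb, the rest is reduced to
 * what the reassembly walk touches.
 */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t tcp_seq;
#define SEQ_GT(a, b) ((int32_t)((a) - (b)) > 0)

struct seg {                 /* stands in for struct tcpiphdr */
    struct seg *ti_next;     /* ipovly ih_next */
    struct seg *ti_prev;     /* ipovly ih_prev */
    tcp_seq     ti_seq;
    short       ti_len;      /* ipovly ih_len, offset 0xa in the real header */
};

struct tcpcb {               /* seg_next/seg_prev lead the real tcpcb as well */
    struct seg *seg_next;
    struct seg *seg_prev;
};
#define HEAD(tp) ((struct seg *)(tp))   /* the tcpcb itself is the ring head */

static void reass_init(struct tcpcb *tp) { tp->seg_next = tp->seg_prev = HEAD(tp); }

/* Insert ti in sequence order, trimming overlap with its predecessor and
 * trimming or unlinking successors it covers, as tcp_reass() does.  Returns
 * bytes trimmed off the front of ti, or -1 if ti was a pure duplicate.
 * Unlinked nodes remain owned by the caller (the kernel would m_freem them). */
static int reass_insert(struct tcpcb *tp, struct seg *ti) {
    struct seg *q;
    int trimmed = 0;

    for (q = tp->seg_next; q != HEAD(tp); q = q->ti_next)  /* first seg after ti */
        if (SEQ_GT(q->ti_seq, ti->ti_seq))
            break;
    if (q != tp->seg_next) {
        /* Step back to the predecessor: the q->ti_prev load the report names,
         * immediately followed by the q->ti_len read that faulted. */
        q = q->ti_prev;
        int i = q->ti_seq + q->ti_len - ti->ti_seq;
        if (i > 0) {
            if (i >= ti->ti_len)
                return -1;
            ti->ti_seq += i; ti->ti_len -= i; trimmed = i;
        }
        q = q->ti_next;
    }
    while (q != HEAD(tp)) {                    /* overlap with successors */
        int i = (ti->ti_seq + ti->ti_len) - q->ti_seq;
        if (i <= 0) break;
        if (i < q->ti_len) { q->ti_seq += i; q->ti_len -= i; break; }
        struct seg *nq = q->ti_next;           /* fully covered: remque(q) */
        q->ti_prev->ti_next = nq; nq->ti_prev = q->ti_prev;
        q = nq;
    }
    ti->ti_next = q; ti->ti_prev = q->ti_prev; /* insque(ti, q->ti_prev) */
    q->ti_prev->ti_next = ti; q->ti_prev = ti;
    return trimmed;
}

/* Verify the invariant tcp_reass() assumes when it does q = q->ti_prev: each
 * node's ti_prev names the node that led to it.  Returns 0 if the ring is
 * sane, -1 if the tail link is wrong, else the 1-based position of the first
 * node whose ti_prev is wrong; a stray value like 0x2000000 is compared, never
 * dereferenced.  max_nodes bounds the walk so a looping ti_next cannot hang
 * us, but a bogus ti_next cannot be validated without a node pool. */
static int reass_check(const struct tcpcb *tp, int max_nodes) {
    const struct seg *prev = HEAD(tp), *q = tp->seg_next;
    int pos = 1;
    for (; q != HEAD(tp) && pos <= max_nodes; q = q->ti_next, pos++) {
        if (q->ti_prev != prev) return pos;
        prev = q;
    }
    if (q != HEAD(tp)) return pos;             /* budget exceeded */
    return tp->seg_prev == prev ? 0 : -1;
}

/* Constructed scenario: three in-order segments, one out-of-order segment
 * overlapping its successor by 50 bytes, then a ti_prev overwritten with the
 * value from the register dump. */
static struct seg segs[4];
static struct tcpcb tp;

static void build_queue(void) {
    struct seg init[4] = { { 0, 0, 1000, 100 }, { 0, 0, 1300, 100 },
                           { 0, 0, 1400, 100 }, { 0, 0, 1250, 100 } };
    reass_init(&tp);
    for (int i = 0; i < 4; i++) { segs[i] = init[i]; reass_insert(&tp, &segs[i]); }
}

static int demo_overlap_trim(void) {   /* segs[1] is trimmed to 50 bytes at 1350 */
    build_queue();
    return reass_check(&tp, 16) == 0 ? segs[1].ti_len : -1;
}

static int demo_corrupt_prev(void) {   /* the check names position 4 (segs[2]) */
    build_queue();
    segs[2].ti_prev = (struct seg *)(uintptr_t)0x2000000;
    return reass_check(&tp, 16);
}

int main(void) {
    printf("trimmed successor length: %d\n", demo_overlap_trim());
    printf("corrupt ti_prev found at queue position %d\n", demo_corrupt_prev());
    return 0;
}
```

Run with "cc -std=c99 -Wall reass_model.c && ./a.out". The check only confirms the ti_prev back-links, which is the field this report says was bogus; it cannot vouch for a corrupt ti_next, and in the kernel a walk like this at the top of tcp_reass() would only tell you the ring was already damaged on entry, not who damaged it.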