Subject: kern/18809: ping with datasize >4067 crashed local machine
To: None <gnats-bugs@gnats.netbsd.org>
From: None <werner@bit-1.de>
List: netbsd-bugs
Date: 10/26/2002 04:18:30
>Number:         18809
>Category:       kern
>Synopsis:       ping with datasize >4067 crashed local machine
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Oct 26 04:19:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Werner Backes
>Release:        -current
>Organization:
>Environment:
NetBSD twincam 1.6I NetBSD 1.6I (TWINCAM.MP) #7: Wed Oct 16 23:15:36 CEST 2002
root@twincam:/usr1/src/sys/arch/i386/compile/TWINCAM.MP i386

>Description:
When I send a ping with datasize >4067, the local machine panics:

panic: pmap_kremove: PG_PVLIST mapping for 0xcbe57000
Stopped in pid 219 (ping) at    cpu_Debugger+0x4:       movl    %ebp,%esp
db{1}> trace
cpu_Debugger(cbe57000,2,0,0,cbe58000) at cpu_Debugger+0x4
panic(c02e5260,cbe57000,cbe58,100007f,cbe59000) at panic+0xad
pmap_kremove(cbe57000,2000,cbe4cdcc,c0343994,c058d6ec,c058dd04,4,14,0,c082e000,13a4,1312d00,1,cbe4cdcc,c01c5ffc,cbe59000,2,3,2,2,2000,cbe59000,cbe57000,cbe4cd78,2eb5,4047000,cbe4ce00,c01e9321,cbe57688,13a4,cbe4ce10,c01d8392,0,13a4,0,c029355f,0,cbe4cf14,cbe4ce60,c01e9d35,c086b2e4,c033f69c,cbe4ce40,c01e6f75,0,13a4,0,2,1,cbe4cf14,10,e7a9,0,10,cbe4cf14,c01ee5f4,805efe0,c0835c14,10,c01ee652,1,cbe4cf14,cbe4ced0) at pmap_kremove+0x44
sodoloanfree(cbe57688,13a4,cbe4ce10,c01d8392,0) at sodoloanfree+0x135
sodopendfree(c086b2e4,c033f69c,cbe4ce40,c01e6f75) at sodopendfree+0xd9
sosend(c086b2e4,c0835c00,cbe4ceb0,0,0) at sosend+0x15
sendit(cbe323f4,3,cbe4cf14,0,cbe4cf78) at sendit+0x177
sys_sendto(cbe323f4,cbe4cf80,cbe4cf78,c0249b37,cbe323f4) at sys_sendto+0x58
syscall_plain(1f,1f,1f,1f,804e69c) at syscall_plain+0xbc
db{1}>

The machine is a dual Pentium Pro; the kernel is compiled with MP
support enabled.
>How-To-Repeat:
ping -s 4068 localhost
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted: