Subject: Re: kern/34212
To: None <gnats-bugs@netbsd.org, kern-bug-people@netbsd.org,>
From: Martti Kuparinen <martti.kuparinen@iki.fi>
List: netbsd-bugs
Date: 10/27/2006 09:15:04
# dmesg -M netbsd.9.core
--- trap (number 6) ---
fr_checkicmp6matchingstate(c0894960,0,28,c0894960,8) at
netbsd:fr_checkicmp6matchingstate+0x95
fr_stlookup(c0894960,c1f71ff8,c0894928,0,c0894960) at netbsd:fr_stlookup+0x2c4
fr_checkstate(c0894960,c089495c,c0894960,1,6) at netbsd:fr_checkstate+0x21f
fr_check(c1f71fd0,28,c1b7304c,1,c0894a68) at netbsd:fr_check+0x4bd
fr_check_wrapper6(0,c0894a68,c1b7304c,2,c1b7304c) at netbsd:fr_check_wrapper6+0x23
pfil_run_hooks(c07cdfe0,c0894af4,c1b7304c,2,a7e70360) at netbsd:pfil_run_hooks+0x6e
ip6_output(c1f71f00,0,c0894bb0,4,0) at netbsd:ip6_output+0x891
icmp6_reflect(c1f71f00,28,1,8000000,cb3ce016) at netbsd:icmp6_reflect+0x287
icmp6_error(c1dac800,2,0,500,0) at netbsd:icmp6_error+0x1b8
ip6_forward(c28a7200,0,c1b7304c,1,c1b73da8) at netbsd:ip6_forward+0x47d
ip6_input(c28a7200,0,0,246,0) at netbsd:ip6_input+0x499
ip6intr(bfd90010,70030,a67a0010,10,c0891000) at netbsd:ip6intr+0x76
DDB lost frame for netbsd:Xsoftnet+0x4e, trying 0xc0894e60
Xsoftnet() at netbsd:Xsoftnet+0x4e
--- interrupt ---

# gdb /var/crash/netbsd.9
(gdb) target kcore /var/crash/netbsd.9.core

> Please provide a disassembly of fr_checkicmp6matchingstate from +0x0 to +0xa0

(gdb) p fr_checkicmp6matchingstate
$1 = {<text variable, no debug info>} 0xc0145778 <fr_checkicmp6matchingstate>
(gdb) disassemble fr_checkicmp6matchingstate 0xc0145818
Dump of assembler code from 0xc0145778 to 0xc0145818:
0xc0145778 <fr_checkicmp6matchingstate>:        push   %ebp
0xc0145779 <fr_checkicmp6matchingstate+1>:      mov    %esp,%ebp
0xc014577b <fr_checkicmp6matchingstate+3>:      push   %edi
0xc014577c <fr_checkicmp6matchingstate+4>:      push   %esi
0xc014577d <fr_checkicmp6matchingstate+5>:      push   %ebx
0xc014577e <fr_checkicmp6matchingstate+6>:      sub    $0xec,%esp
0xc0145784 <fr_checkicmp6matchingstate+12>:     mov    0x8(%ebp),%edx
0xc0145787 <fr_checkicmp6matchingstate+15>:     movzbl 0x4(%edx),%eax
0xc014578b <fr_checkicmp6matchingstate+19>:     and    $0xf,%eax
0xc014578e <fr_checkicmp6matchingstate+22>:     cmp    $0x6,%eax
0xc0145791 <fr_checkicmp6matchingstate+25>:
    jne    0xc01458fc <fr_checkicmp6matchingstate+388>
0xc0145797 <fr_checkicmp6matchingstate+31>:     mov    0x6c(%edx),%edx
0xc014579a <fr_checkicmp6matchingstate+34>:     cmp    $0x2f,%edx
0xc014579d <fr_checkicmp6matchingstate+37>:
    jle    0xc01458fc <fr_checkicmp6matchingstate+388>
0xc01457a3 <fr_checkicmp6matchingstate+43>:     mov    0x8(%ebp),%ebx
0xc01457a6 <fr_checkicmp6matchingstate+46>:     mov    0x64(%ebx),%ebx
0xc01457a9 <fr_checkicmp6matchingstate+49>:     mov    %ebx,0xffffff24(%ebp)
0xc01457af <fr_checkicmp6matchingstate+55>:     movzbl (%ebx),%eax
0xc01457b2 <fr_checkicmp6matchingstate+58>:     dec    %eax
0xc01457b3 <fr_checkicmp6matchingstate+59>:     xor    %ecx,%ecx
0xc01457b5 <fr_checkicmp6matchingstate+61>:     cmp    $0x3,%eax
0xc01457b8 <fr_checkicmp6matchingstate+64>:
    ja     0xc01458fe <fr_checkicmp6matchingstate+390>
0xc01457be <fr_checkicmp6matchingstate+70>:     mov    %ebx,%edi
0xc01457c0 <fr_checkicmp6matchingstate+72>:     add    $0x8,%edi
0xc01457c3 <fr_checkicmp6matchingstate+75>:     cmp    $0x27,%edx
0xc01457c6 <fr_checkicmp6matchingstate+78>:
    jbe    0xc01458fe <fr_checkicmp6matchingstate+390>
0xc01457cc <fr_checkicmp6matchingstate+84>:     mov    0xffffff2c(%ebp),%al
0xc01457d2 <fr_checkicmp6matchingstate+90>:     and    $0xfffffff0,%eax
0xc01457d5 <fr_checkicmp6matchingstate+93>:     mov    0x8(%ebp),%esi
0xc01457d8 <fr_checkicmp6matchingstate+96>:     or     $0x6,%eax
0xc01457db <fr_checkicmp6matchingstate+99>:     mov    (%esi),%edx
0xc01457dd <fr_checkicmp6matchingstate+101>:    mov    %al,0xffffff2c(%ebp)
0xc01457e3 <fr_checkicmp6matchingstate+107>:    xor    %eax,%eax
0xc01457e5 <fr_checkicmp6matchingstate+109>:    cmpl   $0x0,0x40(%esi)
0xc01457e9 <fr_checkicmp6matchingstate+113>:    sete   %al
0xc01457ec <fr_checkicmp6matchingstate+116>:    mov    %eax,0xffffff68(%ebp)
0xc01457f2 <fr_checkicmp6matchingstate+122>:    mov    0x68(%esi),%ax
0xc01457f6 <fr_checkicmp6matchingstate+126>:    mov    %edx,0xffffff28(%ebp)
0xc01457fc <fr_checkicmp6matchingstate+132>:    movl   $0x0,0xffffffbc(%ebp)
0xc0145803 <fr_checkicmp6matchingstate+139>:    movl   $0x0,0xffffffb8(%ebp)
0xc014580a <fr_checkicmp6matchingstate+146>:    sub    $0x8,%eax
0xc014580d <fr_checkicmp6matchingstate+149>:    mov    0x4(%edi),%bx
0xc0145811 <fr_checkicmp6matchingstate+153>:    mov    %ax,0x4(%edi)
0xc0145815 <fr_checkicmp6matchingstate+157>:
    movl   $0x20000000,0xffffff58(%ebp)
End of assembler dump.

[Reading the dump against the trace: the faulting frame is
fr_checkicmp6matchingstate+0x95 = 0xc014580d, which above is
`mov 0x4(%edi),%bx`. %edi was built at +70/+72 as %ebx+8, and %ebx was loaded
at +46 from 0x64(fin) -- the same value (0xc1f71ff8) that fr_stlookup received
as its second argument and that the fr_info_t dump below reports as fin_dp.
The read is therefore at fin_dp+8+4 = 0xc1f72004, the first word past the
0xc1f72000 page boundary. fin_m is the mbuf at 0xc1f71f00 with mh_data =
0xc1f71fd0 and mh_next = 0xc1da5400; if MSIZE is 256 here (confirm), only the
8-byte ICMPv6 header is contiguous in that mbuf and the quoted inner packet
lives in the next mbuf, so this looks like the inner IPv6 header of the ICMPv6
error being dereferenced (offset 4 = ip6_plen) without first checking that the
fin_dlen bytes are contiguous (m_pullup). Trap 6 should be T_PAGEFLT on
NetBSD/i386, consistent with that. Note the path in the trace: ip6_forward ->
icmp6_error(type 2, code 0, 0x500 = 1280) -> ip6_output -> pfil -> fr_check,
i.e. a forwarded packet that provoked a Packet Too Big reply; if this analysis
holds, an unprivileged remote sender can trigger the panic on a forwarding host
running IPFilter state checking -- worth treating as a remote DoS until fixed.]

> In addition to that gdb output...print out the mblk from fin_m:
> print *(struct mbuf *)0xc2069f00

(gdb) file netbsd.gdb
Reading symbols from netbsd.gdb...done.
(gdb) print *(fr_info_t *)0xc0894960
$1 = {fin_ifp = 0xc1b7304c, fin_fi = {fi_v = 6, fi_xx = 0, fi_tos = 0,
    fi_ttl = 64, fi_p = 58, fi_optmsk = 0, fi_src = {i6 = {3088318752, 4, 0,
        16777216}, in4 = {s_addr = 3088318752}, in6 = {__u6_addr = {
          __u6_addr8 = " \001\024�\004\0\0\0\0\0\0\0\0\0\0\001",
          __u6_addr16 = {288, 47124, 4, 0, 0, 0, 0, 256}, __u6_addr32 = {
            3088318752, 4, 0, 16777216}}}, vptr = {0xb8140120, 0x4}, lptr = {
        0xb8140120, 0x4}}, fi_dst = {i6 = {3088318752, 4, 0, 822149120},
      in4 = {s_addr = 3088318752}, in6 = {__u6_addr = {
          __u6_addr8 = " \001\024�\004\0\0\0\0\0\0\0\0\0\0011", __u6_addr16 = {
            288, 47124, 4, 0, 0, 0, 0, 12545}, __u6_addr32 = {3088318752, 4,
            0, 822149120}}}, vptr = {0xb8140120, 0x4}, lptr = {0xb8140120,
        0x4}}, fi_secmsk = 0, fi_auth = 0, fi_flx = 135168, fi_tcpmsk = 0,
    fi_res1 = 0}, fin_dat = {fid_16 = {2, 0}, fid_32 = 2}, fin_out = 1,
  fin_rev = 0, fin_hlen = 40, fin_tcpf = 0 '\0', fin_icode = 0 '\0',
  fin_rule = 4294967295, fin_group = "�", '\0' <repeats 14 times>,
  fin_fr = 0x0, fin_dp = 0xc1f71ff8, fin_dlen = 1240, fin_plen = 1280,
  fin_ipoff = 0, fin_id = 96, fin_off = 0, fin_depth = 0, fin_error = 51,
  fin_nat = 0x0, fin_state = 0x0, fin_nattag = 0x0, fin_ip = 0xc1f71fd0,
  fin_mp = 0xc0894a68, fin_m = 0xc1f71f00}

(gdb) print *(struct mbuf *)0xc1f71f00
$2 = {m_hdr = {mh_next = 0xc1da5400, mh_nextpkt = 0x0,
    mh_data = 0xc1f71fd0 "`", mh_owner = 0x29726f6c, mh_len = 0, mh_flags = 2,
    mh_paddr = 287244032, mh_type = 1}, M_dat = {MH = {MH_pkthdr = {
        rcvif = 0x0, tags = {slh_first = 0x0}, len = 1280, csum_flags = 0,
        csum_data = 0, segsz = 150994944}, MH_dat = {MH_ext = {
can not access 0x5350e756, invalid translation (invalid PDE)
can not access 0x5350e756, invalid translation (invalid PDE)
can not access 0x5350e756, invalid translation (invalid PDE)
can not access 0x5350e756, invalid translation (invalid PDE)
can not access 0x5350e756, invalid translation (invalid PDE)
can not access 0x5350e756, invalid translation (invalid PDE)
          ext_buf = 0x5350e756 <Address 0x5350e756 out of bounds>,
          ext_free = 0xde6f97aa, ext_arg = 0xcec87a43, ext_size = 2721204872,
          ext_type = 0x195dab49, ext_nextref = 0xda74c69f,
          ext_prevref = 0x4dbfaac, ext_un = {extun_paddr = 3196932459,
            extun_pgs = {0xbe8d516b, 0x7233550c, 0xe780f6be, 0x6319db69,
              0x62f1bee5, 0x7d13d239, 0x6cdeb9e0, 0xb7a5fbc0, 0x949af80a,
              0x2d99a9be, 0x283e668d, 0x928ef2e8, 0xc2808900, 0x9a9f2c1,
              0xa6743bd0, 0xffef6757, 0x1b4260ea}}},
        MH_databuf =
"V�S�\227o�z�\210J2�I�]\031\237�ڬ�\004kQ\215�\fU3r��200��031c�b9�023}�l���\n�232\224��\231-\215f>(�\216\222\0\211\200��t�t�Wg��B\e�\0@J\225\206\031\001z�N�5H��J�\205I|\200��004�217�224@�003\fb�220�\0a\214\\\022�\025^\f��202`\0\0\0\004�@
\001\024�\004\0\0\0\0\0\0\0\0\0\0\001
\001\024�\004\0\0\0\0\0\0\0\0\0\0011\002\0S�0\0\005"}},
    M_databuf = "\0\0\0\0\0\0\0\0\0\005", '\0' <repeats 13 times>,
"\tV�S�\227o�z�\210J2�I�]\031\237�ڬ�\004kQ\215�\fU3r��200��031c�b9�023}�l���\n�232\224��\231-\215f>(�\216\222\0\211\200��t�t�Wg��B\e�\0@J\225\206\031\001z�N�5H��J�\205I|\200��004�217�224@�003\fb�220�\0a\214\\\022�\025^\f��202`\0\0\0\004�@
\001\024�\004\0\0\0\0\0\0\0\0\0\0\001 \001\024"...}}

[On the mbuf dump: mh_flags = 2 is presumably M_PKTHDR without M_EXT, so the
MH_ext fields (ext_buf, ext_free, ...) printed above overlay packet bytes in
MH_databuf rather than describing a real cluster; the repeated "can not access
0x5350e756" lines are gdb trying to follow those bytes as pointers, not
evidence of mbuf corruption. Also, this is fin_m (0xc1f71f00) from the dump
above rather than the 0xc2069f00 asked for in the quoted request -- the earlier
address was from a different core.]