On 06/25/2019 4:18 am, Andrey V. Elsukov wrote:
On 24.06.2019 23:10, Larry Rosenman wrote:
#5 0xffffffff828ee5b7 in ng_snd_item (item=0xfffff8021e3b4d80,
flags=0)
at /usr/src/sys/netgraph/ng_base.c:2252
It looks like you use some netgraph based ethernet interface.
The system got received ARP request and is going to send the reply,
but somehow mbuf with this ARP request has initialized m_next
pointer,
thus it is considered as a chain of mbufs.
in_arpinput() reuses received mbuf to construct the reply, but it
doesn't check that an mbut is a chain. It just sets m_len and sends
it.
Then since you have INVARIANTS in your kernel, the netgraph code
check
the actual length of the chain, and it doesn't match to m_len. It
panics.
so, is this a bug? Timing race? Other?
I think we should determine that my assumption is correct :)
Can you show the output of the following commands from the kgdb for
this
core?
(kgdb) f 7
(kgdb) p *m
(kgdb) p *m->m_next
(kgdb) fr 7
#7 0xffffffff805b1e43 in ether_output (ifp=<optimized out>,
m=0xfffff81f59eefb00, dst=0xfffffe012628d740, ro=<optimized out>) at
/usr/src/sys/net/if_ethersubr.c:430
430 if ((error = (*ng_ether_output_p)(ifp, &m)) != 0) {
(kgdb) p *m
$1 = {{m_next = 0xfffff81086c9dd00, m_slist = {sle_next =
0xfffff81086c9dd00}, m_stailq = {stqe_next = 0xfffff81086c9dd00}},
{m_nextpkt = 0x0, m_slistpkt = {sle_next = 0x0}, m_stailqpkt =
{stqe_next = 0x0}},
m_data = 0xfffff81f59eefb72
"\004\311\331c\"\207\244\272\333)f\225\b\006", m_len = 42, m_type = 1,
m_flags = 2, {{m_pkthdr = {{snd_tag = 0x0, rcvif = 0x0}, tags =
{slh_first = 0xfffff8104c530d60}, len = 42, flowid = 0, csum_flags = 0,
fibnum = 0,
numa_domain = 255 '\377', rsstype = 0 '\000', {rcv_tstmp = 0,
{l2hlen = 0 '\000', l3hlen = 0 '\000', l4hlen = 0 '\000', l5hlen = 0
'\000', spare = 0}}, PH_per = {eight = "\000\000\000\000\000\000\000",
sixteen = {0, 0, 0, 0}, thirtytwo = {0, 0}, sixtyfour = {
0}, unintptr = {0}, ptr = 0x0}, PH_loc = {eight =
"\000\000\000\000\000\000\000", sixteen = {0, 0, 0, 0}, thirtytwo = {0,
0}, sixtyfour = {0}, unintptr = {0}, ptr = 0x0}}, {m_ext = {{ext_count =
3735929054, ext_cnt = 0xdeadc0dedeadc0de},
ext_buf = 0x200000207 <error: Cannot access memory at address
0x200000207>, ext_size = 99483648, ext_type = 0, ext_flags = 0, ext_free
= 0x872263d9c9040000, ext_arg1 = 0x608956629dbbaa4, ext_arg2 =
0x200040600080100},
m_pktdat = 0xfffff81f59eefb58
"\336\300\255\336\336\300\255\336\a\002"}}, m_dat = 0xfffff81f59eefb20
""}}
(kgdb) p *m->m_next
$2 = {{m_next = 0x0, m_slist = {sle_next = 0x0}, m_stailq = {stqe_next =
0x0}}, {m_nextpkt = 0x0, m_slistpkt = {sle_next = 0x0}, m_stailqpkt =
{stqe_next = 0x0}},
m_data = 0xfffff8002144b800
"\004\002\b\n\001tWg\001tWg\001\003\003\006\255\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336",
<incomplete sequence \332>, m_len = 1372, m_type = 1, m_flags = 1,
{{m_pkthdr = {{snd_tag = 0x0,
rcvif = 0x0}, tags = {slh_first = 0x0}, len = 0, flowid = 0,
csum_flags = 0, fibnum = 0, numa_domain = 0 '\000', rsstype = 0 '\000',
{rcv_tstmp = 0, {l2hlen = 0 '\000', l3hlen = 0 '\000', l4hlen = 0
'\000', l5hlen = 0 '\000', spare = 0}}, PH_per = {
eight = "\000\000\000\000\000\000\000", sixteen = {0, 0, 0,
0}, thirtytwo = {0, 0}, sixtyfour = {0}, unintptr = {0}, ptr = 0x0},
PH_loc = {eight = "\000\000\000\000\000\000\000", sixteen = {0, 0, 0,
0}, thirtytwo = {0, 0}, sixtyfour = {0}, unintptr = {0},
ptr = 0x0}}, {m_ext = {{ext_count = 1, ext_cnt =
0xdeadc0de00000001}, ext_buf = 0xfffff8002144b800
"\004\002\b\n\001tWg\001tWg\001\003\003\006\255\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336zڭ\336",
<incomplete sequence \332>,
ext_size = 2048, ext_type = 6, ext_flags = 1, ext_free = 0x0,
ext_arg1 = 0x0, ext_arg2 = 0x0}, m_pktdat = 0xfffff81086c9dd58 "\001"}},
m_dat = 0xfffff81086c9dd20 ""}}
(kgdb)
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
