From hsu@clinet.fi  Sun Dec  3 12:19:52 1995
Received: from hauki.clinet.fi (root@hauki.clinet.fi [194.100.0.1])
          by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id MAA20980
          for <FreeBSD-gnats-submit@freebsd.org>; Sun, 3 Dec 1995 12:19:46 -0800
Received: from katiska.clinet.fi (root@katiska.clinet.fi [194.100.0.4]) by hauki.clinet.fi (8.6.12/8.6.4) with ESMTP id WAA26761 for <FreeBSD-gnats-submit@freebsd.org>; Sun, 3 Dec 1995 22:19:24 +0200
Received: (hsu@localhost) by katiska.clinet.fi (8.6.12/8.6.4) id WAA11147; Sun, 3 Dec 1995 22:19:27 +0200
Message-Id: <199512032019.WAA11147@katiska.clinet.fi>
Date: Sun, 3 Dec 1995 22:19:27 +0200
From: Heikki Suonsivu <hsu@clinet.fi>
Reply-To: hsu@clinet.fi
To: FreeBSD-gnats-submit@freebsd.org
Subject: more access to freed mbufs
X-Send-Pr-Version: 3.2

>Number:         862
>Category:       kern
>Synopsis:       more access to freed mbufs
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    olah
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Dec  3 12:20:04 PST 1995
>Closed-Date:    Fri Feb 9 00:47:45 PST 1996
>Last-Modified:  Fri Feb  9 00:51:12 PST 1996
>Originator:     Heikki Suonsivu
>Release:        FreeBSD 2.2-CURRENT i386
>Organization:
Clinet, Espoo, Finland
>Environment:

Dec  3 19:02:20 katiska /kernel: FreeBSD 2.2-CURRENT #2: Sun Nov 26 06:35:44 EET 1995
Dec  3 19:02:20 katiska /kernel:     hsu@katiska.clinet.fi:/usr/current/src/sys/compile/CLINETSERVER
Dec  3 19:02:20 katiska /kernel: CPU: 90-MHz Pentium 735\90 (Pentium-class CPU)
Dec  3 19:02:20 katiska /kernel:   Origin = "GenuineIntel"  Id = 0x524  Stepping=4
Dec  3 19:02:20 katiska /kernel:   Features=0x1bf<FPU,VME,PSE,MCE,CX8,APIC>
Dec  3 19:02:19 katiska /kernel: real memory  = 67108864 (65536K bytes)
Dec  3 19:02:19 katiska /kernel: avail memory = 62394368 (60932K bytes)
Dec  3 19:02:19 katiska /kernel: Probing for devices on the ISA bus:
Dec  3 19:02:19 katiska /kernel: vt0 at 0x60-0x6f irq 1 on motherboard
Dec  3 19:02:19 katiska /kernel: vt0: tvga 8900cl, 80/132 col, mono, 8 scr, mf2-kbd, [R3.20-b24]
Dec  3 19:02:19 katiska /kernel: ed0 at 0x280-0x29f irq 5 maddr 0xd8000 msize 16384 on isa
Dec  3 19:02:20 katiska /kernel: ed0: address 00:00:c0:cd:b9:a3, type WD8013EPC (16 bit) 
Dec  3 19:02:20 katiska /kernel: lpt0 at 0x378-0x37f irq 7 on isa
Dec  3 19:02:20 katiska /kernel: lpt0: Interrupt-driven port
Dec  3 19:02:20 katiska /kernel: lp0: TCP/IP capable interface
Dec  3 19:02:20 katiska /kernel: lpt1 not found at 0xffffffff
Dec  3 19:02:20 katiska /kernel: lpt2 not found at 0xffffffff
Dec  3 19:02:20 katiska /kernel: sio0 at 0x3f8-0x3ff irq 4 on isa
Dec  3 19:02:20 katiska /kernel: sio0: type 16550A
Dec  3 19:02:20 katiska /kernel: sio1 at 0x2f8-0x2ff irq 3 on isa
Dec  3 19:02:20 katiska /kernel: sio1: type 16550A
Dec  3 19:02:20 katiska /kernel: sio2 not found at 0x3e8
Dec  3 19:02:20 katiska /kernel: sio3 not found at 0x2e8
Dec  3 19:02:20 katiska /kernel: pca0 on isa
Dec  3 19:02:20 katiska /kernel: pca0: PC speaker audio driver
Dec  3 19:02:20 katiska /kernel: bt0 not found at 0x330
Dec  3 19:02:20 katiska /kernel: aha0 not found at 0x330
Dec  3 19:02:20 katiska /kernel: wdc0 not found at 0x1f0
Dec  3 19:02:20 katiska /kernel: fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
Dec  3 19:02:20 katiska /kernel: fdc0: NEC 72065B
Dec  3 19:02:20 katiska /kernel: fd0: 1.44MB 3.5in
Dec  3 19:02:21 katiska /kernel: mcd0: timeout getting status
Dec  3 19:02:21 katiska /kernel: mcd0 not found at 0x300
Dec  3 19:02:21 katiska /kernel: npx0 on motherboard
Dec  3 19:02:21 katiska /kernel: npx0: INT 16 interface
Dec  3 19:02:21 katiska /kernel: matcdc0 not found at 0xffffffff
Dec  3 19:02:21 katiska /kernel: matcdc1 not found at 0xffffffff
Dec  3 19:02:21 katiska /kernel: matcdc2 not found at 0xffffffff
Dec  3 19:02:21 katiska /kernel: matcdc3 not found at 0xffffffff
Dec  3 19:02:21 katiska /kernel: Probing for devices on the PCI bus:
Dec  3 19:02:21 katiska /kernel: chip0 <Intel 82434NX (Neptune) PCI cache memory controller> rev 17 on pci0:0
Dec  3 19:02:21 katiska /kernel: chip1 <Intel 82378IB PCI-ISA bridge> rev 67 on pci0:2
Dec  3 19:02:21 katiska /kernel: ncr0 <ncr 53c810 scsi> rev 2 int a irq 9 on pci0:12
Dec  3 19:02:21 katiska /kernel: ncr0 waiting for scsi devices to settle
Dec  3 19:02:21 katiska /kernel: (ncr0:0:0): "SEAGATE ST15230N 0298" type 0 fixed SCSI 2
Dec  3 19:02:21 katiska /kernel: sd0(ncr0:0:0): Direct-Access 
Dec  3 19:02:21 katiska /kernel: sd0(ncr0:0:0): FAST SCSI-2 100ns (10 Mb/sec) offset 8.
Dec  3 19:02:21 katiska /kernel: 4095MB (8386733 512 byte sectors)
Dec  3 19:02:21 katiska /kernel: sd0(ncr0:0:0): with 3992 cyls, 19 heads, and an average 110 sectors/track
Dec  3 19:02:21 katiska /kernel: (ncr0:3:0): "SEAGATE ST31200N 9348" type 0 fixed SCSI 2
Dec  3 19:02:22 katiska /kernel: sd3(ncr0:3:0): Direct-Access 
Dec  3 19:02:22 katiska /kernel: sd3(ncr0:3:0): FAST SCSI-2 100ns (10 Mb/sec) offset 8.
Dec  3 19:02:22 katiska /kernel: 1011MB (2072435 512 byte sectors)
Dec  3 19:02:22 katiska /kernel: sd3(ncr0:3:0): with 2700 cyls, 9 heads, and an average 85 sectors/track
Dec  3 19:02:22 katiska /kernel: (ncr0:4:0): "HP C1533A 9503" type 1 removable SCSI 2
Dec  3 19:02:22 katiska /kernel: st4(ncr0:4:0): Sequential-Access 
Dec  3 19:02:22 katiska /kernel: st4(ncr0:4:0): FAST SCSI-2 100ns (10 Mb/sec) offset 8.
Dec  3 19:02:22 katiska /kernel: density code 0x24, variable blocks, write-enabled
Dec  3 19:02:22 katiska /kernel: ncr1 <ncr 53c810 scsi> rev 1 int a irq 9 on pci0:14
Dec  3 19:02:22 katiska /kernel: ncr1 waiting for scsi devices to settle
Dec  3 19:02:22 katiska /kernel: (ncr1:3:0): "SEAGATE ST15230N 0168" type 0 fixed SCSI 2
Dec  3 19:02:22 katiska /kernel: sd7(ncr1:3:0): Direct-Access 
Dec  3 19:02:22 katiska /kernel: sd7(ncr1:3:0): FAST SCSI-2 100ns (10 Mb/sec) offset 8.
Dec  3 19:02:22 katiska /kernel: 4095MB (8386733 512 byte sectors)
Dec  3 19:02:22 katiska /kernel: sd7(ncr1:3:0): with 3992 cyls, 19 heads, and an average 110 sectors/track
Dec  3 19:02:22 katiska /kernel: changing root device to sd0a
Dec  3 19:02:22 katiska /kernel: new masks: bio c0000240, tty c00300ba, net c00300ba
Dec  3 19:02:22 katiska /kernel: WARNING: / was not properly dismounted.

Runs news, httpd and users.  innd has been compiled with mmap on.

>Description:

	Self-explanatory; crash dumps are available as
ftp://clinet.fi/pub/FreeBSD/crashdumps/*.36.gz

Current directory is /m/katiska/news/crash/
Reading symbol data from /m/katiska/news/crash/kernel.36...done.
IdlePTD 26d000
panic: m_copydata
current pcb at 21bd44
Reading in symbols for ../../i386/i386/machdep.c...done.
(kgdb) bt
#0  boot (howto=256) (../../i386/i386/machdep.c line 925)
#1  0xf0115367 in panic (...)
#2  0xf0120b21 in m_copydata (...)
#3  0xf015e9b5 in tcp_output (...)
#4  0xf015dc4e in tcp_input (...)
#5  0xf0156045 in ip_input:ipintr (...)
#6  0xf01c6f0d in exception:swi_net_next (-272630140)
#7  0xf01170b5 in select (...)
#8  0xf01d09f3 in syscall (...)
(kgdb) up
Reading in symbols for ../../kern/subr_prf.c...done.
#1  0xf0115367 in panic (fmt=(char *) 0xf0120af4 "m_copydata") (../../kern/subr_prf.c line 124)
124	(../../kern/subr_prf.c)
(kgdb) up
Reading in symbols for ../../kern/uipc_mbuf.c...done.
#2  0xf0120b21 in m_copydata (m=(struct mbuf *) 0x0, off=-1, len=1, cp=(char *) 0xf17986e8 "\004") (../../kern/uipc_mbuf.c line 372)
372	(../../kern/uipc_mbuf.c)
(kgdb) directory /usr/src/sys/i386/conf
Source directories searched: /m/katiska/news/crash:/usr/src/sys/i386/conf
(kgdb) up
Reading in symbols for ../../netinet/tcp_output.c...done.
#3  0xf015e9b5 in tcp_output (tp=(struct tcpcb *) 0xf182d900) (../../netinet/tcp_output.c line 476)
(kgdb) down
#2  0xf0120b21 in m_copydata (m=(struct mbuf *) 0x0, off=-1, len=1, cp=(char *) 0xf17986e8 "\004") (../../kern/uipc_mbuf.c line 372)
(kgdb) list
367		caddr_t cp;
368	{
369		register unsigned count;
370	
371		if (off < 0 || len < 0)
372			panic("m_copydata");
373		while (off > 0) {
374			if (m == 0)
375				panic("m_copydata");
376			if (off < m->m_len)
(kgdb) print off
$1 = 0
(kgdb) print len
$2 = 1
(kgdb) up
#3  0xf015e9b5 in tcp_output (tp=(struct tcpcb *) 0xf182d900) (../../netinet/tcp_output.c line 476)
(kgdb) print so
$3 = (struct socket *) 0xf180c800
(kgdb) print so->so_snd.sb_md
There is no field named sb_md.
(kgdb) print so->so_snd.sb_mb
$4 = (struct mbuf *) 0x0
(kgdb) print off
$5 = -1
(kgdb) print len
$6 = 1
(kgdb) list
471				goto out;
472			}
473			m->m_data += max_linkhdr;
474			m->m_len = hdrlen;
475			if (len <= MHLEN - hdrlen - max_linkhdr) {
476				m_copydata(so->so_snd.sb_mb, off, (int) len,
477				    mtod(m, caddr_t) + hdrlen);
478				m->m_len += len;
479			} else {
480				m->m_next = m_copy(so->so_snd.sb_mb, off, (int) len);
(kgdb) print m
$7 = (struct mbuf *) 0xf1798680
(kgdb) print *m
$8 = {m_hdr = {mh_next = 0x0, mh_nextpkt = 0x0, mh_len = 60, mh_data = 0xf17986ac "\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336", mh_type = 2, mh_flags = 2}, M_dat = {MH = {MH_pkthdr = {len = -559038242, rcvif = 0xdeadc0de}, MH_dat = {MH_ext = {ext_buf = 0xdeadc0de <Address 0xdeadc0de out of bounds>, ext_free = 0xdeadc0de, ext_size = 0xdeadc0de}, MH_databuf = {"\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\000P\005m\020)\003\217\000\0044\223P\020@\000\366\004\000\000\000\000\000\000M\000\000\000\000\000\a\361\001\001\013\006\000\000\0028\004\000\000\000\204\361\2720\006\000\000\000\006", '\000' <repeats 11 times>}}}, M_databuf = {"\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\000P\005m\020)\003\217\000\0044\223P\020@\000\366\004\000\000\000\000\000\000M\000\000\000\000\000\a\361\001\001\013\006\000\000\0028\004\000\000\000\204\361\2720\006\000\000\000\006", '\000' <repeats 11 times>}}}
(kgdb)
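The m_copydata() check that fired in the session above, modelled as an added example (not code from the PR or the FreeBSD kernel): a toy mbuf chain with a copy routine that applies the same argument and chain checks but returns an error instead of panicking, plus a check for the 0xdeadc0de fill pattern that the freed mbuf dump shows. The struct layout, FREED_FILL and the sample chain are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

#define FREED_FILL 0xdeadc0deU  /* fill pattern visible in the PR's freed mbuf dump */

/* Toy mbuf (added example, not the kernel's struct): only the fields used here. */
struct mbuf {
    struct mbuf *m_next;  /* next buffer in the chain */
    int m_len;            /* bytes of data in this buffer */
    uint32_t rcvif;       /* stands in for the pkthdr rcvif pointer */
    char m_data[16];      /* payload */
};

/* 1 if the header carries the free-fill pattern, i.e. the buffer was already freed. */
int mbuf_looks_freed(const struct mbuf *m) { return m != NULL && m->rcvif == FREED_FILL; }

/* Copy len bytes starting at offset off of chain m into cp. Returns 0 on success,
 * -1 where the kernel's m_copydata() panics (negative off/len, chain ends early)
 * or, as an extra check here, when a buffer carries the freed pattern. */
int mbuf_copydata(const struct mbuf *m, int off, int len, char *cp)
{
    if (off < 0 || len < 0) return -1;   /* the PR's call: m=NULL, off=-1, len=1 */
    while (off > 0) {                    /* skip whole buffers before off */
        if (m == NULL)
            return -1;
        if (off < m->m_len)
            break;
        off -= m->m_len;
        m = m->m_next;
    }
    while (len > 0) {
        if (m == NULL || mbuf_looks_freed(m))
            return -1;
        int n = m->m_len - off;          /* bytes available in this buffer */
        if (n > len) n = len;
        memcpy(cp, m->m_data + off, (size_t)n);
        len -= n; cp += n; off = 0;
        m = m->m_next;
    }
    return 0;
}

/* Constructed two-buffer chain holding "hello" + " world" (sample data). */
static struct mbuf chain[2];
const struct mbuf *sample_chain(void)
{
    memset(chain, 0, sizeof chain);
    memcpy(chain[0].m_data, "hello", 5);  chain[0].m_len = 5; chain[0].m_next = &chain[1];
    memcpy(chain[1].m_data, " world", 6); chain[1].m_len = 6;
    return chain;
}
```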

>How-To-Repeat:

	I don't know what triggers it, but for some reason it has been
triggered at least 8 times today.

>Fix:
	
	unknown.

>Release-Note:
>Audit-Trail:

From: David Greenman <davidg@Root.COM>
To: hsu@clinet.fi
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/862: more access to freed mbufs 
Date: Sun, 03 Dec 1995 13:54:12 -0800

 >	Self-explanatory; crash dumps are available as
 >ftp://clinet.fi/pub/FreeBSD/crashdumps/*.36.gz
 >
 >Current directory is /m/katiska/news/crash/
 >Reading symbol data from /m/katiska/news/crash/kernel.36...done.
 >IdlePTD 26d000
 >panic: m_copydata
 ...
 >	I don't know what triggers it, but for some reason it has been
 >triggered at least 8 times today.
 
    When did it first start happening? What types of networking related things
 is this machine doing? Does it serve SLIP/PPP?
 
 -DG
State-Changed-From-To: open->closed 
State-Changed-By: olah 
State-Changed-When: Fri Feb 9 00:47:45 PST 1996 
State-Changed-Why:  
Duplicates kern/903 (actually, the other way around, but kern/903 is closed already) 


Responsible-Changed-From-To: freebsd-bugs->olah 
Responsible-Changed-By: olah 
Responsible-Changed-When: Fri Feb 9 00:47:45 PST 1996 
Responsible-Changed-Why:  
>Unformatted:
