Re: GPF in ether_output -> m_tag_locate

From: Kris Kennaway <kris_at_obsecurity.org>
Date: Sun, 15 Apr 2007 23:40:01 -0400
On Sun, Apr 15, 2007 at 11:30:47PM -0400, Kris Kennaway wrote:
> On an 8-core amd64 running up-to-date CVS sources:
> 
> > Fatal trap 9: general protection fault while in kernel mode
> > cpuid = 7; apic id = 07
> > instruction pointer     = 0x8:0xffffffff802a7800
> > stack pointer           = 0x10:0xffffffffabc61960
> > frame pointer           = 0x10:0xffffffffabc61970
> > code segment            = base 0x0, limit 0xfffff, type 0x1b
> >                         = DPL 0, pres 1, long 1, def32 0, gran 1
> > processor eflags        = interrupt enabled, resume, IOPL = 0
> > current process         = 19 (swi4: clock sio)
> > Tracing pid 19 tid 100005 td 0xffffff00b9a7f000
> > m_tag_locate() at m_tag_locate+0x20
> > ether_output() at ether_output+0x2ec
> > ip_output() at ip_output+0x9b5
> > udp_output() at udp_output+0x594
> > udp_send() at udp_send+0x1c
> > nfs_timer() at nfs_timer+0x7de
> > softclock() at softclock+0x319
> > ithread_execute_handlers() at ithread_execute_handlers+0x15d
> > ithread_loop() at ithread_loop+0x69
> > fork_exit() at fork_exit+0x93
> > fork_trampoline() at fork_trampoline+0xe
> > --- trap 0, rip = 0, rsp = 0xffffffffabc61d30, rbp = 0 ---

#9  0xffffffff802a7800 in m_tag_locate (m=0xffffff0033956a00, cookie=0, type=21, t=0x5f73736e0e000000) at ../../../kern/uipc_mbuf2.c:393
        p = (struct m_tag *) 0x5f73736e0e000000
#10 0xffffffff802ed9dc in ether_output (ifp=0xffffff0000900800, m=0xffffff0033956a00, dst=0xffffffffabc61a38, rt0=0x0) at mbuf.h:950
        type = 8
        error = 865430226
        hdrcmplt = 0
        esrc = "\000\b\220\000\000ÿ"
        edst = "\000\002³\027>\021"
        eh = (struct ether_header *) 0xffffff0033956ad2
        loop_copy = 1
#11 0xffffffff80304345 in ip_output (m=0xffffff0033956a00, opt=0x0, ro=0xffffffffabc61a30, flags=0, imo=0x0, inp=0xffffff00152a9e38)
    at ../../../netinet/ip_output.c:561
        ip = (struct ip *) 0xffffff0033956ae0
        ifp = (struct ifnet *) 0xffffff0000900800
        m0 = (struct mbuf *) 0x0
        hlen = 20
        mtu = 1500
        len = 0
        error = 0
        dst = (struct sockaddr_in *) 0xffffffffabc61a38
        ia = (struct in_ifaddr *) 0xffffff001583e600
        isbroadcast = 234881024
        sw_csum = 0
        iproute = {ro_rt = 0xffffff00949320f0, ro_dst = {sa_len = 16 '\020', sa_family = 2 '\002', sa_data = "\000\000Ì\230¿â\000\000\000\000\000\000\000"}}
        odst = {s_addr = 0}
#12 0xffffffff80317c24 in udp_output (inp=0xffffff00152a9e38, m=0xffffff0033956a00, addr=0x0, control=0xffffff0033956ae0, td=0xffffff00b9a7f000)
    at ../../../netinet/udp_usrreq.c:934
        ui = (struct udpiphdr *) 0xffffff0033956ae0
        len = 0
        faddr = {s_addr = 3804207308}
        laddr = {s_addr = 3871316172}
        cm = (struct cmsghdr *) 0x0
        src = {sin_len = 0 '\0', sin_family = 0 '\0', sin_port = 22405, sin_addr = {s_addr = 4294967040}, sin_zero = "\001\000\000\000\000\000\000"}
        error = 55
        ipflags = 0
        fport = 264
        lport = 4355
        unlock_udbinfo = 0
#13 0xffffffff8031874c in udp_send (so=0xffffff0033956a00, flags=0, m=0x0, addr=0x0, control=0x5f73736e0e000000, td=0xffffff00152a9e38)
    at ../../../netinet/udp_usrreq.c:1116
        inp = (struct inpcb *) 0xffffff0033956a00
#14 0xffffffff8032ff8e in nfs_timer (arg=0xffffff0033956a00) at pcpu.h:168
        rep = (struct nfsreq *) 0xffffff0008250600
        m = (struct mbuf *) 0xffffff0057854a00
        so = (struct socket *) 0xffffff00157d7bb8
        nmp = (struct nfsmount *) 0xffffff001575f000
        timeo = 234881024
        error = 1468353024
        now = {tv_sec = 89409, tv_usec = 181305}

Received on Mon Apr 16 2007 - 01:40:02 UTC
