Re: ng_snd_item: Panic?

From: Andrey V. Elsukov <bu7cher_at_yandex.ru>
Date: Tue, 25 Jun 2019 23:13:29 +0300
On 25.06.2019 15:59, Larry Rosenman wrote:
> On 06/25/2019 4:18 am, Andrey V. Elsukov wrote:
>> On 24.06.2019 23:10, Larry Rosenman wrote:
>>>>> #5  0xffffffff828ee5b7 in ng_snd_item (item=0xfffff8021e3b4d80,
>>>>> flags=0)
>>>>>     at /usr/src/sys/netgraph/ng_base.c:2252
>>>>
>>>> It looks like you use some netgraph based ethernet interface.
>>>> The system got received ARP request and is going to send the reply,
>>>> but somehow mbuf with this ARP request has initialized m_next pointer,
>>>> thus it is considered as a chain of mbufs.
>>>>
>>>> in_arpinput() reuses received mbuf to construct the reply, but it
>>>> doesn't check that an mbut is a chain. It just sets m_len and sends it.
>>>> Then since you have INVARIANTS in your kernel, the netgraph code check
>>>> the actual length of the chain, and it doesn't match to m_len. It
>>>> panics.
>>>
>>>
>>> so, is this a bug?  Timing race? Other?
>>
>> I think we should determine that my assumption is correct :)
>> Can you show the output of the following commands from the kgdb for this
>> core?
>>
>> (kgdb) f 7
>> (kgdb) p *m
>> (kgdb) p *m->m_next
> 
> 
> (kgdb) fr 7
> #7  0xffffffff805b1e43 in ether_output (ifp=<optimized out>,
> m=0xfffff81f59eefb00, dst=0xfffffe012628d740, ro=<optimized out>) at
> /usr/src/sys/net/if_ethersubr.c:430
> 430            if ((error = (*ng_ether_output_p)(ifp, &m)) != 0) {

I failed to track the possible way to get this.
Please, show the output of the following commands:
(kgdb) f 7
(kgdb) p/x (u_char[42])m->m_data
(kgdb) p/x (u_char[1372]m->m_next->m_data

Did you used this configuration for the long time and these panics were
the first time?

-- 
WBR, Andrey V. Elsukov


Received on Tue Jun 25 2019 - 18:16:20 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:21 UTC