Panic from osendmsg() (Re: panic: m_prepend: MH_ALIGN not PKTHDR mbuf)
Maxim Konovalov
maxim at macomnet.ru
Tue Jun 6 14:38:19 PDT 2006
Hi Kris,
On Sun, 4 Jun 2006, 20:41-0400, Kris Kennaway wrote:
> On Tue, May 23, 2006 at 09:58:26PM -0400, Kris Kennaway wrote:
> > I got this panic as a non-privileged user running the stress2 test
> > component that does random syscalls:
> >
> > panic: m_prepend: MH_ALIGN not PKTHDR mbuf
> > cpuid = 1
> > KDB: enter: panic
> > [thread pid 15370 tid 100536 ]
> > Stopped at kdb_enter+0x32: leave
> > db> wh
> > Tracing pid 15370 tid 100536 td 0xc5561000
> > kdb_enter(c073c6b2,1,c0741b31,eced5be0,c5561000) at kdb_enter+0x32
> > panic(c0741b31,c07199c6,2,0,e) at panic+0x1b1
> > m_prepend(c4dc0300,c,2,e,eced5c58) at m_prepend+0xd8
> > sendit(eced5c58,7cd3a4b7,eced5c54,28,c4beb1a0) at sendit+0x1a4
> > osendmsg(c5561000,eced5d04,c,445,3) at osendmsg+0x89
>
> Anyone looking at this? It seems that the osendmsg() compatibility
> syscall can be easily used to cause this panic.
It panics at KASSERT which appeared in rev. 1.181 mbuf.h:
% revision 1.181
% date: 2005/11/18 14:40:43; author: andre; state: Exp; lines: +8 -0
% Add KASSERTs to M_ALIGN() and MH_ALIGN() to prevent usage on wrong
% mbuf types.
%
% Sponsored by: TCP/IP Optimization Fundraise 2005
COMPAT_OLDSOCK code in sendit() tries to prepend a control data mbuf
to sockargs mbuf which is !M_PKTHDR and could be !M_EXT.
There are two options:
1. Backout KASSERTS.
2. Fix m_prepend() so it won't call MH_ALIGN for an mbuf without
M_PKTHDR/M_EXT stuff.
I think this is a reasonable w/o and shouldn't break anything (it
passed my tests at least):
Index: uipc_mbuf.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/uipc_mbuf.c,v
retrieving revision 1.165
diff -u -p -r1.165 uipc_mbuf.c
--- uipc_mbuf.c 15 Mar 2006 21:11:11 -0000 1.165
+++ uipc_mbuf.c 6 Jun 2006 21:09:57 -0000
@@ -496,7 +496,7 @@ m_prepend(struct mbuf *m, int len, int h
M_MOVE_PKTHDR(mn, m);
mn->m_next = m;
m = mn;
- if (len < MHLEN)
+ if (m->m_flags & M_PKTHDR && len < MHLEN)
MH_ALIGN(m, len);
m->m_len = len;
return (m);
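Review bot: With the new test in `if (m->m_flags & M_PKTHDR && len < MHLEN)`, a prepended mbuf that has no packet header is no longer aligned at all, so the non-PKTHDR case silently loses the alignment step rather than getting the right one. Consider an else branch that calls M_ALIGN(m, len) when len < MLEN, since the rev. 1.181 log quoted above added assertions to both M_ALIGN() and MH_ALIGN() and the former is the variant meant for plain mbufs. Writing the flag test as (m->m_flags & M_PKTHDR) would also make the intended precedence explicit, and a short comment naming the COMPAT_OLDSOCK caller in sendit() would document why a non-PKTHDR mbuf can reach this path.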
%%%
I CC'ed Andre.
--
Maxim Konovalov