| Summary: | panic when enabling bridge_ipfw | | |
|---|---|---|---|
| Product: | Base System | Reporter: | Mikhail Teterin <mi> |
| Component: | kern | Assignee: | bmilekic |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | CC: | luigi |
| Priority: | Normal | | |
| Version: | 4.0-STABLE | | |
| Hardware: | Any | | |
| OS: | Any | | |
The bridging is enabled as follows:

```
sysctl -w net.link.ether.bridge_cfg=dc0:1,dc2:1
sysctl -w net.link.ether.bridge=1
sysctl -w net.link.ether.bridge_ipfw=1
```

With the kernel built from April 27 sources, the setup works fine. With today's kernel (and a week-old kernel) the system panics when bridge_ipfw is enabled (commenting the line out stops the panic, but disables the firewall). The crash happens in sys/netinet/ip_icmp.c on line 633, where the NULL pointer is referenced:

```
(kgdb) l
627     /*
628      * The following happens if the packet was not addressed to us,
629      * and was received on an interface with no IP address.
630      */
631     if (ia == (struct in_ifaddr *)0)
632             ia = in_ifaddrhead.tqh_first;
633     t = IA_SIN(ia)->sin_addr;
634     ip->ip_src = t;
635     ip->ip_ttl = MAXTTL;
636
(kgdb) p ia
$2 = (struct in_ifaddr *) 0x0
```

The full stack is

```
#0  boot (howto=256) at /opt/src/sys/kern/kern_shutdown.c:302
#1  0xc0138358 in poweroff_wait (junk=0xc025842f, howto=0) at /opt/src/sys/kern/kern_shutdown.c:552
#2  0xc0226ed2 in trap_fatal (frame=0xc025e4fc, eva=76) at /opt/src/sys/i386/i386/trap.c:927
#3  0xc0226b91 in trap_pfault (frame=0xc025e4fc, usermode=0, eva=76) at /opt/src/sys/i386/i386/trap.c:820
#4  0xc022677b in trap (frame={tf_fs = -1071579120, tf_es = 16, tf_ds = 16, tf_edi = 20, tf_esi = -1067166976, tf_ebp = -1071258284, tf_isp = -1071258328, tf_ebx = -1067166756, tf_edx = 0, tf_ecx = -1067166976, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1072156088, tf_cs = 8, tf_eflags = 66118, tf_esp = -1067166756, tf_ss = -1067166976}) at /opt/src/sys/i386/i386/trap.c:426
#5  0xc0183248 in icmp_reflect (m=0xc0645300) at /opt/src/sys/netinet/ip_icmp.c:632
#6  0xc0182ca8 in icmp_error (n=0xc0645200, type=3, code=3, dest=0, destifp=0x0) at /opt/src/sys/netinet/ip_icmp.c:220
#7  0xc018f1ee in udp_input (m=0xc0645200, off=20, proto=17) at /opt/src/sys/netinet/udp_usrreq.c:358
#8  0xc0183e93 in ip_input (m=0xc0645200) at /opt/src/sys/netinet/ip_input.c:743
#9  0xc0183f0b in ipintr () at /opt/src/sys/netinet/ip_input.c:771
#10 0xc021c875 in swi_net_next ()
```

Fix: I wish I knew :(

How-To-Repeat: See environment. This can be reproduced at will even in single-user mode by simply enabling bridging:

```
sysctl -w net.link.ether.bridge=1
```

and requesting the bridged packets be routed through the firewall rules:

```
sysctl -w net.link.ether.bridge_ipfw=1
```

The interfaces don't need to be configured for this to happen...

(See the end of this message for the location of the debuggable kernel and two vmcores.) I decided to try giving the unconfigured interface an IP address and got another panic:

```
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x30
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc01df0a4
stack pointer           = 0x10:0xc025e3b4
frame pointer           = 0x10:0xc025e3b8
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = Idle
interrupt mask          = net bio cam
trap number             = 12
panic: page fault
Uptime: 21s
dumping to dev #ad/1, offset 216
dump ata0: resetting devices .. ata0: mask=01 status0=50 status1=00
ata0-master: success setting up PIO4 mode on generic chip
done
64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
---
#0  boot (howto=260) at /opt/src/sys/kern/kern_shutdown.c:302
302             dumppcb.pcb_cr3 = rcr3();
(kgdb) where
#0  boot (howto=260) at /opt/src/sys/kern/kern_shutdown.c:302
#1  0xc0138358 in poweroff_wait (junk=0xc025842f, howto=0) at /opt/src/sys/kern/kern_shutdown.c:552
#2  0xc0226ed2 in trap_fatal (frame=0xc025e374, eva=48) at /opt/src/sys/i386/i386/trap.c:927
#3  0xc0226b91 in trap_pfault (frame=0xc025e374, usermode=0, eva=48) at /opt/src/sys/i386/i386/trap.c:820
#4  0xc022677b in trap (frame={tf_fs = 1074135056, tf_es = -1071316976, tf_ds = -966393840, tf_edi = 0, tf_esi = -966347776, tf_ebp = -1071258696, tf_isp = -1071258720, tf_ebx = -1071180740, tf_edx = 1074315328, tf_ecx = -827104320, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1071779676, tf_cs = 8, tf_eflags = 66050, tf_esp = -966347776, tf_ss = -1071258664}) at /opt/src/sys/i386/i386/trap.c:426
#5  0xc01df0a4 in acquire_lock (lk=0xc027143c) at /opt/src/sys/ufs/ffs/ffs_softdep.c:265
#6  0xc01e2ebc in softdep_update_inodeblock (ip=0xc666b400, bp=0xc7a298c8, waitfor=0) at /opt/src/sys/ufs/ffs/ffs_softdep.c:3585
#7  0xc01de34e in ffs_update (vp=0xceb363c0, waitfor=0) at /opt/src/sys/ufs/ffs/ffs_inode.c:105
#8  0xc01e6110 in ffs_sync (mp=0xc65e3800, waitfor=2, cred=0xc05cb680, p=0xc029eee0) at /opt/src/sys/ufs/ffs/ffs_vfsops.c:987
#9  0xc016471f in sync (p=0xc029eee0, uap=0x0) at /opt/src/sys/kern/vfs_syscalls.c:549
#10 0xc0137d9f in boot (howto=256) at /opt/src/sys/kern/kern_shutdown.c:224
#11 0xc0138358 in poweroff_wait (junk=0xc025842f, howto=0) at /opt/src/sys/kern/kern_shutdown.c:552
#12 0xc0226ed2 in trap_fatal (frame=0xc025e540, eva=3227829326) at /opt/src/sys/i386/i386/trap.c:927
#13 0xc0226b91 in trap_pfault (frame=0xc025e540, usermode=0, eva=3227829326) at /opt/src/sys/i386/i386/trap.c:820
#14 0xc022677b in trap (frame={tf_fs = 16, tf_es = -1072234480, tf_ds = 1074135056, tf_edi = 1073872896, tf_esi = 0, tf_ebp = -1071258228, tf_isp = -1071258260, tf_ebx = -966216256, tf_edx = 521294, tf_ecx = 0, tf_eax = -1067659264, tf_trapno = 12, tf_err = 2, tf_eip = -1072359149, tf_cs = 8, tf_eflags = 66054, tf_esp = -1067170816, tf_ss = 0}) at /opt/src/sys/i386/i386/trap.c:426
#15 0xc0151913 in m_free (m=0xc668b5c0) at /opt/src/sys/kern/uipc_mbuf.c:509
#16 0xc01526f5 in m_pullup (n=0xc668b5c0, len=14) at /opt/src/sys/kern/uipc_mbuf.c:966
#17 0xc017df87 in transmit_event (pipe=0xc665f400) at /opt/src/sys/netinet/ip_dummynet.c:407
#18 0xc017e1cf in ready_event (q=0xc6684380) at /opt/src/sys/netinet/ip_dummynet.c:525
#19 0xc017e60b in dummynet (unused=0x0) at /opt/src/sys/netinet/ip_dummynet.c:660
#20 0xc013d839 in softclock () at /opt/src/sys/kern/kern_timeout.c:131
(kgdb) up 15
#15 0xc0151913 in m_free (m=0xc668b5c0) at /opt/src/sys/kern/uipc_mbuf.c:509
509             MFREE(m, n);
(kgdb) p m
$1 = (struct mbuf *) 0x40060e00
(kgdb) p n
$2 = (struct mbuf *) 0x0
```

Somewhere in the depth of the MFREE maze, I guess, the following happens:

```
(kgdb) p _mm
$7 = (struct mbuf *) 0x0
```

The kernel (with all debug symbols) and the two vmcores are available at:

http://virtual-estates.com/kernel.ip_icmp.bz2
http://virtual-estates.com/vmcore.ip_icmp.bz2
http://virtual-estates.com/vmcore.m_free.bz2

-mi

Responsible Changed From-To: freebsd-bugs->bmilekic

I'll grab this now that I think I've stumbled on a related problem... unless Luigi wants it specifically (in which case he can change it when he likes).

State Changed From-To: open->closed

Fixed a while ago, got confirmation that the problem is indeed fixed in -STABLE and -CURRENT.
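The fallback quoted from ip_icmp.c above, modelled in user space as an added example (not code from the report or from FreeBSD): the unchecked shape that reads through `in_ifaddrhead.tqh_first` when no interface carries an address sits beside a variant that reports the empty-list case so the caller can drop the packet. The `struct in_ifaddr` / `in_ifaddrhead` layouts, the function names, the `REFLECT_*` status codes and the sample addresses are simplified stand-ins chosen for this example, not the kernel's definitions, and the checked variant is illustrative rather than a statement of how the bug was actually fixed.

```c
/*
 * Added example, not from the bug report or FreeBSD: user-space model of the
 * icmp_reflect() source-address fallback. All types and names are stand-ins.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for struct in_ifaddr: one configured IPv4 address. */
struct in_ifaddr {
    uint32_t          sin_addr;   /* address in host byte order (constructed) */
    struct in_ifaddr *ia_next;    /* next configured address, NULL at the end */
};

/* Simplified stand-in for in_ifaddrhead; tqh_first is NULL when no interface has an address. */
struct in_ifaddrhead {
    struct in_ifaddr *tqh_first;
};

enum reflect_status {
    REFLECT_OK = 0,           /* a source address was chosen, reply can be built */
    REFLECT_DROP_NO_ADDR = 1  /* no IP address anywhere: caller frees the mbuf */
};

/* First step of the lookup: prefer an interface that owns the packet's destination. */
static const struct in_ifaddr *
find_matching_ia(const struct in_ifaddrhead *head, uint32_t ip_dst)
{
    const struct in_ifaddr *ia;
    for (ia = head->tqh_first; ia != NULL; ia = ia->ia_next)
        if (ia->sin_addr == ip_dst)
            return ia;
    return NULL;
}

/*
 * Shape of the code in the kgdb listing: when nothing matched, fall back to
 * the first configured address and dereference it unconditionally. On a
 * bridge whose interfaces carry no IP address tqh_first is NULL and this
 * faults. Kept for comparison only; nothing here calls it.
 */
uint32_t
reflect_source_unchecked(const struct in_ifaddrhead *head, uint32_t ip_dst)
{
    const struct in_ifaddr *ia = find_matching_ia(head, ip_dst);
    if (ia == NULL)
        ia = head->tqh_first;
    return ia->sin_addr;          /* NULL dereference when the list is empty */
}

/*
 * Checked form (illustrative): an empty address list is a legitimate state
 * for an unconfigured bridge, so report it instead of trusting tqh_first.
 */
enum reflect_status
reflect_source_checked(const struct in_ifaddrhead *head, uint32_t ip_dst,
                       uint32_t *ip_src_out)
{
    const struct in_ifaddr *ia = find_matching_ia(head, ip_dst);
    if (ia == NULL)
        ia = head->tqh_first;
    if (ia == NULL)
        return REFLECT_DROP_NO_ADDR;
    *ip_src_out = ia->sin_addr;
    return REFLECT_OK;
}

/* Convenience wrappers so a caller can test the outcome in one call. */
int checked_status(const struct in_ifaddrhead *head, uint32_t ip_dst)
{
    uint32_t src;
    return (int)reflect_source_checked(head, ip_dst, &src);
}

uint32_t checked_source_or_zero(const struct in_ifaddrhead *head, uint32_t ip_dst)
{
    uint32_t src = 0;
    return reflect_source_checked(head, ip_dst, &src) == REFLECT_OK ? src : 0;
}

/* Constructed sample data: a host with 10.0.0.1 and 10.0.0.2, and a bridge with no address. */
static struct in_ifaddr sample_ia2 = { 0x0a000002u, NULL };
static struct in_ifaddr sample_ia1 = { 0x0a000001u, &sample_ia2 };
static const struct in_ifaddrhead configured_head   = { &sample_ia1 };
static const struct in_ifaddrhead unconfigured_head = { NULL };

const struct in_ifaddrhead *sample_configured(void)   { return &configured_head; }
const struct in_ifaddrhead *sample_unconfigured(void) { return &unconfigured_head; }

int main(void)
{
    /* Packet for 10.0.0.2: the owning interface supplies the source. */
    printf("configured, dst 10.0.0.2   -> src 0x%08x\n",
           checked_source_or_zero(sample_configured(), 0x0a000002u));
    /* Packet not addressed to us: fall back to the first address, 10.0.0.1. */
    printf("configured, dst 192.168.1.1 -> src 0x%08x\n",
           checked_source_or_zero(sample_configured(), 0xc0a80101u));
    /* Unconfigured bridge: the unchecked variant would fault here; checked drops. */
    printf("unconfigured bridge        -> status %d (1 = drop)\n",
           checked_status(sample_unconfigured(), 0xc0a80101u));
    return 0;
}
```

The point of the checked variant is where the decision is made: the empty-list case is detected before any field is read, and the mbuf disposal is left to the caller, which is the same place icmp_error() already frees packets it cannot answer.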