Bug 41417

Summary: 3Com xl0 drivers generate a kernel panic
Product: Base System Reporter: heikki Soerum <heikkis>
Component: kernAssignee: Andre Oppermann <andre>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 4.6-STABLE   
Hardware: Any   
OS: Any   

Description heikki Soerum 2002-08-07 19:00:02 UTC 
Sending any type of IP packet to the IP assigned to xl0 (3COM 3c900 card)
provokes a kernel panic.
Both packets send from the FreeBSD box and external computer provokes the kernel panic.
(Fatal trap 12: page fault while in kernel mode)

Newly installed system with 4.5-RELEASE and CVSUP'ed stable and ports 
collection. Ran buildworld, installworld, buildkernel and installkernel as the handbook recommends.
booting the kernel with boot -s provokes the panic without before console is accessible. 
Botting the kernel in multiuser mode, and the going to single user with
shutdown now does *NOT* provoke the panic, nor am I able to provoke 
any panic in this configration, I can even ssh, ping , run dhclient and 
browse with the xl0 interface. But *only* when booting in multiuser mode, and then entering single user mode.

How-To-Repeat: Send any IP packet to xl0 interface. Works every time *except* when dooing the multiuser boot and droping down to singel user.
"Look ma!, it's a DOS OS ;)"*cough*

Kernel.debug(128 mb) , vmcore.0(32 mb) or a screendump of "gdm -k kernel.debug vmcore.o" (4 kb)
available.
Comment 1 Nate Lawson 2002-08-16 00:50:22 UTC 
Please send a backtrace ("bt") from your gdb session.

-Nate
Comment 2 Nate Lawson 2002-08-22 23:19:32 UTC 
It looks like ip_fw_chk_ptr == NULL (i.e. ipfw.ko is not loaded even
though you have enabled filtering).  Are you loading it as a module or
compiling it in statically?  Are you using ipfw or ipfw2?  This should be
caught by the IPFW_LOADED check.

Please use "reply all" to keep the bug db in the loop.

-Nate

------- dmesg submitted by user ------------
Script started on Wed Aug  7 18:12:05 2002
# gdb -k kernel.debug.0 vmcore.0
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
IdlePTD at phsyical address 0x0050d000
initial pcb at physical address 0x0044c8c0
panicstr: from debugger
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address	= 0xc800
fault code		= supervisor read, page not present
instruction pointer	= 0x8:0xc0cd1937
stack pointer	        = 0x10:0xc03e6dc0
frame pointer	        = 0x10:0xc03e6dd8
code segment		= base rx0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= Idle
interrupt mask		= 
panic: from debugger


Fatal trap 3: breakpoint instruction fault while in kernel mode
instruction pointer	= 0x8:0xc035a2e1
stack pointer	        = 0x10:0xc03e6bd4
frame pointer	        = 0x10:0xc03e6bdc
code segment		= base rx0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, IOPL = 0
current process		= Idle
interrupt mask		= 


Fatal trap 12: page fault while in kernel mode
fault virtual address	= 0xc800
fault code		= supervisor read, page not present
instruction pointer	= 0x8:0xc0cd1937
stack pointer	        = 0x10:0xc03e6dc0
frame pointer	        = 0x10:0xc03e6dd8
code segment		= base rx0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= Idle
interrupt mask		= 
panic: from debugger
Uptime: 1m20s

dumping to dev #ad/0x20001, offset 196608
dump ata0: resetting devices .. done
32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 
---
#0  dumpsys () at /usr/src/sys/kern/kern_shutdown.c:487
487		if (dumping++) {
(kgdb) where
#0  dumpsys () at /usr/src/sys/kern/kern_shutdown.c:487
#1  0xc01f1d58 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:316
#2  0xc01f21a5 in panic (fmt=0xc03896c4 "from debugger")
    at /usr/src/sys/kern/kern_shutdown.c:595
#3  0xc0142239 in db_panic (addr=-1060300489, have_addr=0, count=-1, 
    modif=0xc03e6c50 "") at /usr/src/sys/ddb/db_command.c:435
#4  0xc01421d7 in db_command (last_cmdp=0xc03ea744, cmd_table=0xc03ea584, 
    aux_cmd_tablep=0xc042b1f8) at /usr/src/sys/ddb/db_command.c:333
#5  0xc014229e in db_command_loop () at /usr/src/sys/ddb/db_command.c:457
#6  0xc0144477 in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_trap.c:71
#7  0xc035a082 in kdb_trap (type=12, code=0, regs=0xc03e6d80)
    at /usr/src/sys/i386/i386/db_interface.c:158
#8  0xc036a968 in trap_fatal (frame=0xc03e6d80, eva=51200)
    at /usr/src/sys/i386/i386/trap.c:969
#9  0xc036a332 in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16, 
      tf_edi = -1064105968, tf_esi = 51200, tf_ebp = -1069650472, 
      tf_isp = -1069650516, tf_ebx = 0, tf_edx = 0, tf_ecx = -1064122368, 
      tf_eax = -1069650400, tf_trapno = 12, tf_err = 0, tf_eip = -1060300489, 
      tf_cs = 8, tf_eflags = 66118, tf_esp = 0, tf_ss = -1064122368})
    at /usr/src/sys/i386/i386/trap.c:636
#10 0xc0cd1937 in ?? ()
#11 0xc024a636 in ip_input (m=0xc092c800)
    at /usr/src/sys/netinet/ip_input.c:446
#12 0xc024ab3b in ipintr () at /usr/src/sys/netinet/ip_input.c:842
---Type <return> to continue, or q <return> to quit---
#13 0xc035c3f9 in swi_net_next ()
(kgdb) q
# uname -a
FreeBSD flodhest.uio.no 4.6-STABLE FreeBSD 4.6-STABLE #0: Wed Aug  7 16:57:41 CEST 2002     root@flodhest.uio.no:/usr/obj/usr/src/sys/GENERIC_DEBUG  i386
Script done on Wed Aug  7 18:13:37 2002
Comment 3 njl freebsd_committer freebsd_triage 2002-08-22 23:21:29 UTC 
State Changed
From-To: open->feedback

User will report on ipfw configuration.
Comment 4 njl freebsd_committer freebsd_triage 2002-08-22 23:21:29 UTC 
Responsible Changed
From-To: freebsd-bugs->luigi

Luigi maintains IPFW and this appears to be a problem there.
Comment 5 Luigi Rizzo 2002-09-03 02:49:27 UTC 
i suspect pilot error.

i am wondering if the problem has to do with out-of-sync kernel
and modules. It is not interface-dependent, and if it were as
the poster claims, all users of kld'ed ipfw would be affected by
it.

i have used myself a kernel with ipfw.ko without problem...

I am inclined to close this PR.

	cheers
	luigi
Comment 6 Andre Oppermann freebsd_committer freebsd_triage 2003-12-22 20:30:39 UTC 
Responsible Changed
From-To: luigi->andre

This PR has been dormant for a long time. I've written to the Originator again 
asking whether this is still a problem on 4.9 or 5.2.
Comment 7 Andre Oppermann freebsd_committer freebsd_triage 2003-12-22 20:34:21 UTC 
Hello Heikki,

Do you still see the problem with FreeBSD 4.9(-STABLE) or 5.2(-CURRENT)?

Thanks
-- 
Andre
Comment 8 Andre Oppermann freebsd_committer freebsd_triage 2003-12-23 09:51:22 UTC 
State Changed
From-To: feedback->closed

The Originator responded that he threw these 3com nic's away and 
exchanged them for others which use the xl driver. No problems 
since then and he suspects either pilot error or defective hardware.