Bug 137392 - [ip] [panic] crash in ip_nat.c line 2577
Summary: [ip] [panic] crash in ip_nat.c line 2577
Status: Closed Overcome By Events
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 7.2-RELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Cy Schubert
Reported: 2009-08-03 14:50 UTC by Mark Rekai
Modified: 2018-05-29 01:23 UTC
Description Mark Rekai 2009-08-03 14:50:01 UTC
[root@xxx /usr/obj/usr/src/sys/GENERIC]# kgdb kernel.debug /var/crash/vmcore.2 
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 03
fault virtual address   = 0x4
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc04a4067
stack pointer           = 0x28:0xc67919d8
frame pointer           = 0x28:0xc6791a50
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 23 (irq256: bge0)
trap number             = 12
panic: page fault
cpuid = 3
Uptime: 27d15h6m42s
Physical memory: 3314 MB
Dumping 288 MB: 273 257 241 225 209 193 177 161 145 129 113 97 81 65 49 33 17 1

#0  doadump () at pcpu.h:196
196             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) list *0xc04a4067
0xc04a4067 is in nat_new (/usr/src/sys/contrib/ipfilter/netinet/ip_nat.c:2577).
2572            nat->nat_ifps[1] = np->in_ifps[1];
2573            nat->nat_ptr = np;
2574            nat->nat_p = fin->fin_p;
2575            nat->nat_mssclamp = np->in_mssclamp;
2576            if (nat->nat_p == IPPROTO_TCP)
2577                    nat->nat_seqnext[0] = ntohl(tcp->th_seq);
2578
2579            if ((np->in_apr != NULL) && ((ni->nai_flags & NAT_SLAVE) == 0))
2580                    if (appr_new(fin, nat) == -1)
2581                            return -1;
(kgdb) backtrace
#0  doadump () at pcpu.h:196
#1  0xc08075d7 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
#2  0xc08078a9 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:574
#3  0xc0b10b0c in trap_fatal (frame=0xc6791998, eva=4) at /usr/src/sys/i386/i386/trap.c:939
#4  0xc0b10d90 in trap_pfault (frame=0xc6791998, usermode=0, eva=4) at /usr/src/sys/i386/i386/trap.c:852
#5  0xc0b1173c in trap (frame=0xc6791998) at /usr/src/sys/i386/i386/trap.c:530
#6  0xc0af5e4b in calltrap () at /usr/src/sys/i386/i386/exception.s:159
#7  0xc04a4067 in nat_new (fin=0xc6791ac8, np=0xc837b200, natsave=0x0, flags=Variable "flags" is not available.
)
    at /usr/src/sys/contrib/ipfilter/netinet/ip_nat.c:2577
#8  0xc04a8462 in fr_checknatin (fin=0xc6791ac8, passp=0xc6791ac4)
    at /usr/src/sys/contrib/ipfilter/netinet/ip_nat.c:4122
#9  0xc049ae67 in fr_check (ip=0xc8270010, hlen=20, ifp=0xc69a2c00, out=0, mp=0xc6791bb0)
    at /usr/src/sys/contrib/ipfilter/netinet/fil.c:2572
#10 0xc049d96f in fr_check_wrapper (arg=0x0, mp=0xc6791bb0, ifp=0xc69a2c00, dir=1)
    at /usr/src/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c:178
#11 0xc08b1508 in pfil_run_hooks (ph=0xc0cf3060, mp=0xc6791c0c, ifp=0xc69a2c00, dir=1, inp=0x0)
    at /usr/src/sys/net/pfil.c:78
#12 0xc08f26ea in ip_input (m=0xce513100) at /usr/src/sys/netinet/ip_input.c:416
#13 0xc08afca5 in netisr_dispatch (num=2, m=0xce513100) at /usr/src/sys/net/netisr.c:185
#14 0xc08a5c41 in ether_demux (ifp=0xc69a2c00, m=0xce513100) at /usr/src/sys/net/if_ethersubr.c:834
#15 0xc08a6033 in ether_input (ifp=0xc69a2c00, m=0xce513100) at /usr/src/sys/net/if_ethersubr.c:692
#16 0xc05a72f4 in bge_intr (xsc=0xc69a8000) at /usr/src/sys/dev/bge/if_bge.c:3194
#17 0xc07e553b in ithread_loop (arg=0xc69a7830) at /usr/src/sys/kern/kern_intr.c:1088
#18 0xc07e2089 in fork_exit (callout=0xc07e5380 <ithread_loop>, arg=0xc69a7830, frame=0xc6791d38)
    at /usr/src/sys/kern/kern_fork.c:810
#19 0xc0af5ec0 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:264

Fix: unknown
How-To-Repeat: Problem repeats periodically every few weeks across three boxes with same hardware, kernel, duty, and load at same code point.  Problem cannot be created manually.
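An added example, not code from this report or from ipfilter: a userland C model of the assignment listed at ip_nat.c:2577. The fault virtual address 0x4 equals the offset of th_seq in the BSD TCP header, so the trap is consistent with the tcp pointer being NULL while nat_p == IPPROTO_TCP; the struct and function names below are hypothetical, and the checked variant is one defensive shape, not the fix that was applied to the real code.

```c
/* Added example, not ipfilter code. Models the faulting assignment at
 * ip_nat.c:2577 and why "fault virtual address = 0x4" implicates a NULL
 * transport-header pointer. All names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <netinet/in.h>  /* IPPROTO_TCP */
#include <arpa/inet.h>   /* ntohl(), htonl() */

/* Constructed mirror of the BSD struct tcphdr layout. */
struct tcp_hdr_model {
    uint16_t th_sport;
    uint16_t th_dport;
    uint32_t th_seq;     /* byte offset 4: a NULL deref faults at 0x4 */
};
struct nat_model {
    int      nat_p;
    uint32_t nat_seqnext[2];
};

/* Offset a NULL-pointer read of th_seq faults at; matches the trap above. */
size_t seq_fault_offset(void) { return offsetof(struct tcp_hdr_model, th_seq); }

/* Model of the crashing pattern: dereferences tcp for every TCP packet,
 * trusting that the caller supplied a usable transport header. */
int nat_seq_init_unchecked(struct nat_model *nat, int proto, const struct tcp_hdr_model *tcp) {
    nat->nat_p = proto;
    if (nat->nat_p == IPPROTO_TCP)
        nat->nat_seqnext[0] = ntohl(tcp->th_seq);  /* faults at tcp+4 if tcp == NULL */
    return 0;
}

/* Hardened model: a TCP packet with no transport header is refused (-1),
 * the same failure signal nat_new() already uses when appr_new() fails. */
int nat_seq_init_checked(struct nat_model *nat, int proto, const struct tcp_hdr_model *tcp) {
    nat->nat_p = proto;
    if (nat->nat_p == IPPROTO_TCP) {
        if (tcp == NULL)
            return -1;
        nat->nat_seqnext[0] = ntohl(tcp->th_seq);
    }
    return 0;
}

int main(void) {
    struct nat_model nat = {0};
    struct tcp_hdr_model tcp = { .th_seq = htonl(0x12345678u) };  /* constructed */
    printf("th_seq offset = 0x%zx\n", seq_fault_offset());
    printf("checked, NULL tcp -> %d\n", nat_seq_init_checked(&nat, IPPROTO_TCP, NULL));
    printf("checked, valid tcp -> %d, seqnext[0]=0x%x\n",
           nat_seq_init_checked(&nat, IPPROTO_TCP, &tcp), nat.nat_seqnext[0]);
    return 0;
}
```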
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2009-08-03 16:21:16 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-net

Over to maintainer(s).
Comment 2 Mark Rekai 2009-08-05 13:57:15 UTC
This appears to duplicate http://www.freebsd.org/cgi/query-pr.cgi?pr=131601&cat=.

I have inspected the last packet handled.  The IP header appears intact and valid, but everything from that point onward (TCP header and payload) is garbage.
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2018-05-28 19:49:36 UTC
batch change:

For bugs that match the following
-  Status Is In progress 
AND
- Untouched since 2018-01-01.
AND
- Affects Base System OR Documentation

DO:

Reset to open status.


Note:
I did a quick pass but if you are getting this email it might be worthwhile to double check to see if this bug ought to be closed.
Comment 4 Cy Schubert freebsd_committer freebsd_triage 2018-05-29 01:23:06 UTC
This no longer applies to FreeBSD 10+.