From nobody@FreeBSD.org  Thu Dec 20 18:04:50 2007
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C72E216A417
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 20 Dec 2007 18:04:50 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id AD36A13C447
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 20 Dec 2007 18:04:50 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id lBKI4Ri6068308
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 20 Dec 2007 18:04:27 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id lBKI4RgT068307;
	Thu, 20 Dec 2007 18:04:27 GMT
	(envelope-from nobody)
Message-Id: <200712201804.lBKI4RgT068307@www.freebsd.org>
Date: Thu, 20 Dec 2007 18:04:27 GMT
From: Manolis Kiagias <sonicy@otenet.gr>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Kernel Panic acquiring IP address from DHCP server on newly enabled netcard
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         118897
>Category:       kern
>Synopsis:       [bfe] Kernel Panic acquiring IP address from DHCP server on newly enabled netcard
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    yongari
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 20 18:10:02 UTC 2007
>Closed-Date:    Fri Jan 16 02:08:32 UTC 2009
>Last-Modified:  Fri Jan 16 02:08:32 UTC 2009
>Originator:     Manolis Kiagias
>Release:        6.3-RC1
>Organization:
>Environment:
FreeBSD pegasus.dyndns.org 6.3-RC1-p1 FreeBSD 6.3-RC1-p1 #2: Sun Dec  2 19:48:21 EET 2007     root@pegasus.dyndns.org:/usr/obj/usr/src/sys/PEGASUS  i386

>Description:
Machine has a broadcom network card shown as bfe0.  At boot, the card
is not enabled (commented out) in rc.conf 
Driver attaches normally. 
After editing rc.conf to enable the line:

ifconfig_bfe0="DHCP"

and running:

/etc/rc.d/netif restart

there is a kernel panic while getting an address from DHCP server (a
linksys home router).

panic: page fault
fault virtual address = 0x104
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc052417d
stack pointer = 0x28:0xe71ffbec
frame pointer = 0x28:0xe71ffbf8
code segment = base 0x0 limit 0xfffff type 0x1b
=DPL 0, pres 1, def32 1, gran 1
=resume, IOPL=0
=971 (ifconfig)
=12
>How-To-Repeat:
The symptom is repeatable every time. Use the procedure mentioned above.
The symptom does not occur if you reboot after enabling the card in
rc.conf. In this case the card is assigned an IP and subsequent runs
of netif have no undesirable effects.
>Fix:
None that I know. Only workaround is to reboot after enabling the rc.conf entry.

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: kris 
State-Changed-When: Sat Dec 29 11:01:34 UTC 2007 
State-Changed-Why:  
Awaiting user feedback 

http://www.freebsd.org/cgi/query-pr.cgi?pr=118897 

From: Kris Kennaway <kris@FreeBSD.org>
To: Manolis Kiagias <sonicy@otenet.gr>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/118897: Kernel Panic acquiring IP address from DHCP server
 on	newly enabled netcard
Date: Sat, 29 Dec 2007 12:01:19 +0100

 Thanks for the report, but you need to do some additional work to 
 complete the submission.  Please see:
 
  
 http://www.freebsd.org/doc/en_US.ISO8859-1/books/developers-handbook/kerneldebug.html
 
 and obtain a crashdump and backtrace.
 
 Kris

From: Manolis Kiagias <sonicy@otenet.gr>
To: Kris Kennaway <kris@FreeBSD.org>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/118897: Kernel Panic acquiring IP address from DHCP server
 on	newly enabled netcard
Date: Sat, 29 Dec 2007 13:31:04 +0200

 Thanks
 Will do promptly and come back with the results.
 
 Manolis

From: Manolis Kiagias <sonicy@otenet.gr>
To: Kris Kennaway <kris@FreeBSD.org>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/118897: Kernel Panic acquiring IP address from DHCP server
 on	newly enabled netcard
Date: Mon, 31 Dec 2007 15:23:49 +0200

 Unfortunately I cannot get a kernel dump from the system. I have set
 dumpdev to my  swap device in rc.conf. I also tried the AUTO setting. I
 get the message:
 
 Dumping 2046 (2 chunks)
 
 but it never starts writing.
 
 This is an Acer Aspire 5610 Core Duo (not core2 though) machine,
 googling revealed SMP maybe responsible for not being able to dump.
 I recompiled the kernel without SMP, however the non-SMP kernel does not
 crash performing the  procedure mentioned in the PR.
 
 If there are any more steps I could perform at this point, please let me
 know. This machine is generally available for all sorts of experiments :)
 
 Thanks,
 Manolis Kiagias

From: Kris Kennaway <kris@FreeBSD.org>
To: Manolis Kiagias <sonicy@otenet.gr>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/118897: Kernel Panic acquiring IP address from DHCP server
 on	newly enabled netcard
Date: Mon, 31 Dec 2007 16:43:36 +0100

 Either try enabling minidumps (debug.minidump), maybe try adding a 
 different disk device (e.g. ATA) and dumping on that, or just use DDB to 
 obtain the information, either by serial console, hand transcription or 
 photography.
 
 Kris

From: Manolis Kiagias <sonicy@otenet.gr>
To: Kris Kennaway <kris@FreeBSD.org>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/118897: Kernel Panic acquiring IP address from DHCP server
 on	newly enabled netcard
Date: Mon, 31 Dec 2007 20:10:50 +0200

 I finally succeeded in getting the crash dump on a usb disk (never
 thought this was possible)...
 
 I hope this contains what you are looking for, I am kind of new to this
 stuff...
 
 Script started on Mon Dec 31 20:00:13 2007
 [root@pegasus:PEGASUS]#    kgdb kernel.debug /var/crash/vmcore.0  
 [GDB will not be able to debug user-mode threads:
 /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
 GNU gdb 6.1.1 [FreeBSD]
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you
 are
 welcome to change it and/or distribute copies of it under certain
 conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "i386-marcel-freebsd".
  
 Unread portion of the kernel message buffer:
  
 Fatal trap 12: page fault while in kernel mode
 cpuid = 1; apic id = 01
 fault virtual address    = 0x104
 fault code        = supervisor read, page not present
 instruction pointer    = 0x20:0xc052417d
 stack pointer            = 0x28:0xe9591bec
 frame pointer            = 0x28:0xe9591bf8
 code segment        = base 0x0, limit 0xfffff, type 0x1b
             = DPL 0, pres 1, def32 1, gran 1
 processor eflags    = resume, IOPL = 0
 current process        = 1791 (ifconfig)
 trap number        = 12
 panic: page fault
 cpuid = 1
 Uptime: 1m9s
 Dumping 2046 MB (2 chunks)
   chunk 0: 1MB (159 pages) ... ok
   chunk 1: 2046MB (523648 pages) 2030 2014 1998 1982 1966 1950 1934 1918
 1902 1886 1870 1854 1838 1822 1806 1790 1774 1758 1742 1726 1710 1694
 1678 1662 1646 1630 1614 1598 1582 1566 1550 1534 1518 1502 1486 1470
 1454 1438 1422 1406 1390 1374 1358 1342 1326 1310 1294 1278 1262 1246
 1230 1214 1198 1182 1166 1150 1134 1118 1102 1086 1070 1054 1038 1022
 1006 990 974 958 942 926 910 894 878 862 846 830 814 798 782 766 750 734
 718 702 686 670 654 638 622 606 590 574 558 542 526 510 494 478 462 446
 430 414 398 382 366 350 334 318 302 286 270 254 238 222 206 190 174 158
 142 126 110 94 78 62 46 30 14
  
 #0  doadump () at pcpu.h:165
 165        __asm __volatile("movl %%fs:0,%0" : "=r" (td));
 (kgdb) list *0xc052417d
 0xc052417d is in _mtx_lock_sleep (/usr/src/sys/kern/kern_mutex.c:548).
 543             * If the current owner of the lock is executing on another
 544             * CPU, spin instead of blocking.
 545             */
 546            owner = (struct thread *)(v & MTX_FLAGMASK);
 547    #ifdef ADAPTIVE_GIANT
 548            if (TD_IS_RUNNING(owner)) {
 549    #else
 550            if (m != &Giant && TD_IS_RUNNING(owner)) {
 551    #endif
 552                turnstile_release(&m->mtx_object);
 (kgdb) backtrace
 #0  doadump () at pcpu.h:165
 #1  0xc052d81a in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
 #2  0xc052db41 in panic (fmt=0xc06dcdb1 "%s")
     at /usr/src/sys/kern/kern_shutdown.c:565
 #3  0xc06af804 in trap_fatal (frame=0xe9591bac, eva=260)
     at /usr/src/sys/i386/i386/trap.c:838
 #4  0xc06aefba in trap (frame=
       {tf_fs = -380043256, tf_es = 40, tf_ds = -1066074072, tf_edi =
 -956558976, tf_esi = 4, tf_ebp = -380036104, tf_isp = -380036136, tf_ebx
 = -951325060, tf_edx = 6, tf_ecx = -951325184, tf_eax = 1, tf_trapno =
 12, tf_err = 0, tf_eip = -1068351107, tf_cs = 32, tf_eflags = 65538,
 tf_esp = 0, tf_ss = -2145359591})
     at /usr/src/sys/i386/i386/trap.c:270
 #5  0xc069a9ba in calltrap () at /usr/src/sys/i386/i386/exception.s:139
 #6  0xc052417d in _mtx_lock_sleep (m=0xc74bee7c, tid=3338408320, opts=0, 
     file=0x0, line=0) at /usr/src/sys/kern/kern_mutex.c:546
 #7  0xc05c82bf in in_control (so=0xc70be000, cmd=2149607705, 
     data=0xc6fbd9a0 "bfe0", ifp=0xc6d5f800, td=0xc6fc1180)
     at /usr/src/sys/netinet/in.c:485
 #8  0xc059e47b in ifioctl (so=0xc70be000, cmd=2149607705, 
     data=0xc6fbd9a0 "bfe0", td=0xc6fc1180) at /usr/src/sys/net/if.c:1612
 #9  0xc0557f6b in soo_ioctl (fp=0x1, cmd=2149607705, data=0xc6fbd9a0, 
     active_cred=0xc6bdd780, td=0xc6fc1180)
     at /usr/src/sys/kern/sys_socket.c:214
 #10 0xc0552191 in ioctl (td=0xc6fc1180, uap=0xe9591d04) at file.h:265
 ---Type <return> to continue, or q <return> to quit--- 
 #11 0xc06afb4b in syscall (frame=
       {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 134570944, tf_esi =
 -1077940406, tf_ebp = -1077940744, tf_isp = -380035740, tf_ebx = 0,
 tf_edx = 134583201, tf_ecx = 134570944, tf_eax = 54, tf_trapno = 12,
 tf_err = 2, tf_eip = 672438819, tf_cs = 51, tf_eflags = 642, tf_esp =
 -1077942868, tf_ss = 59})
     at /usr/src/sys/i386/i386/trap.c:984
 #12 0xc069aa0f in Xint0x80_syscall ()
     at /usr/src/sys/i386/i386/exception.s:200
 #13 0x00000033 in ?? ()
 Previous frame inner to this frame (corrupt stack?)
 (kgdb) quit
 
 Script done on Mon Dec 31 20:01:44 2007
State-Changed-From-To: feedback->open 
State-Changed-By: vwe 
State-Changed-When: Fri May 2 10:34:13 UTC 2008 
State-Changed-Why:  

Feedback has been provided. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=118897 
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: vwe 
Responsible-Changed-When: Wed Jan 14 23:51:00 UTC 2009 
Responsible-Changed-Why:  

Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=118897 
State-Changed-From-To: open->feedback 
State-Changed-By: yongari 
State-Changed-When: Thu Jan 15 02:06:33 UTC 2009 
State-Changed-Why:  
I think all known bugs in bfe(4) were fixed. 
Can you still reproduce the issue on 6.4-RELEASE or 7.1-RELEASE? 


Responsible-Changed-From-To: freebsd-net->yongari 
Responsible-Changed-By: yongari 
Responsible-Changed-When: Thu Jan 15 02:06:33 UTC 2009 
Responsible-Changed-Why:  
Grab. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=118897 
State-Changed-From-To: feedback->closed 
State-Changed-By: yongari 
State-Changed-When: Fri Jan 16 02:07:38 UTC 2009 
State-Changed-Why:  
Feeback received. Submitter has no more access to bfe(4) controller. 
I believe instability issues of bfe(4) were solved in 7.1-RELEASE 
and 6.4-RELEASE. If you encounter the same issue again we can reopen 
this PR. Thanks for reporting. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=118897 
>Unformatted:
