From vk@kbb2.kbb.ru  Thu Feb 12 08:18:23 2009
Return-Path: <vk@kbb2.kbb.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 336BD1065674
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 12 Feb 2009 08:18:23 +0000 (UTC)
	(envelope-from vk@kbb2.kbb.ru)
Received: from kbb2.kbb.ru (kbb2.kbb.ru [213.184.72.33])
	by mx1.freebsd.org (Postfix) with ESMTP id 3F2498FC25
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 12 Feb 2009 08:18:21 +0000 (UTC)
	(envelope-from vk@kbb2.kbb.ru)
Received: from kbb2.kbb.ru (localhost [127.0.0.1])
	by kbb2.kbb.ru (8.14.3/8.14.2) with ESMTP id n1C888Yr012179
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 12 Feb 2009 15:08:08 +0700 (NKZ)
	(envelope-from vk@kbb2.kbb.ru)
Received: (from vk@localhost)
	by kbb2.kbb.ru (8.14.3/8.14.2/Submit) id n1C887os012178;
	Thu, 12 Feb 2009 15:08:07 +0700 (NKZ)
	(envelope-from vk)
Message-Id: <200902120808.n1C887os012178@kbb2.kbb.ru>
Date: Thu, 12 Feb 2009 15:08:07 +0700 (NKZ)
From: Vladimir Kurtukov <vk@kbb.ru>
Reply-To: Vladimir Kurtukov <vk@kbb.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: 7-STABLE panic in nat_finalise
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         131601
>Category:       kern
>Synopsis:       [ipfilter] [panic] 7-STABLE panic in nat_finalise (tcp=0)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    cy
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 12 08:20:01 UTC 2009
>Closed-Date:    
>Last-Modified:  Wed Jul 03 05:21:19 UTC 2013
>Originator:     Vladimir Kurtukov
>Release:        FreeBSD 7.1-STABLE amd64
>Organization:
KuznetskBusinessBank
>Environment:
System: FreeBSD kbb2.kbb.ru 7.1-STABLE FreeBSD 7.1-STABLE #0: Fri Jan 16 12:11:42 NKZ 2009 vk@kbb2.kbb.ru:/usr/src/sys/amd64/compile/KBB2 amd64

CPU: Intel(R) Core(TM)2 Quad CPU    Q6600  @ 2.40GHz (2405.46-MHz K8-class CPU)
usable memory = 4282646528 (4084 MB)
avail memory  = 4121227264 (3930 MB)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs

aac0: <Adaptec SATA RAID 2420SA> mem 0xfe800000-0xfe9fffff,0xfeaff000-0xfeafffff irq 17 at device 1.

mskc0: <Marvell Yukon 88E8056 Gigabit Ethernet> port 0xd800-0xd8ff mem 0xfe6fc000-0xfe6fffff irq 18
msk0: <Marvell Technology Group Ltd. Yukon EC Ultra Id 0xb4 Rev 0x03> on mskc0

mskc1: <Marvell Yukon 88E8056 Gigabit Ethernet> port 0xc800-0xc8ff mem 0xfe5fc000-0xfe5fffff irq 19
msk1: <Marvell Technology Group Ltd. Yukon EC Ultra Id 0xb4 Rev 0x03> on mskc1

em0: <Intel(R) PRO/1000 Network Connection 6.9.6> port 0xec00-0xec3f mem 0xfebe0000-0xfebfffff,0xfeb

This machine is used as an Internet gateway with FW (ipfw) and NAT (IPF's ipnat with 
LARGE_NAT defined, because there are 4000 NAT rules)

>Description:

Sometimes (1 crash per 2 weeks or even more) the machine panics with:

Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 03
fault virtual address   = 0x4
fault code              = supervisor read data, page not present
instruction pointer     = 0x8:0xffffffffb2f3a316
stack pointer           = 0x10:0xffffffffb0a28220
frame pointer           = 0x10:0xffffffffb0a28270
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 37 (mskc1 taskq)
trap number             = 12
panic: page fault
cpuid = 3
Uptime: 20d13h12m43s
Physical memory: 4084 MB
Dumping 777 MB: 762 746 730 714 698 682 666 650 634 618 602 586 570 554 538 522 506 490 474 458 442 426 410 394 378 362 346 330 314 298 282 266 250 234 218 202 186 170 154 138 122 106 90 74 58 42 26 10

backtrace:
#0  doadump () at ../../../kern/kern_shutdown.c:244
244             dumptid = curthread->td_tid;
(kgdb) bt
#0  doadump () at ../../../kern/kern_shutdown.c:244
#1  0xffffffff803908be in boot (howto=260) at ../../../kern/kern_shutdown.c:418
#2  0xffffffff80390e0d in panic (fmt=Could not find the frame base for "panic".
) at ../../../kern/kern_shutdown.c:574
#3  0xffffffff806d8892 in trap_fatal (frame=0xffffffffb0a28170, eva=4)
    at ../../../amd64/amd64/trap.c:764
#4  0xffffffff806d8342 in trap_pfault (frame=0xffffffffb0a28170, usermode=0)
    at ../../../amd64/amd64/trap.c:680
#5  0xffffffff806d7d20 in trap (frame=0xffffffffb0a28170) at ../../../amd64/amd64/trap.c:449
#6  0xffffffff806b73ee in calltrap () at ../../../amd64/amd64/exception.S:209
#7  0xffffffffb2f3a316 in nat_finalise (fin=0xffffffffb0a28440, nat=0xffffff002502da00,
    ni=0xffffffffb0a282b0, tcp=0x0, natsave=0x0, direction=0)
    at /usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_nat.c:2577
#8  0xffffffffb2f3a11d in nat_new () from /boot/kernel/ipl.ko
#9  0xffffffffb2f3d53a in fr_checknatin (fin=0xffffffffb0a28440, passp=0xffffffffb0a2843c)
    at /usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_nat.c:4122
#10 0xffffffffb2f5c822 in fr_check (ip=0xffffff004f583810, hlen=20, ifp=0xffffff0003370800,
    out=0, mp=0xffffffffb0a285c8)
    at /usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/fil.c:2572
#11 0xffffffffb2f56ec8 in fr_check_wrapper (arg=0x0, mp=0xffffffffb0a285c8,
    ifp=0xffffff0003370800, dir=1)
    at /usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_fil_freebsd.c:178
#12 0xffffffff8047ae88 in pfil_run_hooks (ph=0xffffffff80928320, mp=0xffffffffb0a28608,
    ifp=0xffffff0003370800, dir=1, inp=0x0) at ../../../net/pfil.c:78
#13 0xffffffff804b0cae in ip_input (m=0xffffff00105be300) at ../../../netinet/ip_input.c:417
#14 0xffffffff8047891c in netisr_dispatch (num=2, m=0xffffff00105be300)
    at ../../../net/netisr.c:185
#15 0xffffffff8046d0b7 in ether_demux (ifp=0xffffff0003370800, m=0xffffff00105be300)
    at ../../../net/if_ethersubr.c:834
#16 0xffffffffb30f50a6 in ng_ether_rcv_upper (node=0xffffff0009f8b100, m=0xffffff00105be300)
    at /usr/src/sys/modules/netgraph/ether/../../../netgraph/ng_ether.c:664
#17 0xffffffffb30f4e02 in ng_ether_rcvdata (hook=0xffffff00097f3e00, item=0xffffff008569a690)
    at /usr/src/sys/modules/netgraph/ether/../../../netgraph/ng_ether.c:586
#18 0xffffffffb30ea8be in ng_apply_item (node=0xffffff0009f8b100, item=0xffffff008569a690, rw=0)
    at /usr/src/sys/modules/netgraph/netgraph/../../../netgraph/ng_base.c:2331
#19 0xffffffffb30ea446 in ng_snd_item (item=0xffffff008569a690, flags=0)
    at /usr/src/sys/modules/netgraph/netgraph/../../../netgraph/ng_base.c:2249
#20 0xffffffffb30f86ef in ng_tee_rcvdata (hook=0xffffff00097f4080, item=0xffffff008569a690)
    at /usr/src/sys/modules/netgraph/tee/../../../netgraph/ng_tee.c:326
#21 0xffffffffb30ea8be in ng_apply_item (node=0xffffff003b38f000, item=0xffffff008569a690, rw=0)
    at /usr/src/sys/modules/netgraph/netgraph/../../../netgraph/ng_base.c:2331
#22 0xffffffffb30ea446 in ng_snd_item (item=0xffffff008569a690, flags=0)
    at /usr/src/sys/modules/netgraph/netgraph/../../../netgraph/ng_base.c:2249
#23 0xffffffffb30f4087 in ng_ether_input () from /boot/kernel/ng_ether.ko
#24 0xffffffff8046cd7a in ether_input (ifp=0xffffff0003370800, m=0xffffff00105be300)
    at ../../../net/if_ethersubr.c:643
#25 0xffffffff802849af in msk_rxeof (sc_if=0xffffffff80c67000, status=3932416, len=60)
    at ../../../dev/msk/if_msk.c:2966
#26 0xffffffff80285934 in msk_handle_events (sc=0xffffff0003348600)
    at ../../../dev/msk/if_msk.c:3341
#27 0xffffffff802862e5 in msk_int_task (arg=0xffffff0003348600, pending=1)
    at ../../../dev/msk/if_msk.c:3523
#28 0xffffffff803daa33 in taskqueue_run (queue=0xffffff0005c09e00)
    at ../../../kern/subr_taskqueue.c:282
#29 0xffffffff803db0e1 in taskqueue_thread_loop (arg=0xffffff00033486d8)
    at ../../../kern/subr_taskqueue.c:401
#30 0xffffffff80360f72 in fork_exit (callout=0xffffffff803db0b0 <taskqueue_thread_loop>,
    arg=0xffffff00033486d8, frame=0xffffffffb0a28c80) at ../../../kern/kern_fork.c:804
#31 0xffffffff806b77be in fork_trampoline () at ../../../amd64/amd64/exception.S:455
#32 0x0000000000000000 in ?? ()
#33 0x0000000000000000 in ?? ()
#34 0x0000000000000001 in ?? ()
#35 0x0000000000000000 in ?? ()
#36 0x0000000000000000 in ?? ()
#37 0x0000000000000000 in ?? ()
#38 0x0000000000000000 in ?? ()
#39 0x0000000000000000 in ?? ()
#40 0x0000000000000000 in ?? ()
#41 0x0000000000000000 in ?? ()
#42 0x0000000000000000 in ?? ()
#43 0x0000000000000000 in ?? ()
#44 0x0000000000000000 in ?? ()
#45 0x0000000000000000 in ?? ()
#46 0x0000000000000000 in ?? ()
#47 0x0000000000000000 in ?? ()
#48 0x0000000000000000 in ?? ()
#49 0x0000000000000000 in ?? ()
#50 0x0000000000000000 in ?? ()
#51 0x0000000000000000 in ?? ()
#52 0x0000000000000000 in ?? ()
#53 0x0000000000000000 in ?? ()
#54 0x0000000000000000 in ?? ()
#55 0x0000000000000000 in ?? ()
#56 0x0000000000bcf000 in ?? ()
#57 0x0000000000000000 in ?? ()
#58 0x0000000000000000 in ?? ()
#59 0x0000000000000000 in ?? ()
#60 0xffffffff803db0b0 in taskqueue_start_threads () at ../../../kern/subr_taskqueue.c:390
(kgdb) list *0xffffffffb2f3a316
0xffffffffb2f3a316 is in nat_finalise (/usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/
ip_nat.c:2577).
2572            nat->nat_ifps[1] = np->in_ifps[1];
2573            nat->nat_ptr = np;
2574            nat->nat_p = fin->fin_p;
2575            nat->nat_mssclamp = np->in_mssclamp;
2576            if (nat->nat_p == IPPROTO_TCP)
2577                    nat->nat_seqnext[0] = ntohl(tcp->th_seq);
2578
2579            if ((np->in_apr != NULL) && ((ni->nai_flags & NAT_SLAVE) == 0))
2580                    if (appr_new(fin, nat) == -1)
2581                            return -1;

Coredump is available by request

>How-To-Repeat:

        Floating bug, can't repeat

>Fix:

	Unknown


>Release-Note:
>Audit-Trail:

From: Vladimir Kurtukov <vk@kbb.ru>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: amd64/131601: 7-STABLE panic in nat_finalise
Date: Thu, 12 Feb 2009 15:48:44 +0700

 (kgdb) frame 7
 #7  0xffffffffb2f3a316 in nat_finalise (fin=0xffffffffb0a28440, nat=0xffffff002502da00,
     ni=0xffffffffb0a282b0, tcp=0x0, natsave=0x0, direction=0)
     at /usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_nat.c:2577
 2577                    nat->nat_seqnext[0] = ntohl(tcp->th_seq);
 (kgdb) p nat->nat_seqnext
 $1 = {0, 0}
 (kgdb) p tcp
 $2 = (tcphdr_t *) 0x0
 (kgdb) p tcp->th_seq
 Cannot access memory at address 0x4
 
 ---
 Best regards, 
   Vladimir
Responsible-Changed-From-To: freebsd-amd64->freebsd-net 
Responsible-Changed-By: gavin 
Responsible-Changed-When: Thu Feb 12 18:54:38 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s).  PR has a full backtrace and submitter 
has a core file for further investigation. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=131601 
Responsible-Changed-From-To: freebsd-net->freebsd-ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Fri Feb 13 14:30:00 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=131601 

From: Vladimir Kurtukov <vk@kbb.ru>
To: bug-followup@FreeBSD.org
Cc:  
Subject: kern/131601: [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
Date: Thu, 19 Feb 2009 10:22:45 +0700

 Quick fix, tested, no panic.
 
 apply in /sys/contrib/ipfilter/netinet
 
 --- ip_nat.c.std        2007-10-31 12:00:38.000000000 +0700
 +++ ip_nat.c    2009-02-19 10:20:05.000000000 +0700
 @@ -2552,6 +2552,10 @@
  {
         frentry_t *fr;
         ipnat_t *np;
 +
 +       if (fin->fin_p == IPPROTO_TCP && tcp == NULL) {
 +         return -1;
 +       }
 
         np = ni->nai_np;
 
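Review bot: the guard hides the question of why a packet with fin_p == IPPROTO_TCP reaches nat_finalise with tcp == NULL in the first place (the backtrace shows it arriving through fr_checknatin with direction=0); a comment at the new check stating which case it covers, plus a counter or debug message, would make those silently failed NAT-entry creations visible instead of just turning a panic into a dropped translation. Style: the surrounding ipfilter code in the listing (lines 2576-2581) writes single-statement ifs without braces, so `if (fin->fin_p == IPPROTO_TCP && tcp == NULL)` followed by `return -1;` should match that rather than the braced form used here.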
 
 ---
 Best regards, 
   Vladimir
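As an added illustration (not part of this PR, and not ipfilter's own code) of why both reports show fault address 0x4: th_seq is the third field of the TCP header, after the two 16-bit ports, so reading it through a NULL tcphdr_t pointer touches address 4. The model below reproduces the TCP branch of nat_finalise at ip_nat.c:2577 with the submitter's guard placed in front of it. The tcphdr_t layout mirrors the BSD header, but fin_model_t, nat_model_t and the packet bytes are cut-down stand-ins constructed here, not the real fr_info_t and nat_t.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>   /* ntohl */
#include <netinet/in.h>  /* IPPROTO_TCP, IPPROTO_UDP */

/* Stand-in with the same field order as the BSD TCP header:
 * two 16-bit ports, then the 32-bit sequence number at offset 4. */
typedef struct {
    uint16_t th_sport;
    uint16_t th_dport;
    uint32_t th_seq;
    uint32_t th_ack;
} tcphdr_t;

/* Hypothetical cut-down versions of ipfilter's fr_info_t and nat_t:
 * only the fields touched by the TCP branch of nat_finalise are kept. */
typedef struct { int fin_p; } fin_model_t;
typedef struct { int nat_p; uint32_t nat_seqnext[2]; } nat_model_t;

/* The address the CPU faulted on when tcp was NULL: must be 4. */
size_t th_seq_offset(void) { return offsetof(tcphdr_t, th_seq); }

/* Unguarded TCP branch as listed at ip_nat.c:2574-2577 (model).
 * Calling this with tcp == NULL and a TCP fin is the reported panic. */
int finalise_unguarded(fin_model_t *fin, nat_model_t *nat, tcphdr_t *tcp) {
    nat->nat_p = fin->fin_p;
    if (nat->nat_p == IPPROTO_TCP)
        nat->nat_seqnext[0] = ntohl(tcp->th_seq);   /* NULL deref at +4 */
    return 0;
}

/* Same branch with the submitter's check in front of it: refuse to build
 * the entry instead of dereferencing a header that is not there. */
int finalise_guarded(fin_model_t *fin, nat_model_t *nat, tcphdr_t *tcp) {
    if (fin->fin_p == IPPROTO_TCP && tcp == NULL)
        return -1;
    return finalise_unguarded(fin, nat, tcp);
}

/* Normal case: a constructed header whose sequence number is 0x11223344
 * in network byte order; returns the host-order value nat_finalise stores. */
uint32_t seq_from_constructed_packet(void) {
    uint8_t wire[20] = {0};                 /* constructed sample, not captured */
    wire[4] = 0x11; wire[5] = 0x22; wire[6] = 0x33; wire[7] = 0x44;
    tcphdr_t hdr;
    memcpy(&hdr, wire, sizeof hdr);
    fin_model_t fin = { IPPROTO_TCP };
    nat_model_t nat = { 0, {0, 0} };
    if (finalise_guarded(&fin, &nat, &hdr) != 0)
        return 0;
    return nat.nat_seqnext[0];
}

/* The crash case from the PR: TCP protocol, no header pointer.
 * The guarded path returns -1 instead of faulting. */
int null_tcp_case(void) {
    fin_model_t fin = { IPPROTO_TCP };
    nat_model_t nat = { 0, {0, 0} };
    return finalise_guarded(&fin, &nat, NULL);
}

/* Non-TCP entries never touch tcp, so a NULL pointer is harmless there
 * and the guard must not reject them. */
int udp_null_case(void) {
    fin_model_t fin = { IPPROTO_UDP };
    nat_model_t nat = { 0, {0, 0} };
    return finalise_guarded(&fin, &nat, NULL);
}
```

The check the kgdb session performed by hand (`p tcp` is 0x0, `p tcp->th_seq` fails at address 0x4) is what th_seq_offset() confirms structurally: any trap with fault address 4 on this code path is a NULL TCP header, not a corrupted one.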

From: Murat Sürücü <msurucu@karaelmas.edu.tr>
To: <bug-followup@FreeBSD.org>,
	<vk@kbb.ru>
Cc:  
Subject: Re: kern/131601: [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
Date: Thu, 7 May 2009 21:41:58 +0300

 FreeBSD 7.2 - i386
 
 # kgdb kernel.debug /var/crash/vmcore.0 
 GNU gdb 6.1.1 [FreeBSD]
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "i386-marcel-freebsd"...
 
 Unread portion of the kernel message buffer:
 
 Fatal trap 12: page fault while in kernel mode
 cpuid = 2; apic id = 06
 fault virtual address   = 0x4
 fault code              = supervisor read, page not present
 instruction pointer     = 0x20:0xc5abe98b
 stack pointer           = 0x28:0xe58109ac
 frame pointer           = 0x28:0xe5810a28
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, def32 1, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 30 (em1 taskq)
 trap number             = 12
 panic: page fault
 cpuid = 2
 Uptime: 1d3h25m11s
 Physical memory: 2035 MB
 Dumping 209 MB: 194 178 162 146 130 114 98 82 66 50 34 18 2
 
 Reading symbols from /boot/kernel/acpi.ko...Reading symbols from /boot/kernel/acpi.ko.symbols...done.
 done.
 Loaded symbols for /boot/kernel/acpi.ko
 Reading symbols from /boot/kernel/ipl.ko...Reading symbols from /boot/kernel/ipl.ko.symbols...done.
 done.
 Loaded symbols for /boot/kernel/ipl.ko
 #0  doadump () at pcpu.h:196
 196             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
 
 (kgdb) list *0xc5abe98b
 0xc5abe98b is in nat_new (/usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_nat.c:2577).
 2572            nat->nat_ifps[1] = np->in_ifps[1];
 2573            nat->nat_ptr = np;
 2574            nat->nat_p = fin->fin_p;
 2575            nat->nat_mssclamp = np->in_mssclamp;
 2576            if (nat->nat_p == IPPROTO_TCP)
 2577                    nat->nat_seqnext[0] = ntohl(tcp->th_seq);
 2578
 2579            if ((np->in_apr != NULL) && ((ni->nai_flags & NAT_SLAVE) == 0))
 2580                    if (appr_new(fin, nat) == -1)
 2581                            return -1;
 
 (kgdb) backtrace
 #0  doadump () at pcpu.h:196
 #1  0xc07dfa4f in boot (howto=260) at ../../../kern/kern_shutdown.c:418
 #2  0xc07dfd32 in panic (fmt=Variable "fmt" is not available.
 ) at ../../../kern/kern_shutdown.c:574
 #3  0xc0ae8573 in trap_fatal (frame=0xe581096c, eva=4) at ../../../i386/i386/trap.c:939
 #4  0xc0ae8763 in trap_pfault (frame=0xe581096c, usermode=0, eva=4) at ../../../i386/i386/trap.c:852
 #5  0xc0ae90e8 in trap (frame=0xe581096c) at ../../../i386/i386/trap.c:530
 #6  0xc0acd16b in calltrap () at ../../../i386/i386/exception.s:159
 #7  0xc5abe98b in nat_new (fin=0xe5810a84, np=0xc5b13400, natsave=0x0, flags=Variable "flags" is not available.
 )
     at /usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_nat.c:2577
 #8  0xc5ac2654 in fr_checknatin (fin=0xe5810a84, passp=0xe5810b30)
     at /usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_nat.c:4122
 #9  0xc5adb833 in fr_check (ip=0xc5ba5010, hlen=20, ifp=0xc567a800, out=0, mp=0xe5810b7c)
     at /usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/fil.c:2572
 #10 0xc5ad37ee in fr_check_wrapper (arg=0x0, mp=0xe5810b7c, ifp=0xc567a800, dir=1)
     at /usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_fil_freebsd.c:178
 #11 0xc08894a8 in pfil_run_hooks (ph=0xc0ce5580, mp=0xe5810bcc, ifp=0xc567a800, dir=1, inp=0x0)
     at ../../../net/pfil.c:78
 #12 0xc08cf801 in ip_input (m=0xc6c8de00) at ../../../netinet/ip_input.c:416
 #13 0xc0887903 in netisr_dispatch (num=2, m=0xc6c8de00) at ../../../net/netisr.c:185
 #14 0xc087b9c1 in ether_demux (ifp=0xc567a800, m=0xc6c8de00) at ../../../net/if_ethersubr.c:834
 #15 0xc087be2f in ether_input (ifp=0xc567a800, m=0xc6c8de00) at ../../../net/if_ethersubr.c:692
 #16 0xc05bf099 in em_rxeof (adapter=0xc567d000, count=99) at ../../../dev/e1000/if_em.c:4539
 #17 0xc05bf21e in em_handle_rxtx (context=0xc567d000, pending=1) at ../../../dev/e1000/if_em.c:1702
 #18 0xc0815eab in taskqueue_run (queue=0xc566c480) at ../../../kern/subr_taskqueue.c:282
 #19 0xc0816008 in taskqueue_thread_loop (arg=0xc568135c) at ../../../kern/subr_taskqueue.c:401
 #20 0xc07bc298 in fork_exit (callout=0xc0815fa0 <taskqueue_thread_loop>, arg=0xc568135c, frame=0xe5810d38)
     at ../../../kern/kern_fork.c:810
 #21 0xc0acd1e0 in fork_trampoline () at ../../../i386/i386/exception.s:264
 

From: Vladimir Kurtukov <vk@kbb.ru>
To: bug-followup@FreeBSD.org
Cc:  
Subject: kern/131601: [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
Date: Fri,  8 May 2009 08:46:33 +0800

 Use my patch, it works.
 
 Also, those who use the ipnat FTP proxy need to apply this patch.
 
 --- ip_ftp_pxy.c.orig   2007-06-04 10:54:35.000000000 +0800
 +++ ip_ftp_pxy.c        2009-05-08 08:48:04.000000000 +0800
 @@ -1010,6 +1010,8 @@
                 return 0;
         } else if (mlen < 0) {
                 return 0;
 +       } else if (nat->nat_aps == NULL) {
 +               return 0;
         }
 
         aps = nat->nat_aps;
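Review bot: the new branch makes the proxy return 0 (pass the packet without FTP payload inspection) whenever nat->nat_aps is NULL, but nothing records why an entry whose rule carries the FTP proxy can lack its application-proxy state; since appr_new is what sets that state up (ip_nat.c:2579-2581 in the listing earlier in this PR), a NULL nat_aps means the entry was created without it, and that deserves a comment at the check plus a counter, otherwise the proxy silently lets unrewritten PORT/PASV traffic through and nobody sees it. Also, folding the check into the mlen else-if chain ties it to the mlen tests; checking nat_aps before any work on mlen reads more clearly: `if (nat->nat_aps == NULL) return 0;` ahead of the mlen handling.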
 
 ---
 Best regards, 
   Vladimir
  
Responsible-Changed-From-To: freebsd-ipfw->freebsd-net 
Responsible-Changed-By: ae 
Responsible-Changed-When: Mon Jun 6 11:24:06 UTC 2011 
Responsible-Changed-Why:  
Reassign to freebsd-net@. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=131601 
Responsible-Changed-From-To: freebsd-net->cy 
Responsible-Changed-By: cy 
Responsible-Changed-When: Wed Jul 3 05:20:55 UTC 2013 
Responsible-Changed-Why:  
Mine. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=131601 
>Unformatted:
