From eg@gate.zonov.ru  Wed Oct 19 12:23:01 2011
Message-Id: <201110191210.p9JCADIn004984@gate.zonov.ru>
Date: Wed, 19 Oct 2011 16:10:13 +0400 (MSD)
From: Eugene Grosbein <egrosbein@rdtc.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc: qingli@freebsd.org
Subject: [panic] [arp] Repeatable panic in ARP code
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         161805
>Category:       kern
>Synopsis:       [regression] [panic] [arp] Repeatable panic in ARP code
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    qingli
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 19 12:30:10 UTC 2011
>Closed-Date:    
>Last-Modified:  Wed Feb 15 12:30:18 UTC 2012
>Originator:     Eugene Grosbein
>Release:        FreeBSD 8.2-STABLE i386
>Organization:
RDTC JSC
>Environment:
System: FreeBSD gate.zonov.ru 8.2-STABLE FreeBSD 8.2-STABLE #0: Mon Oct 17 20:10:46 MSD 2011 root@gate.zonov.ru:/data/obj/data/src/sys/Office-8 i386

>Description:
	This FreeBSD 8.2-STABLE/i386 system was built from RELENG_8 sources of 17 October 2011.
	It runs mpd-5.3 accepting PPtP connections with proxyarp enabled.
	It panics instantly when a user establishes a PPtP connection
	and generates a crashdump.

>How-To-Repeat:

	Full rc.conf/mpd.conf/etc. are available on request. kgdb shows:

Script started on Wed Oct 19 16:01:10 2011
kgdb /usr/obj/data/src/sys/Office-8/kernel.debug vmcore.0
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address	= 0x0
fault code		= supervisor read, page not present
instruction pointer	= 0x20:0xc09d7df9
stack pointer	        = 0x28:0xe80d09d4
frame pointer	        = 0x28:0xe80d0a04
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 2820 (arp)
trap number		= 12
panic: page fault
cpuid = 1
Uptime: 52s
Physical memory: 2031 MB
Dumping 191 MB: 176 160 144 128 112 96 80 64 48 32 16

Reading symbols from /boot/kernel/dummynet.ko...Reading symbols from /boot/kernel/dummynet.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/dummynet.ko
Reading symbols from /boot/kernel/ng_socket.ko...Reading symbols from /boot/kernel/ng_socket.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_socket.ko
Reading symbols from /boot/kernel/netgraph.ko...Reading symbols from /boot/kernel/netgraph.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/netgraph.ko
Reading symbols from /boot/kernel/ng_mppc.ko...Reading symbols from /boot/kernel/ng_mppc.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_mppc.ko
Reading symbols from /boot/kernel/rc4.ko...Reading symbols from /boot/kernel/rc4.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/rc4.ko
Reading symbols from /boot/kernel/ng_ether.ko...Reading symbols from /boot/kernel/ng_ether.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_ether.ko
Reading symbols from /boot/modules/ng_ipacct.ko...done.
Loaded symbols for /boot/modules/ng_ipacct.ko
Reading symbols from /boot/kernel/ng_tee.ko...Reading symbols from /boot/kernel/ng_tee.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_tee.ko
Reading symbols from /boot/kernel/ng_pptpgre.ko...Reading symbols from /boot/kernel/ng_pptpgre.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_pptpgre.ko
Reading symbols from /boot/kernel/ng_ksocket.ko...Reading symbols from /boot/kernel/ng_ksocket.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_ksocket.ko
Reading symbols from /boot/kernel/ng_iface.ko...Reading symbols from /boot/kernel/ng_iface.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_iface.ko
Reading symbols from /boot/kernel/ng_ppp.ko...Reading symbols from /boot/kernel/ng_ppp.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_ppp.ko
Reading symbols from /boot/kernel/ng_tcpmss.ko...Reading symbols from /boot/kernel/ng_tcpmss.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_tcpmss.ko
#0  doadump () at pcpu.h:231
231	pcpu.h: No such file or directory.
	in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:231
#1  0xc08cd7a3 in boot (howto=260) at /data/src/sys/kern/kern_shutdown.c:441
#2  0xc08cda07 in panic (fmt=Variable "fmt" is not available.
) at /data/src/sys/kern/kern_shutdown.c:614
#3  0xc0c3aadc in trap_fatal (frame=0xe80d0994, eva=0) at /data/src/sys/i386/i386/trap.c:978
#4  0xc0c3ab79 in trap_pfault (frame=0xe80d0994, usermode=0, eva=0) at /data/src/sys/i386/i386/trap.c:840
#5  0xc0c3b859 in trap (frame=0xe80d0994) at /data/src/sys/i386/i386/trap.c:559
#6  0xc0c2216c in calltrap () at /data/src/sys/i386/i386/exception.s:168
#7  0xc09d7df9 in in_lltable_lookup (llt=0xc6143400, flags=Variable "flags" is not available.
) at /data/src/sys/netinet/in.c:1463
#8  0xc098233f in lla_rt_output (rtm=0xc67f0500, info=0xe80d0a7c) at if_llatbl.h:196
#9  0xc098f857 in route_output (m=0xc68a0600, so=0xc5920b44) at /data/src/sys/net/rtsock.c:638
#10 0xc098b498 in raw_usend (so=0xc5920b44, flags=Variable "flags" is not available.
) at /data/src/sys/net/raw_usrreq.c:238
#11 0xc098e695 in rts_send (so=0xc5920b44, flags=0, m=0xc68a0600, nam=0x0, control=0x0, td=0xc655a000)
    at /data/src/sys/net/rtsock.c:386
#12 0xc0930c3a in sosend_generic (so=0xc5920b44, addr=0x0, uio=0xe80d0c48, top=0xc68a0600, control=0x0, flags=0, 
    td=0xc655a000) at /data/src/sys/kern/uipc_socket.c:1294
#13 0xc092ccff in sosend (so=0xc5920b44, addr=0x0, uio=0xe80d0c48, top=0x0, control=0x0, flags=0, td=0xc655a000)
    at /data/src/sys/kern/uipc_socket.c:1338
#14 0xc0913ea3 in soo_write (fp=0xc6887c78, uio=0xe80d0c48, active_cred=0xc5957100, flags=0, td=0xc655a000)
    at /data/src/sys/kern/sys_socket.c:100
#15 0xc090cdf7 in dofilewrite (td=0xc655a000, fd=3, fp=0xc6887c78, auio=0xe80d0c48, offset=-1, flags=0) at file.h:239
#16 0xc090d0e8 in kern_writev (td=0xc655a000, fd=3, auio=0xe80d0c48) at /data/src/sys/kern/sys_generic.c:447
#17 0xc090d16f in write (td=0xc655a000, uap=0xe80d0cec) at /data/src/sys/kern/sys_generic.c:363
#18 0xc0c3b0d2 in syscall (frame=0xe80d0d28) at subr_syscall.c:114
#19 0xc0c221d1 in Xint0x80_syscall () at /data/src/sys/i386/i386/exception.s:266
#20 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) frame 7
#7  0xc09d7df9 in in_lltable_lookup (llt=0xc6143400, flags=Variable "flags" is not available.
) at /data/src/sys/netinet/in.c:1463

1463				if ((*sa ^ *addr) & *mask) {
(kgdb) l
1458			addr = (const char *)l3addr;
1459			len = ((const struct sockaddr_in *)l3addr)->sin_len;
1460			lim = addr + len;
1461	
1462			for ( ; addr < lim; sa++, mask++, addr++) {
1463				if ((*sa ^ *addr) & *mask) {
1464	#ifdef DIAGNOSTIC
1465					log(LOG_INFO, "IPv4 address: \"%s\" is not on the network\n",
1466					    inet_ntoa(((const struct sockaddr_in *)l3addr)->sin_addr));
1467	#endif
(kgdb) p sa
No symbol "sa" in current context.
(kgdb) p addr
No symbol "addr" in current context.
(kgdb) p mask
No symbol "mask" in current context.

>Fix:

	Unknown.


>Release-Note:
>Audit-Trail:

From: Eugene Grosbein <egrosbein@rdtc.ru>
To: bug-followup@FreeBSD.ORG
Cc: qingli@FreeBSD.ORG
Subject: Re: kern/161805: [panic] [arp] Repeatable panic in ARP code
Date: Wed, 19 Oct 2011 20:14:30 +0700

 Hi!
 
 I've downgraded my kernel to tag=RELENG_8 date=2011.10.10.19.00.00,
 just before the recent MFC to ARP code, and the panic disappeared.
 
 Eugene Grosbein
Responsible-Changed-From-To: freebsd-bugs->qingli 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Wed Oct 19 19:16:50 UTC 2011 
Responsible-Changed-Why:  
Definitely looks related to recent merges by Qing. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=161805 

From: Eugene Grosbein <egrosbein@rdtc.ru>
To: "Li, Qing" <qing.li@bluecoat.com>
Cc: Larry Baird <lab@gta.com>, "net@freebsd.org" <net@freebsd.org>,
        bug-followup@freebsd.org
Subject: Re: kern/161805 - patch is on its way
Date: Thu, 20 Oct 2011 16:03:00 +0700

 20.10.2011 14:41, Li, Qing :
 > Hi, 
 > 
 > I believe I have identified the root cause based on the data provided by Larry Baird, but I am 
 > still verifying the patch against the mpd5 code. In a nutshell, the host route installed by mpd5
 > appears to be missing a flag resulting in the crash.
 > 
 > In the meantime, please try the following fix and let me know if it also works for you.
 > 
 > 	http://people.freebsd.org/~qingli/in.c.diff
 > 
 > Thanks,
 > 
 > -- Qing
 
 Thank you for the quick response. This patch works, no more panics and proxyarp works too.
 
 Eugene Grosbein

From: Eugene Grosbein <egrosbein@rdtc.ru>
To: "Li, Qing" <qing.li@bluecoat.com>
Cc: Larry Baird <lab@gta.com>, bug-followup@FreeBSD.ORG
Subject: Re: kern/161805 - patch is on its way
Date: Sat, 22 Oct 2011 21:25:32 +0700

 22.10.2011 03:15, Li, Qing :
 > Hi,
 > 
 > The latest patch is not much different from the last one. If you could just confirm it once
 > again then I will make a commit tonight.
 
 I've just tested the updated patch, it works too. Please commit.
 
 Eugene Grosbein

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/161805: commit references a PR
Date: Tue, 25 Oct 2011 04:06:40 +0000 (UTC)

 Author: qingli
 Date: Tue Oct 25 04:06:29 2011
 New Revision: 226713
 URL: http://svn.freebsd.org/changeset/base/226713
 
 Log:
   Exclude host routes when checking for prefix coverage on multiple
   interfaces. A host route has a NULL mask so check for that condition.
   I have also been told by developers who customize the packet output
   path with direct manipulation of the route entry (or the outgoing
   interface to be specific). This patch checks for the route mask
   explicitly to make sure custom code will not panic.
   
   PR:		kern/161805
   MFC after:	3 days
 
 Modified:
   head/sys/netinet/in.c
 
 Modified: head/sys/netinet/in.c
 ==============================================================================
 --- head/sys/netinet/in.c	Tue Oct 25 01:47:33 2011	(r226712)
 +++ head/sys/netinet/in.c	Tue Oct 25 04:06:29 2011	(r226713)
 @@ -1429,12 +1429,21 @@ in_lltable_rtcheck(struct ifnet *ifp, u_
  	 * on one interface and the corresponding outgoing packet leaves
  	 * another interface.
  	 */
 -	if (rt->rt_ifp != ifp) {
 +	if (!(rt->rt_flags & RTF_HOST) && rt->rt_ifp != ifp) {
  		const char *sa, *mask, *addr, *lim;
  		int len;
  
 -		sa = (const char *)rt_key(rt);
  		mask = (const char *)rt_mask(rt);
 +		/*
 +		 * Just being extra cautious to avoid some custom
 +		 * code getting into trouble.
 +		 */
 +		if (mask == NULL) {
 +			RTFREE_LOCKED(rt);
 +			return (EINVAL);
 +		}
 +
 +		sa = (const char *)rt_key(rt);
  		addr = (const char *)l3addr;
  		len = ((const struct sockaddr_in *)l3addr)->sin_len;
  		lim = addr + len;
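
Review bot: The comment above `if (mask == NULL)` ("Just being extra cautious to avoid some custom code getting into trouble") does not say which routes can reach that branch. The log message states that a host route has a NULL mask, and the new `!(rt->rt_flags & RTF_HOST)` test already skips those, so this path is taken only by a route that has no mask and also lacks RTF_HOST. The comment should name that case, since it is the one in which the byte-wise comparison that follows (in.c:1463 in the kgdb listing of this PR) would read through a NULL `mask`.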
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/161805: commit references a PR
Date: Fri, 28 Oct 2011 03:58:52 +0000 (UTC)

 Author: qingli
 Date: Fri Oct 28 03:58:33 2011
 New Revision: 226877
 URL: http://svn.freebsd.org/changeset/base/226877
 
 Log:
   MFC 226713
   
   Exclude host routes when checking for prefix coverage on multiple
   interfaces. A host route has a NULL mask so check for that condition.
   I have also been told by developers who customize the packet output
   path with direct manipulation of the route entry (or the outgoing
   interface to be specific). This patch checks for the route mask
   explicitly to make sure custom code will not panic.
   
   PR:		kern/161805
 
 Modified:
   stable/8/sys/netinet/in.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
 
 Modified: stable/8/sys/netinet/in.c
 ==============================================================================
 --- stable/8/sys/netinet/in.c	Fri Oct 28 03:42:41 2011	(r226876)
 +++ stable/8/sys/netinet/in.c	Fri Oct 28 03:58:33 2011	(r226877)
 @@ -1449,12 +1449,21 @@ in_lltable_rtcheck(struct ifnet *ifp, u_
  	 * on one interface and the corresponding outgoing packet leaves
  	 * another interface.
  	 */
 -	if (rt->rt_ifp != ifp) {
 +	if (!(rt->rt_flags & RTF_HOST) && rt->rt_ifp != ifp) {
  		const char *sa, *mask, *addr, *lim;
  		int len;
  
 -		sa = (const char *)rt_key(rt);
  		mask = (const char *)rt_mask(rt);
 +		/*
 +		 * Just being extra cautious to avoid some custom
 +		 * code getting into trouble.
 +		 */
 +		if (mask == NULL) {
 +			RTFREE_LOCKED(rt);
 +			return (EINVAL);
 +		}
 +
 +		sa = (const char *)rt_key(rt);
  		addr = (const char *)l3addr;
  		len = ((const struct sockaddr_in *)l3addr)->sin_len;
  		lim = addr + len;
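
Review bot: The new `return (EINVAL);` under `if (mask == NULL)` is silent, while the mismatch branch a few lines further down logs under `#ifdef DIAGNOSTIC` (see the kgdb listing earlier in this PR). A route that ends up here has neither RTF_HOST nor a mask, which the code comment attributes to custom code, so a DIAGNOSTIC `log(LOG_INFO, ...)` naming the address, placed before `RTFREE_LOCKED(rt);`, would make the rejection visible instead of leaving only the error return.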
 

From: Eugene Grosbein <egrosbein@rdtc.ru>
To: bug-followup@FreeBSD.ORG
Cc:  
Subject: Re: kern/161805: [regression] [panic] [arp] Repeatable panic in ARP
 code
Date: Tue, 01 Nov 2011 21:32:43 +0700

 Hi!
 
 Thank you again for fixing this.
 The PR should be closed now: MFC has been done and verified by us.
 
 Eugene Grosbein

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/161805: commit references a PR
Date: Tue,  1 Nov 2011 18:29:14 +0000 (UTC)

 Author: qingli
 Date: Tue Nov  1 18:29:06 2011
 New Revision: 227002
 URL: http://svn.freebsd.org/changeset/base/227002
 
 Log:
   MFC 226713
   
   Exclude host routes when checking for prefix coverage on multiple
   interfaces. A host route has a NULL mask so check for that condition.
   I have also been told by developers who customize the packet output
   path with direct manipulation of the route entry (or the outgoing
   interface to be specific). This patch checks for the route mask
   explicitly to make sure custom code will not panic.
   
   PR:		kern/161805
   Approved by:	re (kib)
 
 Modified:
   stable/9/sys/netinet/in.c
 Directory Properties:
   stable/9/sys/   (props changed)
   stable/9/sys/amd64/include/xen/   (props changed)
   stable/9/sys/boot/   (props changed)
   stable/9/sys/boot/i386/efi/   (props changed)
   stable/9/sys/boot/ia64/efi/   (props changed)
   stable/9/sys/boot/ia64/ski/   (props changed)
   stable/9/sys/boot/powerpc/boot1.chrp/   (props changed)
   stable/9/sys/boot/powerpc/ofw/   (props changed)
   stable/9/sys/cddl/contrib/opensolaris/   (props changed)
   stable/9/sys/conf/   (props changed)
   stable/9/sys/contrib/dev/acpica/   (props changed)
   stable/9/sys/contrib/octeon-sdk/   (props changed)
   stable/9/sys/contrib/pf/   (props changed)
   stable/9/sys/contrib/x86emu/   (props changed)
 
 Modified: stable/9/sys/netinet/in.c
 ==============================================================================
 --- stable/9/sys/netinet/in.c	Tue Nov  1 18:28:33 2011	(r227001)
 +++ stable/9/sys/netinet/in.c	Tue Nov  1 18:29:06 2011	(r227002)
 @@ -1431,12 +1431,21 @@ in_lltable_rtcheck(struct ifnet *ifp, u_
  	 * on one interface and the corresponding outgoing packet leaves
  	 * another interface.
  	 */
 -	if (rt->rt_ifp != ifp) {
 +	if (!(rt->rt_flags & RTF_HOST) && rt->rt_ifp != ifp) {
  		const char *sa, *mask, *addr, *lim;
  		int len;
  
 -		sa = (const char *)rt_key(rt);
  		mask = (const char *)rt_mask(rt);
 +		/*
 +		 * Just being extra cautious to avoid some custom
 +		 * code getting into trouble.
 +		 */
 +		if (mask == NULL) {
 +			RTFREE_LOCKED(rt);
 +			return (EINVAL);
 +		}
 +
 +		sa = (const char *)rt_key(rt);
  		addr = (const char *)l3addr;
  		len = ((const struct sockaddr_in *)l3addr)->sin_len;
  		lim = addr + len;
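
Review bot: In the context lines `len = ((const struct sockaddr_in *)l3addr)->sin_len;` and `lim = addr + len;`, the bound for the walk comes from `l3addr` alone, yet the loop shown in the kgdb listing of this PR advances `sa` and `mask` in step with `addr`. The added check covers a NULL `mask` but not a mask shorter than `len`; consider bounding the walk by the shorter of the two lengths, or stating in the comment why the mask is always at least `len` bytes at this point.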
 

From: Eugene Grosbein <egrosbein@rdtc.ru>
To: qingli@freebsd.org, bug-followup@freebsd.org
Cc:  
Subject: Re: kern/161805: [regression] [panic] [arp] Repeatable panic in ARP
 code
Date: Wed, 15 Feb 2012 19:29:32 +0700

 Hi!
 
 Please close kern/161805 as it was resolved a long time ago.
 
 Eugene Grosbein
>Unformatted:
