From nobody@FreeBSD.org  Tue Sep 27 06:40:42 2005
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9F01916A41F
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 27 Sep 2005 06:40:42 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 3E3FE43D55
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 27 Sep 2005 06:40:42 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id j8R6egGG086528
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 27 Sep 2005 06:40:42 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id j8R6egLF086527;
	Tue, 27 Sep 2005 06:40:42 GMT
	(envelope-from nobody)
Message-Id: <200509270640.j8R6egLF086527@www.freebsd.org>
Date: Tue, 27 Sep 2005 06:40:42 GMT
From: "Yuriy N. Shkandybin" <jura@networks.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: panic with ifconfig nge
X-Send-Pr-Version: www-2.3

>Number:         86618
>Category:       kern
>Synopsis:       [nge] [panic] panic with ifconfig nge
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    jhb
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 27 06:50:14 GMT 2005
>Closed-Date:    Wed Nov 23 18:57:46 GMT 2005
>Last-Modified:  Wed Nov 23 18:57:46 GMT 2005
>Originator:     Yuriy N. Shkandybin
>Release:        RELENG_6
>Organization:
NetAMS
>Environment:
FreeBSD ftp 6.0-BETA5 FreeBSD 6.0-BETA5 #11: Mon Sep 26 17:09:08 MSD 2005     root@server:/usr/obj/usr/src/sys/FTP  i386

>Description:
Because sc->nge_ldata is allocated without zeroing memory, when nge_stop(sc) is called and the buffers are freed, wrong values might be there.

I believe the same problem applies to HEAD too.

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0x80030
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0512a10
stack pointer           = 0x28:0xe4d16b3c
frame pointer           = 0x28:0xe4d16b4c
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 2818 (ifconfig)
[thread pid 2818 tid 100118 ]
Stopped at      m_freem+0x10:   testb   $0x1,0x10(%eax)
db> trace
Tracing pid 2818 tid 100118 td 0xc1f91a80
m_freem(80020,0,c1fb8400,80206910,c1fa2900) at m_freem+0x10
nge_stop(c1ec7bb8,c244c9d4,805f000,0,e4d16bc4) at nge_stop+0x1b8
nge_init_locked(2,c1f934a0,0,c1f93400,c1fb8400) at nge_init_locked+0x2a
nge_ioctl(c1fb8400,80206910,c2658cc0,c1eb92c0,c2556bcc) at nge_ioctl+0x2f1
ifhwioctl(c2658cc0,c1f91a80,c05d2298,c06a4020,c065e213) at ifhwioctl+0x634
ifioctl(c2556b20,80206910,c2658cc0,c1f91a80,0) at ifioctl+0x68
soo_ioctl(c21a4ab0,80206910,c2658cc0,c2529000,c1f91a80) at soo_ioctl+0x2e8
ioctl(c1f91a80,e4d16d04,c,c,c1f91a80) at ioctl+0x115
syscall(3b,3b,3b,3,1) at syscall+0x223
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (54, FreeBSD ELF32, ioctl), eip = 0x480db35f, esp = 0xbfbfe3dc, ebp = 0xbfbfe428 ---

kgdb
#7  0xc0635164 in trap (frame=
      {tf_fs = -415563768, tf_es = 40, tf_ds = 40, tf_edi = -1040566016, tf_esi = 11, tf_ebp = -415499444, tf_isp = -415499480, tf_ebx = 352, tf_edx = 524320, tf_ecx = 55296, tf_eax = 524320, tf_trapno = 12, tf_err = 0, tf_eip = -1068416848, tf_cs = 32, tf_eflags = 66050, tf_esp = 1000000, tf_ss = 0}) at /usr/src/sys/i386/i386/trap.c:442
#8  0xc061aaca in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#9  0xc05140b0 in m_freem (mb=0x80020) at mbuf.h:420
#10 0xc0471478 in nge_stop (sc=0xc1fa3900) at /usr/src/sys/dev/nge/if_nge.c:2125
#11 0xc04719da in nge_init_locked (sc=0xc1fa3900) at /usr/src/sys/dev/nge/if_nge.c:1685
#12 0xc04732a1 in nge_ioctl (ifp=0xc1fb8400, command=2149607696, data=0xc26f61a0 "nge0")
    at /usr/src/sys/dev/nge/if_nge.c:2018
#13 0xc055a8d4 in ifhwioctl (cmd=0, ifp=0xc1fb8400, data=0xc26f61a0 "nge0", td=0x80020) at /usr/src/sys/net/if.c:1272
#14 0xc055b108 in ifioctl (so=0xc25c2858, cmd=2149607696, data=0xc26f61a0 "nge0", td=0xc24c9a80)
    at /usr/src/sys/net/if.c:1506
#15 0xc0502308 in soo_ioctl (fp=0x80020, cmd=2149607696, data=0xc26f61a0, active_cred=0xc2190c00, td=0xc24c9a80)
    at /usr/src/sys/kern/sys_socket.c:214
#16 0xc04fac95 in ioctl (td=0xc24c9a80, uap=0xe73bfd04) at file.h:258
#17 0xc0635643 in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = -1078001605, tf_edi = 3, tf_esi = 1, tf_ebp = -1077943256, tf_isp = -415498908, tf_ebx = -1077943312, tf_edx = -2145359600, tf_ecx = 134595453, tf_eax = 54, tf_trapno = 12, tf_err = 2, tf_eip = 1208857439, tf_cs = 51, tf_eflags = 583, tf_esp = -1077943332, tf_ss = 59}) at /usr/src/sys/i386/i386/trap.c:986
#18 0xc061ab1f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
#19 0x00000033 in ?? ()

>How-To-Repeat:
ifconfig nge0 up
>Fix:
--- if_nge.c.orig       Mon Sep 26 17:02:00 2005
+++ if_nge.c.my Mon Sep 26 16:59:26 2005
@@ -839,7 +839,7 @@
 
        /* XXX: leaked on error */
        sc->nge_ldata = contigmalloc(sizeof(struct nge_list_data), M_DEVBUF,
-           M_NOWAIT, 0, 0xffffffff, PAGE_SIZE, 0);
+           M_NOWAIT|M_ZERO, 0, 0xffffffff, PAGE_SIZE, 0);
 
        if (sc->nge_ldata == NULL) {
                printf("nge%d: no memory for list buffers!\n", unit);
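Review bot: M_ZERO is the right minimal fix here, because the free loops in nge_stop() only test nge_mbuf against NULL, and on the nge_init_locked() -> nge_stop() path in the trace no descriptor has been populated yet, so the tests are meaningful only if the ring starts out zeroed; contigmalloc(9) accepts M_ZERO, so nothing else in the hunk needs to change. The `/* XXX: leaked on error */` comment two lines above the call is still true after this patch: the block is never released when a later step of attach fails, and a contigfree() on that error path would be the natural companion change. Also check the direction of the diff before applying it: the header timestamps put if_nge.c.orig (17:02:00) later than if_nge.c.my (16:59:26), so make sure the `+` line really is the intended new state.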

>Release-Note:
>Audit-Trail:

From: Yar Tikhiy <yar@comp.chem.msu.su>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: kern/86618: [if_nge] [panic] panic with ifconfig nge
Date: Mon, 3 Oct 2005 14:13:26 +0400

 For the record: here is a detailed explanation of the problem from Yuriy.
 
 ----- Forwarded message from "Yuriy N. Shkandybin" <jura@networks.ru> -----
 
 From: "Yuriy N. Shkandybin" <jura@networks.ru>
 To: Yar Tikhiy <yar@FreeBSD.org>
 Subject: Re: kern/83011: nge vlans broken
 Date: Mon, 3 Oct 2005 14:06:45 +0400
 
 Absolutely!
 There is an nge_stop() call from nge_init_locked();
 it might be noticed from the traces I've provided.
 Also I suppose the problem appears due to the static nge_rx_list and nge_tx_list
 allocation in struct nge_list_data.
 This leads to trash appearing here, and when
 
         for (i = 0; i < NGE_RX_LIST_CNT; i++) {
                 if (sc->nge_ldata->nge_rx_list[i].nge_mbuf != NULL) {
                         m_freem(sc->nge_ldata->nge_rx_list[i].nge_mbuf);
                         sc->nge_ldata->nge_rx_list[i].nge_mbuf = NULL;
                 }
         }
 
 is performed, a wrong sc->nge_ldata->nge_rx_list[i].nge_mbuf appears and this leads to a
 crash.
 
 Jura
 
 
 
 >On Mon, Oct 03, 2005 at 06:50:18AM +0000, Yuriy N. Shkandybin wrote:
 >>
 >> Sure, I've tested and it's definitely fixed.
 >
 >Thanks!
 >
 >> I've got another bug with this driver
 >> See PR 86618
 >
 >Alas, I have no nge(4) hardware, so I posted a message
 >to freebsd-net asking people to review PR 86618.  The
 >problem description looks nearly correct to me though.
 >The only odd point I noticed was that nge_stop was called
 >in response to the "ifconfig nge0 up" command.  Are you sure
 >it wasn't "ifconfig nge0 down"?
 >
 >-- 
 >Yar
 >
 
 ----- End forwarded message -----
 
 -- 
 Yar
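
The failure mode described in the PR's Description and in Yuriy's forwarded explanation above, as an added user-space model (this is not code from the nge(4) driver or from the PR): a descriptor ring is obtained from a contigmalloc-like allocator, and the stop loop quoted above frees every slot whose nge_mbuf pointer is non-NULL. Without M_ZERO the pointers are whatever the allocator left behind, so the NULL test passes for garbage and a bogus pointer reaches the free routine. The value of NGE_RX_LIST_CNT, the 0xA5 fill standing in for stale memory, and the fake_contigmalloc()/fake_m_freem() stand-ins are assumptions of this example; the real m_freem() would page-fault where the model just counts.

```c
/*
 * Added example, not the nge(4) driver's code: a user-space model of
 * kern/86618. The descriptor ring layout, NGE_RX_LIST_CNT, the 0xA5
 * poison fill and the fake_* helpers are assumptions of this model.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NGE_RX_LIST_CNT 64          /* assumed ring size; the PR does not state it */
#define M_NOWAIT 0x0001
#define M_ZERO   0x0100

struct mbuf { int tag; };           /* stand-in for struct mbuf */

struct nge_desc {
    uint32_t     nge_ptr;           /* device-visible fields, irrelevant here */
    uint32_t     nge_cmdsts;
    struct mbuf *nge_mbuf;          /* host-side bookkeeping pointer */
};

struct nge_list_data {
    struct nge_desc nge_rx_list[NGE_RX_LIST_CNT];
};

/* Model of contigmalloc(9). Memory not requested with M_ZERO is filled with
 * 0xA5 to stand for whatever a previous owner left there; real stale
 * contents are unpredictable, which is exactly the problem. */
static void *fake_contigmalloc(size_t size, int flags)
{
    void *p = malloc(size);
    if (p == NULL)
        return NULL;
    memset(p, (flags & M_ZERO) ? 0 : 0xA5, size);
    return p;
}

/* Registry of mbufs this model actually handed out, so the fake m_freem()
 * can refuse pointers it never issued instead of dereferencing them. */
static struct mbuf *live_mbufs[NGE_RX_LIST_CNT];
static int bogus_frees;

static void fake_m_freem(struct mbuf *m)
{
    for (int i = 0; i < NGE_RX_LIST_CNT; i++) {
        if (live_mbufs[i] == m) {
            live_mbufs[i] = NULL;
            free(m);
            return;
        }
    }
    bogus_frees++;                  /* in the kernel: the page fault in m_freem() */
}

/* The free loop from nge_stop() as quoted in the PR, same shape. */
static void model_nge_stop(struct nge_list_data *ld)
{
    for (int i = 0; i < NGE_RX_LIST_CNT; i++) {
        if (ld->nge_rx_list[i].nge_mbuf != NULL) {
            fake_m_freem(ld->nge_rx_list[i].nge_mbuf);
            ld->nge_rx_list[i].nge_mbuf = NULL;
        }
    }
}

/* Number of mbufs still outstanding after a stop; should always be 0. */
int live_count(void)
{
    int n = 0;
    for (int i = 0; i < NGE_RX_LIST_CNT; i++)
        if (live_mbufs[i] != NULL)
            n++;
    return n;
}

/* Allocate the ring with malloc_flags, attach nattach real mbufs to the
 * first slots (0 models the nge_init_locked() -> nge_stop() path, where
 * nothing has been attached yet), then run the stop loop.
 * Returns how many garbage pointers reached m_freem(). */
int run_stop(int malloc_flags, int nattach)
{
    bogus_frees = 0;
    memset(live_mbufs, 0, sizeof(live_mbufs));
    struct nge_list_data *ld = fake_contigmalloc(sizeof(*ld), malloc_flags);
    if (ld == NULL)
        return -1;
    for (int i = 0; i < nattach && i < NGE_RX_LIST_CNT; i++) {
        struct mbuf *m = malloc(sizeof(*m));
        if (m == NULL)
            break;
        m->tag = i;
        live_mbufs[i] = m;
        ld->nge_rx_list[i].nge_mbuf = m;
    }
    model_nge_stop(ld);
    free(ld);
    return bogus_frees;
}

int main(void)
{
    printf("M_NOWAIT,        no mbufs attached: %d bogus m_freem() calls\n",
           run_stop(M_NOWAIT, 0));
    printf("M_NOWAIT|M_ZERO, no mbufs attached: %d bogus m_freem() calls\n",
           run_stop(M_NOWAIT | M_ZERO, 0));
    printf("M_NOWAIT,        8 mbufs attached:  %d bogus m_freem() calls\n",
           run_stop(M_NOWAIT, 8));
    return 0;
}
```

With the unzeroed ring every unpopulated slot holds a non-NULL garbage pointer, so the first stop call after allocation hands all of them to m_freem(); with M_ZERO the same loop frees nothing until real mbufs have been attached, and then frees exactly those.
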
State-Changed-From-To: open->patched 
State-Changed-By: yar 
State-Changed-When: Sat Oct 15 08:30:34 GMT 2005 
State-Changed-Why:  
jhb@ fixed this issue in if_nge.c#1.82. 


Responsible-Changed-From-To: freebsd-bugs->jhb 
Responsible-Changed-By: yar 
Responsible-Changed-When: Sat Oct 15 08:30:34 GMT 2005 
Responsible-Changed-Why:  
jhb@ fixed this issue in if_nge.c#1.82. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=86618 
State-Changed-From-To: patched->closed 
State-Changed-By: jhb 
State-Changed-When: Wed Nov 23 18:57:09 GMT 2005 
State-Changed-Why:  
Should be fixed in 6.0 and later.  Problem does not exist in 5.x and earlier. 
Was introduced with the if_alloc() changes by accident it seems. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=86618 
>Unformatted:
