From nobody@FreeBSD.org  Tue Jan 10 13:52:13 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6D65116A41F
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 10 Jan 2006 13:52:13 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 70E0D43D5E
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 10 Jan 2006 13:52:12 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k0ADqBBf068325
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 10 Jan 2006 13:52:11 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k0ADqBhf068306;
	Tue, 10 Jan 2006 13:52:11 GMT
	(envelope-from nobody)
Message-Id: <200601101352.k0ADqBhf068306@www.freebsd.org>
Date: Tue, 10 Jan 2006 13:52:11 GMT
From: Aleksey Ovcharenko <aleksey.ovcharenko@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: PC crashed after cold reboot in 2 minutes.
X-Send-Pr-Version: www-2.3

>Number:         91597
>Category:       kern
>Synopsis:       [ipfilter] PC crashed after cold reboot in 2 minutes.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    darrenr
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 10 14:00:17 GMT 2006
>Closed-Date:    Mon Dec 25 14:48:15 GMT 2006
>Last-Modified:  Mon Dec 25 14:48:15 GMT 2006
>Originator:     Aleksey Ovcharenko
>Release:        FreeBSD 6.0-STABLE
>Organization:
>Environment:
FreeBSD localhost 6.0-STABLE FreeBSD 6.0-STABLE #0: Tue Jan 10 14:39:26 EET 2006     root@localhost:/usr/obj/usr/src/sys/KERNEL  i386
>Description:
After powering on the PC, it crashed within 2 minutes with the following error:

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x88
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc047b634
stack pointer           = 0x28:0xd5232c08
frame pointer           = 0x28:0xd5232c24
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 36 (swi4: clock sio)

It happens only once per power-on. It doesn't happen if the PC was rebooted.

The kernel is configured without options INET6.

Here is the backtrace:

#0  doadump () at pcpu.h:165
        in pcpu.h
(kgdb) where
#0  doadump () at pcpu.h:165
#1  0xc05c0320 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:399
#2  0xc05c069d in panic (fmt=0xc07beeb0 "from debugger") at /usr/src/sys/kern/kern_shutdown.c:555
#3  0xc049dbd2 in db_panic (addr=-1069042124, have_addr=0, count=-1, modif=0xd52329f8 "") at /usr/src/sys/ddb/db_command.c:438
#4  0xc049db42 in db_command (last_cmdp=0xc0835ae4, cmd_table=0x0, aux_cmd_tablep=0xc07f1b54, aux_cmd_tablep_end=0xc07f1b58)
    at /usr/src/sys/ddb/db_command.c:350
#5  0xc049dc55 in db_command_loop () at /usr/src/sys/ddb/db_command.c:458
#6  0xc049fe85 in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:221
#7  0xc05df657 in kdb_trap (type=0, code=0, tf=0xd5232bc8) at /usr/src/sys/kern/subr_kdb.c:473
#8  0xc078c22b in trap_fatal (frame=0xd5232bc8, eva=0) at /usr/src/sys/i386/i386/trap.c:827
#9  0xc078bf02 in trap_pfault (frame=0xd5232bc8, usermode=0, eva=136) at /usr/src/sys/i386/i386/trap.c:744
#10 0xc078ba70 in trap (frame=
      {tf_fs = 8, tf_es = 40, tf_ds = 1862271016, tf_edi = 7, tf_esi = -1018524584, tf_ebp = -719115228, tf_isp = -719115276, tf_ebx = -1017757184, tf_edx =
-1017757184, tf_ecx = -1020748672, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1069042124, tf_cs = 32, tf_eflags = 590406, tf_esp = -1017757184, tf_ss
= 0}) at /usr/src/sys/i386/i386/trap.c:434
#11 0xc07780ba in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#12 0xc047b634 in fr_derefrule (frp=0xc34a8c58) at /usr/src/sys/contrib/ipfilter/netinet/fil.c:4507
#13 0xc0495d97 in fr_delstate (is=0xc34a8c00, why=65535) at /usr/src/sys/contrib/ipfilter/netinet/ip_state.c:2779
#14 0xc0495e61 in fr_timeoutstate () at /usr/src/sys/contrib/ipfilter/netinet/ip_state.c:2815
#15 0xc04815ba in fr_slowtimer (ptr=0x0) at /usr/src/sys/contrib/ipfilter/netinet/ip_frag.c:828
#16 0xc05cf726 in softclock (dummy=0x0) at /usr/src/sys/kern/kern_timeout.c:290
#17 0xc05a44f8 in ithread_loop (arg=0xc327d200) at /usr/src/sys/kern/kern_intr.c:547
#18 0xc05a33cf in fork_exit (callout=0xc05a4340 <ithread_loop>, arg=0x0, frame=0x0) at /usr/src/sys/kern/kern_fork.c:789
#19 0xc077811c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:208
(kgdb) bt full
#0  doadump () at pcpu.h:165
No locals.
#1  0xc05c0320 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:399
        first_buf_printf = 1
#2  0xc05c069d in panic (fmt=0xc07beeb0 "from debugger") at /usr/src/sys/kern/kern_shutdown.c:555
        td = (struct thread *) 0xc3289c80
        bootopt = 256
        newpanic = 1
        ap = 0xc3289c80 "\030\204(ц a\"ц"
        buf = "from debugger", '\0' <repeats 242 times>
#3  0xc049dbd2 in db_panic (addr=-1069042124, have_addr=0, count=-1, modif=0xd52329f8 "") at /usr/src/sys/ddb/db_command.c:438
No locals.
#4  0xc049db42 in db_command (last_cmdp=0xc0835ae4, cmd_table=0x0, aux_cmd_tablep=0xc07f1b54, aux_cmd_tablep_end=0xc07f1b58)
    at /usr/src/sys/ddb/db_command.c:350
        cmd = (struct command *) 0xc07a5e60
        t = 0
        modif = "\000c\203ю\f\000\000\000\024*#у\r\000\000\000\000\027\207ю\r\000\000\000\001\000\000\0004*#уf\201vююъ\205ю\aK\000 \204\027\207ю\2004\204юЮc\203юx\000\000\000Юc\203ю\f\000\000\000X*#уя\002Jю\226L}юPЪIю\000\000\000\000\020\000\000\000\f\000\000\000Юc\203юfУIюЮc\203ю [\203юx\000\000\000╪*#у"
        addr = -1069042124
        count = -1
        have_addr = 0
        result = 0
#5  0xc049dc55 in db_command_loop () at /usr/src/sys/ddb/db_command.c:458
No locals.
#6  0xc049fe85 in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:221
        jb = {{_jb = {-719115588, -719115616, -719115536, -719115320, 12, -1068892634, -719115516, -1067574971, -1065428601, -1067574800, -719115536,
      -1067584048}}}
        prev_jb = (void *) 0x0
        bkpt = 0
#7  0xc05df657 in kdb_trap (type=0, code=0, tf=0xd5232bc8) at /usr/src/sys/kern/subr_kdb.c:473
        handled = -719115320
#8  0xc078c22b in trap_fatal (frame=0xd5232bc8, eva=0) at /usr/src/sys/i386/i386/trap.c:827
        eflags = 524802
        code = 524802
        type = 12
        ss = 524802
        esp = 0
        softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27, ssd_dpl = 0, ssd_p = 1, ssd_xx = 4, ssd_xx1 = 0, ssd_def32 = 1, ssd_gran = 1}
        msg = 0x0
#9  0xc078bf02 in trap_pfault (frame=0xd5232bc8, usermode=0, eva=136) at /usr/src/sys/i386/i386/trap.c:744
        va = 0
        vm = (struct vmspace *) 0x0
        map = 0x1
        rv = 1
        ftype = 1 '\001'
        td = (struct thread *) 0xc3289c80
        p = (struct proc *) 0xc3288418
#10 0xc078ba70 in trap (frame=
      {tf_fs = 8, tf_es = 40, tf_ds = 1862271016, tf_edi = 7, tf_esi = -1018524584, tf_ebp = -719115228, tf_isp = -719115276, tf_ebx = -1017757184, tf_edx =
-1017757184, tf_ecx = -1020748672, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1069042124, tf_cs = 32, tf_eflags = 590406, tf_esp = -1017757184, tf_ss
= 0}) at /usr/src/sys/i386/i386/trap.c:434
        td = (struct thread *) 0xc3289c80
        p = (struct proc *) 0xc3288418
        sticks = 0
        i = 0
        ucode = 0
        type = 12
        code = 0
        eva = 136
#11 0xc07780ba in calltrap () at /usr/src/sys/i386/i386/exception.s:139
No locals.
#12 0xc047b634 in fr_derefrule (frp=0xc34a8c58) at /usr/src/sys/contrib/ipfilter/netinet/fil.c:4507
        fr = (frentry_t *) 0xc3564200
#13 0xc0495d97 in fr_delstate (is=0xc34a8c00, why=65535) at /usr/src/sys/contrib/ipfilter/netinet/ip_state.c:2779
No locals.
#14 0xc0495e61 in fr_timeoutstate () at /usr/src/sys/contrib/ipfilter/netinet/ip_state.c:2815
        ifq = (ipftq_t *) 0xc0834c40
        ifqnext = (ipftq_t *) 0x7
        tqe = (ipftqent_t *) 0xc3564200
        tqn = (ipftqent_t *) 0xc339e8c8
        is = (ipstate_t *) 0x0
#15 0xc04815ba in fr_slowtimer (ptr=0x0) at /usr/src/sys/contrib/ipfilter/netinet/ip_frag.c:828
No locals.
#16 0xc05cf726 in softclock (dummy=0x0) at /usr/src/sys/kern/kern_timeout.c:290
        c_func = (void (*)(void *)) 0xc0481560 <fr_slowtimer>
        c_arg = (void *) 0x0
        c_mtx = (struct mtx *) 0xc083d600
        c_flags = 7
        c = (struct callout *) 0xc3289c80
        bucket = (struct callout_tailq *) 0xcd4628b8
        curticks = 128501
        steps = -1065101824
        depth = 1
        mpcalls = 0
        mtxcalls = 0
        gcalls = 1
        wakeup_cookie = -1065101824
#17 0xc05a44f8 in ithread_loop (arg=0xc327d200) at /usr/src/sys/kern/kern_intr.c:547
        ithd = (struct ithd *) 0xc327d200
        ih = (struct intrhand *) 0xc3265c40
        td = (struct thread *) 0xc3289c80
        p = (struct proc *) 0xc3288418
        count = 0
        warned = 0
#18 0xc05a33cf in fork_exit (callout=0xc05a4340 <ithread_loop>, arg=0x0, frame=0x0) at /usr/src/sys/kern/kern_fork.c:789
        p = (struct proc *) 0xc3288418
        td = (struct thread *) 0xc3564200
#19 0xc077811c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:208
No locals.
(kgdb) frame 12
#12 0xc047b634 in fr_derefrule (frp=0xc34a8c58) at /usr/src/sys/contrib/ipfilter/netinet/fil.c:4507
4507                    if (fr->fr_type == FR_T_IPF && fr->fr_satype == FRI_LOOKUP)
(kgdb) list
4502            if (fr->fr_ref == 0) {
4503                    MUTEX_EXIT(&fr->fr_lock);
4504                    MUTEX_DESTROY(&fr->fr_lock);
4505
4506    #ifdef IPFILTER_LOOKUP
4507                    if (fr->fr_type == FR_T_IPF && fr->fr_satype == FRI_LOOKUP)
4508                            ip_lookup_deref(fr->fr_srctype, fr->fr_srcptr);
4509                    if (fr->fr_type == FR_T_IPF && fr->fr_datype == FRI_LOOKUP)
4510                            ip_lookup_deref(fr->fr_dsttype, fr->fr_dstptr);
4511    #endif
(kgdb) p *fr
$1 = {fr_lock = {ipf_lkun_s = {ipf_slk = {mtx_object = {lo_class = 0xc0811004, lo_name = 0xc07beba9 "state filter rule lock",
          lo_type = 0xc07beba9 "state filter rule lock", lo_flags = 131072, lo_list = {tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 4,
        mtx_recurse = 0}, ipf_lname = 0x0}, ipf_emu = {eMm_owner = 0xc0811004 "{l~ю\t", eMm_heldin = 0xc07beba9 "state filter rule lock",
      eMm_magic = 3229346729, eMm_held = 131072, eMm_heldat = 0}}, fr_next = 0xc3650800, fr_grp = 0x0, fr_isc = 0xffffffff, fr_ifas = {0x0, 0x0, 0x0, 0x0},
  fr_ptr = 0x0, fr_comment = 0x0, fr_ref = 0, fr_statecnt = 1, fr_hits = 7, fr_bytes = 503, fr_lastpkt = {tv_sec = 0, tv_usec = 0}, fr_curpps = 0,
  fr_dun = {fru_data = 0x0, fru_caddr = 0x0, fru_ipf = 0x0, fru_func = 0}, fr_func = 0, fr_dsize = 0, fr_pps = 0, fr_statemax = 0, fr_flineno = 0,
  fr_type = 1, fr_flags = 1073759490, fr_logtag = 0, fr_collect = 0, fr_arg = 0, fr_loglevel = 65535, fr_age = {0, 0}, fr_v = 4 '\004', fr_icode = 0 '\0',
  fr_group = '\0' <repeats 15 times>, fr_grhead = '\0' <repeats 15 times>, fr_nattag = {ipt_un = {iptu_num = {0, 0, 0, 0},
      iptu_tag = '\0' <repeats 15 times>}, ipt_not = 0}, fr_ifnames = {'\0' <repeats 15 times>, '\0' <repeats 15 times>, '\0' <repeats 15 times>,
    '\0' <repeats 15 times>}, fr_isctag = '\0' <repeats 15 times>, fr_tifs = {{fd_ifp = 0x0, fd_ip6 = {i6 = {0, 0, 0, 0}, in4 = {s_addr = 0}, vptr = {0x0,
          0x0}, lptr = {0, 0}}, fd_ifname = '\0' <repeats 15 times>}, {fd_ifp = 0x0, fd_ip6 = {i6 = {0, 0, 0, 0}, in4 = {s_addr = 0}, vptr = {0x0, 0x0},
        lptr = {0, 0}}, fd_ifname = '\0' <repeats 15 times>}}, fr_dif = {fd_ifp = 0x0, fd_ip6 = {i6 = {0, 0, 0, 0}, in4 = {s_addr = 0}, vptr = {0x0, 0x0},
      lptr = {0, 0}}, fd_ifname = '\0' <repeats 15 times>}, fr_cksum = 1090602426}
(kgdb) p fr->fr_type
$2 = 1
(kgdb) p fr->fr_satype
(kgdb)
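
Why this per-state copy of the rule faults, and why the one-line fix later in this thread works, as a reduced C model added here (not code from the PR, ipfilter or FreeBSD): the struct layout, the FR_T_/FRI_ values and the function names are constructed stand-ins, kept only as far as the backtrace and the `p *fr` dump above need them (fr_satype is reached through fr_ipf, which shares the fr_dun union with fr_data; fru_ipf is 0x0 in the dump while fr_type is still 1).

```c
#include <string.h>
/* Reduced model of ipfilter's rule struct, constructed for this example (not
 * the real ip_fil.h). As in ipfilter, fr_satype goes through fr_ipf, which
 * shares a union with fr_data. */
enum { FR_T_NONE = 0, FR_T_IPF = 1 };
enum { FRI_NORMAL = 0, FRI_LOOKUP = 1 };
struct fripf { int fri_satype; int fri_datype; };
struct frentry {
    int fr_ref, fr_type;
    union { void *fru_data; struct fripf *fru_ipf; } fr_dun;
};
#define fr_ipf    fr_dun.fru_ipf
#define fr_data   fr_dun.fru_data
#define fr_satype fr_ipf->fri_satype
enum deref_result { DEREF_OK = 0, DEREF_LOOKUP_RELEASED = 1, DEREF_WOULD_FAULT = -1 };

/* Model of the IPFILTER_LOOKUP block of fr_derefrule() once fr_ref reaches 0.
 * Where the kernel faulted (fil.c:4507, a read through NULL fr_ipf), the model
 * reports DEREF_WOULD_FAULT instead of dereferencing. */
enum deref_result model_derefrule(struct frentry *fr)
{
    if (--fr->fr_ref != 0 || fr->fr_type != FR_T_IPF)
        return DEREF_OK;
    if (fr->fr_ipf == NULL)
        return DEREF_WOULD_FAULT;
    return fr->fr_satype == FRI_LOOKUP ? DEREF_LOOKUP_RELEASED : DEREF_OK;
}

/* Per-state copy of a rule as fr_addstate() makes it: copy the rule and drop
 * the shared data pointer. 'patched' adds the one line from the fix. */
struct frentry make_state_copy(const struct frentry *orig, int patched)
{
    struct frentry fr;
    memcpy(&fr, orig, sizeof fr);
    fr.fr_ref = 1;
    fr.fr_data = NULL;          /* fr_ipf is now NULL too: same union */
    if (patched)
        fr.fr_type = FR_T_NONE; /* the FR_T_IPF test now short-circuits */
    return fr;
}

/* Returns 1 when the unpatched copy would fault and the patched one frees cleanly. */
int demo_crash_and_fix(void)
{
    struct fripf ipf = { FRI_LOOKUP, FRI_NORMAL };
    struct frentry rule = { 1, FR_T_IPF, { .fru_ipf = &ipf } };
    struct frentry bad = make_state_copy(&rule, 0);
    struct frentry good = make_state_copy(&rule, 1);
    return model_derefrule(&bad) == DEREF_WOULD_FAULT &&
           model_derefrule(&good) == DEREF_OK;
}
```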

>How-To-Repeat:
1. Enable ipfilter="YES" and ipfs_enable="YES" in /etc/rc.conf.
2. Shut down the PC.
3. Power on the PC.
>Fix:
              
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->darrenr 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Tue Jan 10 14:20:32 UTC 2006 
Responsible-Changed-Why:  
To ipfilter maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=91597 

From: Aleksey Ovcharenko <aleksey.ovcharenko@gmail.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/91597: [ipfilter] PC crashed after cold reboot in 2 minutes.
Date: Fri, 13 Jan 2006 09:33:37 +0200

 Looks like the bug is in the IPFILTER_LOOKUP sections: if the kernel is compiled
 with IPFILTER but without the IPFILTER_LOOKUP option, it works stably.
 
 Obviously the module is compiled with the IPFILTER_LOOKUP option by default, and
 that causes the crash if the ipf module is loaded on boot.
 
 --
 Sincerely Yours, Aleksey Ovcharenko

From: linimon@lonesome.com (Mark Linimon)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/91597: [ipfilter] PC crashed after cold reboot in 2 minutes.
Date: Sun, 26 Feb 2006 09:20:16 -0600

 ----- Forwarded message from Darren Reed <darrenr@hub.freebsd.org> -----
 
 This patch should fix this crash.
 
 Darren
 
 *** ip_state.c  28 Mar 2005 10:47:54 -0000      2.186.2.29
 --- ip_state.c  25 Feb 2006 16:18:58 -0000
 ***************
 *** 663,668 ****
 --- 663,669 ----
   		fr->fr_ref = 0;
   		fr->fr_dsize = 0;
   		fr->fr_data = NULL;
 + 		fr->fr_type = FR_T_NONE;
   
   		fr_resolvedest(&fr->fr_tif, fr->fr_v);
   		fr_resolvedest(&fr->fr_dif, fr->fr_v);
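Review bot: the added `fr->fr_type = FR_T_NONE;` wants a short comment beside it, because nothing at this site says why the type tag is reset: the copied rule keeps fr_type = FR_T_IPF while fr_data, which shares the fr_dun union with fr_ipf, has just been set to NULL, so when the state expires the IPFILTER_LOOKUP block in fr_derefrule (fil.c:4507 in the backtrace) evaluates fr_satype through a NULL fr_ipf; the `p *fr` dump in the report shows exactly that state (fru_ipf = 0x0, fr_ref = 0, fr_type = 1) and the fault address 0x88 is the read through that null pointer. Resetting the tag makes the `fr->fr_type == FR_T_IPF` test fail first, so the fix is correct as far as fr_derefrule goes, but fr_datype, fr_srctype and fr_dsttype (fil.c:4508-4510) sit behind the same union, so any other path that touches them on this per-state copy needs the same guard; worth confirming none does.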
 
State-Changed-From-To: open->feedback 
State-Changed-By: darrenr 
State-Changed-When: Mon Feb 27 04:05:33 UTC 2006 
State-Changed-Why:  


http://www.freebsd.org/cgi/query-pr.cgi?pr=91597 
State-Changed-From-To: feedback->closed 
State-Changed-By: remko 
State-Changed-When: Mon Dec 25 14:48:14 UTC 2006 
State-Changed-Why:  
There was no feedback received about this ticket. Closing it. If there 
is feedback, please let us know so that we can either try to resolve 
this or keep this closed since it was fixed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=91597 
>Unformatted:
