From cohene@MIT.EDU Mon Apr 28 00:26:58 2003
Return-Path:
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C862937B401
	for ; Mon, 28 Apr 2003 00:26:58 -0700 (PDT)
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83])
	by mx1.FreeBSD.org (Postfix) with ESMTP id BB09B43FAF
	for ; Mon, 28 Apr 2003 00:26:57 -0700 (PDT)
	(envelope-from cohene@MIT.EDU)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82])
	by pacific-carrier-annex.mit.edu (8.12.4/8.9.2) with ESMTP id h3S7Qpro006674;
	Mon, 28 Apr 2003 03:26:51 -0400 (EDT)
Received: from melbourne-city-street.mit.edu (MELBOURNE-CITY-STREET.MIT.EDU [18.7.21.86])
	by grand-central-station.mit.edu (8.12.4/8.9.2) with ESMTP id h3S7Qo1G011231;
	Mon, 28 Apr 2003 03:26:51 -0400 (EDT)
Received: from buzzword-bingo.mit.edu (BUZZWORD-BINGO.MIT.EDU [18.7.16.73])
	by melbourne-city-street.mit.edu (8.12.4/8.12.4) with ESMTP id h3S7QoU8003524;
	Mon, 28 Apr 2003 03:26:50 -0400 (EDT)
Received: (from cohene@localhost)
	by buzzword-bingo.mit.edu (8.9.3p2) id DAA14551;
	Mon, 28 Apr 2003 03:26:50 -0400 (EDT)
Message-Id: <200304280726.DAA14551@buzzword-bingo.mit.edu>
Date: Mon, 28 Apr 2003 03:26:50 -0400
From: Eric Cohen
Sender: cohene@MIT.EDU
Reply-To: Eric Cohen
To: FreeBSD-gnats-submit@freebsd.org
Cc: Eric Cohen
Subject: "Fatal trap 12" from bridge code with ipfw enabled, when passing a traceroute.
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number: 51485
>Category: kern
>Synopsis: "Fatal trap 12" from bridge code with ipfw enabled, when passing a traceroute.
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: ipfw
>State: closed
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Apr 28 00:30:11 PDT 2003
>Closed-Date: Mon Jun 02 04:27:21 PDT 2003
>Last-Modified: Mon Jun 02 04:27:21 PDT 2003
>Originator: Eric Cohen
>Release: FreeBSD 5.0-RELEASE i386
>Organization:
>Environment:
System: FreeBSD 5.0-RELEASE FreeBSD 5.0-RELEASE #2: Sat Apr 26 15:53:04 PDT 2003 root@:/usr/src/sys/i386/compile/DATA i386

Dell OptiPlex GXa PII/233 192MB, NatSemi DP83815 10/100, 3Com 3c905-TX
(full dmesg output in attached tgz).
>Description:
I have set up a bridge with an ipfw firewall (see attached archive for
output of "ipfw list" (ipfw_list.txt), and other pertinent configuration
information). When I do a traceroute from outside to a machine on the
other side of the bridge (note that this also causes near simultaneous
tcp traffic, as the output of the traceroute is sent across the network
from outside via ssh), a trap 12 occurs on the bridge machine. Here is
the applicable firewall rule:

    02800 unreach port udp from any to 209.204.154.240/30 dst-port 33435-33524 in via sis0

If I remove this rule and reboot, the bridge will run for a little while,
then if there is some icmp traffic, the bridge machine will appear frozen
(no trap this time). It is, however, still servicing interrupts, as I can
switch vt's, turn numlock on/off etc, and even the bridge is still
functioning (i.e. relaying packets), but all non-interrupt driven routines
of the os are frozen. I also see this behavior if I set the firewall to be
completely open.

I have narrowed the trap problem down to net/bridge.c::bdg_forward line 963.
It looks like ip_fw_chk_ptr (set to ipfw_chk in this case) is called just
before doing "m0 = args.m;", but args.m is set NULL by the call to ipfw_chk.
We then get the trap when "EH_RESTORE(m0);" attempts to dereference m0
(see debug.txt in the attached archive for a log of the debugging session).

I did not attempt to debug the freezing problem, but it seems likely to be
related.

As an aside, the call to bdg_forward appears to be missing from the
backtrace (the bt contains only the caller of bdg_forward, ether_input),
but if you look at the eip in frame #14 "trap", you see that it falls
within bdg_forward, which makes sense given the state of frame #15
(ether_input).

I suspect this is an easy fix for someone who knows this code? I don't know
it though, and don't have the time to understand it well enough right now.
I'd be happy to send the core, or post it somewhere, if someone wants it.
>How-To-Repeat:
Do a traceroute from a machine outside of my bridge to a machine inside of
the bridge, via an ssh session from within the bridge to the machine
outside of the bridge. Use the attached firewall ruleset. This is 100%
reproducible.
>Fix:
Attachment: bridge_ipfw_bug.tgz (uuencoded archive not reproduced here)
>Release-Note:
>Audit-Trail:

Responsible-Changed-From-To: freebsd-bugs->ipfw
Responsible-Changed-By: johan
Responsible-Changed-When: Tue May 6 12:36:41 PDT 2003
Responsible-Changed-Why:
Over to maintainer group.

http://www.freebsd.org/cgi/query-pr.cgi?pr=51485

From: "Ted Mittelstaedt"
To: ,
Cc:
Subject: Re: kern/51485: "Fatal trap 12" from bridge code with ipfw enabled, when passing a traceroute.
Date: Fri, 9 May 2003 23:47:05 -0700

 Can you try replacing the 3c905 card with a better card such as an
 Intel Pro 100 and see if the problem keeps happening?

 Ted Mittelstaedt
 tedm@toybox.placo.com

State-Changed-From-To: open->patched
State-Changed-By: maxim
State-Changed-When: Fri May 23 02:38:57 PDT 2003
State-Changed-Why:
Fixed in rev. 1.63 sys/net/bridge.c in -CURRENT.
http://www.freebsd.org/cgi/query-pr.cgi?pr=51485

State-Changed-From-To: patched->closed
State-Changed-By: maxim
State-Changed-When: Mon Jun 2 04:26:07 PDT 2003
State-Changed-Why:
-STABLE does not contain the vulnerable code.

http://www.freebsd.org/cgi/query-pr.cgi?pr=51485
>Unformatted:
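
The failure mode described in the report, as an added example that is not part of the PR and is not FreeBSD code: a user-space C model in which a firewall hook may consume the packet and leave args.m NULL, with the unchecked caller beside one that tests the pointer before restoring the header. The types and functions (pkt, fw_args, fw_check, mk_pkt, forward_unchecked, forward_checked) and the "port 0 means plain deny" case are hypothetical; only the port range comes from the rule quoted in the description.

```c
/* Added example; pkt, fw_args, fw_check, mk_pkt, forward_* are hypothetical. */
#include <stdlib.h>
#include <string.h>
struct pkt { unsigned char eh[14]; unsigned short dport; };
struct fw_args { struct pkt *m; };
enum { FW_PASS = 0, FW_DENY = 1 };

struct pkt *mk_pkt(unsigned short dport)    /* constructed sample packet */
{
    struct pkt *p = calloc(1, sizeof *p);
    if (p == NULL) abort();
    p->dport = dport;
    return p;
}

/* Stand-in for the firewall hook. For the reject rule's port range it
 * consumes the packet and leaves args->m NULL, as the report observed. */
int fw_check(struct fw_args *args)
{
    if (args->m->dport == 0) return FW_DENY;    /* plain deny, packet intact */
    if (args->m->dport < 33435 || args->m->dport > 33524)
        return FW_PASS;
    free(args->m);
    args->m = NULL;
    return FW_DENY;
}

/* Pattern from the report: the header is restored without testing m0. */
struct pkt *forward_unchecked(struct pkt *m0, const unsigned char *eh)
{
    struct fw_args args = { m0 };
    int verdict = fw_check(&args);
    m0 = args.m;
    memcpy(m0->eh, eh, sizeof m0->eh);          /* NULL dereference on reject */
    if (verdict != FW_PASS) { free(m0); return NULL; }
    return m0;
}

/* Checked caller: re-read args.m and stop if the hook consumed the packet. */
struct pkt *forward_checked(struct pkt *m0, const unsigned char *eh)
{
    struct fw_args args = { m0 };
    int verdict = fw_check(&args);
    m0 = args.m;                                /* old pointer may be stale */
    if (m0 == NULL) return NULL;                /* nothing left to restore */
    memcpy(m0->eh, eh, sizeof m0->eh);          /* models EH_RESTORE(m0) */
    if (verdict != FW_PASS) { free(m0); return NULL; }
    return m0;
}
```

forward_unchecked is shown for comparison only; calling it with a destination port inside 33435-33524 faults in this model the same way the report describes.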