From owner-freebsd-bugs  Sun Mar 23 10:10:20 2003
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 73A8137B401
	for <freebsd-bugs@hub.freebsd.org>; Sun, 23 Mar 2003 10:10:17 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 3AC3E43FB1
	for <freebsd-bugs@hub.freebsd.org>; Sun, 23 Mar 2003 10:10:15 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id h2NIAFNS061485
	for <freebsd-bugs@freefall.freebsd.org>; Sun, 23 Mar 2003 10:10:15 -0800 (PST)
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.6/8.12.6/Submit) id h2NIAFHO061484;
	Sun, 23 Mar 2003 10:10:15 -0800 (PST)
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 74C3A37B401
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 23 Mar 2003 10:06:11 -0800 (PST)
Received: from hotmail.com (f103.pav2.hotmail.com [64.4.37.103])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 058E943F85
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 23 Mar 2003 10:06:11 -0800 (PST)
	(envelope-from lazykang@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	 Sun, 23 Mar 2003 10:06:10 -0800
Received: from 218.246.96.6 by pv2fd.pav2.hotmail.msn.com with HTTP;
	Sun, 23 Mar 2003 18:06:10 GMT
Message-Id: <F103XXUv1MJ3G9Vbj2l000025c4@hotmail.com>
Date: Mon, 24 Mar 2003 02:06:10 +0800
From: "Kang Liu" <lazykang@hotmail.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/50216: kernel panic on 5.0-current when use ipfw2 with dynamic rules
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-bugs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-bugs>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-bugs>
X-Loop: FreeBSD.org


>Number:         50216
>Category:       kern
>Synopsis:       kernel panic on 5.0-current when use ipfw2 with dynamic rules
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 23 10:10:14 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Kang Liu
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
Beijing University of Technology
>Environment:
System: FreeBSD cnproxy.bjpu.edu.cn 5.0-CURRENT FreeBSD 5.0-CURRENT #2: Sun 
Mar 23 21:35:41 CST 2003 
root@cnproxy.bjpu.edu.cn:/usr/obj/usr/src/sys/CNPROXY i386
DELL poweredge2650 CPU: 2*Intel(R) Xeon(TM) CPU 2.00GHz (1993.54-MHz 
686-class CPU) (SMP and HyperThreading are both enabled in kenrel 
configuration file)
>Description:
  I tried to use ipfw2 with dynamic rules by commands shown below:
ipfw add allow tcp from any to any established
ipfw add allow tcp from 192.168.0.0/16 to server_ip some_ports limit 
src-addr 20 setup
ipfw add allow udp from 192.168.0.0/16 to server_ip some_ports
ipfw add allow tcp from some_ip to server_ip some_ports limit src-addr 80 
setup
... and so on
The kernel will panic immediately while network connection is active. If I 
use static rules instead of those dynamic rules or disable network 
connection by use "ifconfig bge0 down", nothing happens.
I've add "options DDB" and some other debug options into my kernel configure 
file, I get the following message when kernel panic:
----Start of message---
Memory modified after free 0xc9471f0 (124)
panic: Most recently used by IpFw/IpAcct
cpuid=3;lapic.id=0300000
Stack bactrace:
backtrace(c0349879,3000000,C035a79a,e231fabe,1) at backtrace+0x17
panic(c035a79a,c03524d7,7c,c082ab64,c082ab40) at panic+0x10a
mtrash_ctor(c9471f00,80,0,54d,3) at mtrash_ctor+0x5d
uma_zalloc_arg(c082ab40,0,101,c034bc1,1be) at uma_zalloc_arg+0x17f
malloc(48,c037ef20,101,2700001b,e231fc70) at malloc+0xdc
add_dyn_rule(e231fc90,27,c9472180,c9472180,0)at add_dyn_rule+0x7b
install_state(c8fdd70,c8fdd764,e231fc70,e231fbf4,c01f1954)at 
install_state+0x1fd
ipfw_chk(e231fc70,c01cc3ad,c03a96a0,1,c0348bc1)at ipfw_chk+0x9a1
ip_input(c3b52000,0,c0351940,e9,c8b6a240)at ip_input+0x2c3
swi_net(0,0,c0347569,217,c3b18000)at swi_net+0x112
ithread_loop(c3b17080,e231fd48,c0347300,363,0)at ithread_loop+0x182
fork_exit(c01c3190,c3b17080,e231fd48)at fork_exit+0xc4
fork_trampoline()at fork_trampoline+0x1a
--trap 0x1,eip=0,esp=0xe231fd7c,ebp=0--
Debygger("panic")
Stopped at Debugger+0xff:xchgl %ebx,in_Debugger,0
----End of Message---
I copy the message above from screen,I'm not sure whether I've typed it 
exactly as displayed on the screen.I hope it is helpful.
>How-To-Repeat:
use dynamic rules with ipfw2.
(I do not have a machine with only a single CPU to run freebsd-current, the 
problem might be related to SMP or HTT).
>Fix:
Sorry, I can not give and patch now.
The only way I found to get rid of this problem is run ipfw2 with static 
rules instead of dynamic rules.

_________________________________________________________________
The new MSN 8: smart spam protection and 2 months FREE*  
http://join.msn.com/?page=features/junkmail

>Release-Note:
>Audit-Trail:
>Unformatted:
 >rules

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message