From: Vlad Galu
Date: Thu, 18 Mar 2010 00:44:27 +0100
To: freebsd-stable@freebsd.org
Subject: Re: Crash in pf(4) with a fairly recent RELENG_8

On Thu, Mar 18, 2010 at 12:38 AM, Vlad Galu wrote:
> Luckily I could find this coredump:
>
> -- cut here --
> #0  doadump () at pcpu.h:223
> #1  0xffffffff802f4ace in boot (howto=260) at ../../../kern/kern_shutdown.c:416
> #2  0xffffffff802f4eab in panic (fmt=Variable "fmt" is not available.
> ) at ../../../kern/kern_shutdown.c:579
> #3  0xffffffff805064d2 in trap_fatal (frame=0xffffff80000345c0, eva=0)
>     at ../../../amd64/amd64/trap.c:857
> #4  0xffffffff80506e8c in trap (frame=0xffffff80000345c0)
>     at ../../../amd64/amd64/trap.c:644
> #5  0xffffffff804eec93 in calltrap () at ../../../amd64/amd64/exception.S:224
> #6  0xffffffff801a1140 in pf_state_tree_id_RB_MINMAX ()
>     at ../../../contrib/pf/net/pf.c:401
> #7  0xffffffff801a1210 in pf_src_tree_RB_FIND (head=Variable "head" is
> not available.
> )
>     at ../../../contrib/pf/net/pf.c:396
> #8  0xffffffff801a3594 in pf_insert_src_node (sn=0xffffff8000034868,
>     rule=0xffffff0001694000, src=0xffffff000d75701c, af=2 '\002')
>     at ../../../contrib/pf/net/pf.c:850
> #9  0xffffffff801acd6e in pf_test_tcp (rm=0xffffff8000034978,
>     sm=0xffffff8000034970, direction=1, kif=0xffffff000132ab00,
>     m=0xffffff001e052b00, off=20, h=0xffffff000d757010, pd=0xffffff8000034990,
>     am=0xffffff8000034980, rsm=0xffffff8000034968, ifq=0x0, inp=0x0)
>     at ../../../contrib/pf/net/pf.c:3500
> #10 0xffffffff801ae7a6 in pf_test (dir=1, ifp=0xffffff0001201000,
>     m0=0xffffff8000034ac8, eh=Variable "eh" is not available.
> ) at ../../../contrib/pf/net/pf.c:7066
> #11 0xffffffff801b33a9 in pf_check_in (arg=Variable "arg" is not available.
> )
>     at ../../../contrib/pf/net/pf_ioctl.c:3646
> -- and here --
>

The pf_src_node struct in frame #8 is this:

-- cut here--
(kgdb) p k
$1 = {entry = {rbe_left = 0x0, rbe_right = 0x0,
    rbe_parent = 0xffffffff00000000, rbe_color = 0}, addr = {pfa = {v4 = {
        s_addr = 1684237067}, v6 = {__u6_addr = {
          __u6_addr8 = "\vkcd\200???\001\000\000\000\000\000\000",
          __u6_addr16 = {27403, 25699, 65408, 65535, 1, 0, 0, 0},
          __u6_addr32 = {1684237067, 4294967168, 1, 0}}},
    addr8 = "\vkcd\200???\001\000\000\000\000\000\000", addr16 = {27403,
      25699, 65408, 65535, 1, 0, 0, 0}, addr32 = {1684237067, 4294967168,
      1, 0}}}, raddr = {pfa = {v4 = {s_addr = 12}, v6 = {__u6_addr = {
          __u6_addr8 = "\f\000\000\000\000\000\000\000\000?2\001\000???",
          __u6_addr16 = {12, 0, 0, 0, 43776, 306, 65280, 65535},
          __u6_addr32 = {12, 0, 20097792, 4294967040}}},
    addr8 = "\f\000\000\000\000\000\000\000\000?2\001\000???", addr16 = {12,
      0, 0, 0, 43776, 306, 65280, 65535}, addr32 = {12, 0, 20097792,
      4294967040}}}, rule = {ptr = 0xffffff0001694000, nr = 23674880},
  kif = 0xffffffff801a9858, bytes = {18446743523953737740,
    18446742974423724064}, packets = {3354, 17179869187}, states = 23510160,
  conn = 4294967040, conn_rate = {limit = 23403040, seconds = 4294967040,
    count = 20097792, last = 4294967040}, creation = 2, expire = 0,
  af = 2 '\002', ruletype = 0 '\0'}
-- and here--

The byte count looks weird...