From owner-freebsd-stable@FreeBSD.ORG  Wed Mar 26 00:51:31 2008
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C5BD0106566B
	for <freebsd-stable@freebsd.org>; Wed, 26 Mar 2008 00:51:31 +0000 (UTC)
	(envelope-from pyunyh@gmail.com)
Received: from wf-out-1314.google.com (wf-out-1314.google.com [209.85.200.168])
	by mx1.freebsd.org (Postfix) with ESMTP id 527C58FC17
	for <freebsd-stable@freebsd.org>; Wed, 26 Mar 2008 00:51:28 +0000 (UTC)
	(envelope-from pyunyh@gmail.com)
Received: by wf-out-1314.google.com with SMTP id 25so3174655wfa.7
	for <freebsd-stable@freebsd.org>; Tue, 25 Mar 2008 17:51:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta;
	h=domainkey-signature:received:received:received:received:date:from:to:cc:subject:message-id:reply-to:references:mime-version:content-type:content-disposition:in-reply-to:user-agent;
	bh=bmAqierTlFQ4tjXjYYO8g8ZuHHk+sq50i8ZVVfkZqvI=;
	b=LAvj556uO4VhIUCUw6f9RElXC0DlSb7F+w9HHQR4OGxtLuo0fmeY2PLEvdq9HSkk4/6nGzTWq07mrpiAj2P6Jax91L0RrAoxe6J+nk12uQzwwJ4piNy3Ul/SnVjbBzS8UyUdYB80DO7QDe2k9737MRgFOcG+gfGrm9hP8YM2j28=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta;
	h=date:from:to:cc:subject:message-id:reply-to:references:mime-version:content-type:content-disposition:in-reply-to:user-agent;
	b=ox6aQQOPrZWFre5IE2bcbDErpQ/DoG9v8eM7OG+0x7TImkr38RUfwe0dkh+TQkCGnlcbmUEe2oZ2RS/WoodI6Cb0xGudQN4XR2JIa9IfxXoOkRB9o28hDMYnH4GP33D4jqmycjFBrostJIhV7ckrilMZgdusRzt6bnuGhVzpMnI=
Received: by 10.142.158.17 with SMTP id g17mr4736995wfe.106.1206492688210;
	Tue, 25 Mar 2008 17:51:28 -0700 (PDT)
Received: from michelle.cdnetworks.co.kr ( [211.53.35.84])
	by mx.google.com with ESMTPS id 32sm17644067wfa.13.2008.03.25.17.51.25
	(version=TLSv1/SSLv3 cipher=OTHER);
	Tue, 25 Mar 2008 17:51:26 -0700 (PDT)
Received: from michelle.cdnetworks.co.kr (localhost.cdnetworks.co.kr
	[127.0.0.1])
	by michelle.cdnetworks.co.kr (8.13.5/8.13.5) with ESMTP id
	m2Q0pMSs090352
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Wed, 26 Mar 2008 09:51:22 +0900 (KST)
	(envelope-from pyunyh@gmail.com)
Received: (from yongari@localhost)
	by michelle.cdnetworks.co.kr (8.13.5/8.13.5/Submit) id m2Q0pKSs090351; 
	Wed, 26 Mar 2008 09:51:20 +0900 (KST)
	(envelope-from pyunyh@gmail.com)
Date: Wed, 26 Mar 2008 09:51:20 +0900
From: Pyun YongHyeon <pyunyh@gmail.com>
To: Mike Tancsa <mike@sentex.net>
Message-ID: <20080326005120.GA90104@cdnetworks.co.kr>
References: <200803251844.m2PIisxZ021929@lava.sentex.ca>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="jRHKVT23PllUwdXP"
Content-Disposition: inline
In-Reply-To: <200803251844.m2PIisxZ021929@lava.sentex.ca>
User-Agent: Mutt/1.4.2.1i
Cc: freebsd-stable@freebsd.org
Subject: Re: RELENG_7 panic
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: pyunyh@gmail.com
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Mar 2008 00:51:31 -0000


--jRHKVT23PllUwdXP
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Tue, Mar 25, 2008 at 02:44:58PM -0400, Mike Tancsa wrote:
 > I have a RELENG_7 box running in a netboot environment that is 
 > crashing every few days.  I dont have a disk on it yet, so I have no 
 > where to send the coredump.  But I hooked up a serial cable and made 
 > it drop to debugger.  We are going to try a USB connected disk and 
 > configure it as swap so that we can then try and drop the coredump to 
 > it.  Any other suggestions on how to track this down ?
 > 

I guess rl(4) hardware received too long/short frame such that
subsequent code in driver tried to copy recevied frame with invalid
length. I don't have data sheet for rl(4) hardwares so I'm not sure
how this can happen.
Anyway, try attached patch.

 > 
 > db> where
 > Tracing pid 24 tid 100023 td 0xc4cc4cc0
 > kdb_enter(c08587d4,e5301000,1,e5273a9c,e5273a8c,...) at kdb_enter+0x33
 > vm_fault(c1071000,e5301000,1,0,14990740,...) at vm_fault+0x178
 > trap_pfault(0,0,c1072d80,c1072d38,c4d50558,...) at trap_pfault+0x20e
 > trap(e5273bdc) at trap+0x3fa
 > calltrap() at calltrap+0x6
 > --- trap 0xc, eip = 0xc07f5cb6, esp = 0xe5273c1c, ebp = 0xe5273c54 ---
 > generic_bcopy(e5300836,7ac5,0,c4dacc00,0,...) at generic_bcopy+0x1a
 > rl_rxeof(c05c3466,c4cc4cc0,0,1,1273cbc,...) at rl_rxeof+0x139
 > rl_intr(c4d27000,0,c0841c05,46b,0,...) at rl_intr+0xba
 > ithread_loop(c4d809d0,e5273d38,0,0,0,...) at ithread_loop+0x1ab
 > fork_exit(c059da60,c4d809d0,e5273d38) at fork_exit+0x99
 > fork_trampoline() at fork_trampoline+0x8
 > --- trap 0, eip = 0, esp = 0xe5273d70, ebp = 0 ---
 > db> panic
 > panic: from debugger
 > cpuid = 1
 > KDB: stack backtrace:
 > db_trace_self_wrapper(c0845ff1,e52736cc,c05c3367,c4d97340,e52736c8,...) 
 > at db_trace_self_wrapper+0x26
 > kdb_backtrace(c4d97340,e52736c8,c05e1a92,c0830310,c4d97374,...) at 
 > kdb_backtrace+0x29
 > mi_switch(1,0,1,104,0,...) at mi_switch+0x47
 > sched_bind(c4cc4cc0,0,c0843f3c,10e,e527370c,...) at sched_bind+0x60
 > boot(c0844067,1,0,0,1,...) at boot+0x47
 > panic(c0829200,e5273810,c0467c95,c05e3cc3,0,...) at panic+0x13b
 > db_panic(c05e3cc3,0,ffffffff,e527377c,c0469c00,...) at db_panic+0x17
 > db_command_loop(c05e3cc3,0,86,1,0,...) at db_command_loop+0x2f5
 > db_trap(a,0,1,a,e5273924,...) at db_trap+0xc5
 > kdb_trap(a,0,e5273924,0,c4d50558,...) at kdb_trap+0x96
 > trap(e5273924) at trap+0x57b
 > calltrap() at calltrap+0x6
 > --- trap 0xa, eip = 0xc05e3cc3, esp = 0xe5273964, ebp = 0xe527398c ---
 > kdb_enter(c08587d4,e5301000,1,e5273a9c,e5273a8c,...) at kdb_enter+0x33
 > vm_fault(c1071000,e5301000,1,0,14990740,...) at vm_fault+0x178
 > trap_pfault(0,0,c1072d80,c1072d38,c4d50558,...) at trap_pfault+0x20e
 > trap(e5273bdc) at trap+0x3fa
 > calltrap() at calltrap+0x6
 > --- trap 0xc, eip = 0xc07f5cb6, esp = 0xe5273c1c, ebp = 0xe5273c54 ---
 > generic_bcopy(e5300836,7ac5,0,c4dacc00,0,...) at generic_bcopy+0x1a
 > rl_rxeof(c05c3466,c4cc4cc0,0,1,1273cbc,...) at rl_rxeof+0x139
 > rl_intr(c4d27000,0,c0841c05,46b,0,...) at rl_intr+0xba
 > ithread_loop(c4d809d0,e5273d38,0,0,0,...) at ithread_loop+0x1ab
 > fork_exit(c059da60,c4d809d0,e5273d38) at fork_exit+0x99
 > fork_trampoline() at fork_trampoline+0x8
 > --- trap 0, eip = 0, esp = 0xe5273d70, ebp = 0 ---
 > db>
 > 

-- 
Regards,
Pyun YongHyeon

--jRHKVT23PllUwdXP
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="rl.patch"

--- sys/pci/if_rl.c.orig	2008-03-04 13:07:34.000000000 +0900
+++ sys/pci/if_rl.c	2008-03-26 09:35:49.000000000 +0900
@@ -1117,17 +1117,19 @@
 		 * datasheet makes absolutely no mention of this and
 		 * RealTek should be shot for this.
 		 */
-		if ((uint16_t)(rxstat >> 16) == RL_RXSTAT_UNFINISHED)
+		total_len = rxstat >> 16;
+		if (total_len == RL_RXSTAT_UNFINISHED)
 			break;
 
-		if (!(rxstat & RL_RXSTAT_RXOK)) {
+		if (!(rxstat & RL_RXSTAT_RXOK) ||
+		    total_len < ETHER_MIN_LEN ||
+		    total_len > ETHER_MAX_LEN + ETHER_VLAN_ENCAP_LEN) {
 			ifp->if_ierrors++;
 			rl_init_locked(sc);
 			return;
 		}
 
 		/* No errors; receive the packet. */
-		total_len = rxstat >> 16;
 		rx_bytes += total_len + 4;
 
 		/*

--jRHKVT23PllUwdXP--