From owner-freebsd-bugs@FreeBSD.ORG Mon Aug 3 13:50:02 2009
Message-Id: <200908031349.n73DniNV083853@www.freebsd.org>
Date: Mon, 3 Aug 2009 13:49:44 GMT
From: Mark Rekai
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/137392: crash in ip_nat.c line 2577

>Number:         137392
>Category:       kern
>Synopsis:       crash in ip_nat.c line 2577
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 03 13:50:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Mark Rekai
>Release:        7.2-RELEASE-p2
>Organization:
INetU
>Environment:
FreeBSD xxx.xxx.xxx 7.2-RELEASE-p2 FreeBSD 7.2-RELEASE-p2 #13: Mon Jul 6 13:29:25 UTC 2009 root@xxx.xxx.xxx:/usr/obj/usr/src/sys/GENERIC i386
>Description:
[root@xxx /usr/obj/usr/src/sys/GENERIC]# kgdb kernel.debug /var/crash/vmcore.2
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...

Unread portion of the kernel message buffer:

Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 03
fault virtual address = 0x4
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc04a4067
stack pointer = 0x28:0xc67919d8
frame pointer = 0x28:0xc6791a50
code segment = base 0x0, limit 0xfffff, type 0x1b
 = DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 23 (irq256: bge0)
trap number = 12
panic: page fault
cpuid = 3
Uptime: 27d15h6m42s
Physical memory: 3314 MB
Dumping 288 MB: 273 257 241 225 209 193 177 161 145 129 113 97 81 65 49 33 17 1

#0 doadump () at pcpu.h:196
196 __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) list *0xc04a4067
0xc04a4067 is in nat_new (/usr/src/sys/contrib/ipfilter/netinet/ip_nat.c:2577).
2572            nat->nat_ifps[1] = np->in_ifps[1];
2573            nat->nat_ptr = np;
2574            nat->nat_p = fin->fin_p;
2575            nat->nat_mssclamp = np->in_mssclamp;
2576            if (nat->nat_p == IPPROTO_TCP)
2577                    nat->nat_seqnext[0] = ntohl(tcp->th_seq);
2578
2579            if ((np->in_apr != NULL) && ((ni->nai_flags & NAT_SLAVE) == 0))
2580                    if (appr_new(fin, nat) == -1)
2581                            return -1;
(kgdb) backtrace
#0 doadump () at pcpu.h:196
#1 0xc08075d7 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
#2 0xc08078a9 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:574
#3 0xc0b10b0c in trap_fatal (frame=0xc6791998, eva=4) at /usr/src/sys/i386/i386/trap.c:939
#4 0xc0b10d90 in trap_pfault (frame=0xc6791998, usermode=0, eva=4) at /usr/src/sys/i386/i386/trap.c:852
#5 0xc0b1173c in trap (frame=0xc6791998) at /usr/src/sys/i386/i386/trap.c:530
#6 0xc0af5e4b in calltrap () at /usr/src/sys/i386/i386/exception.s:159
#7 0xc04a4067 in nat_new (fin=0xc6791ac8, np=0xc837b200, natsave=0x0, flags=Variable "flags" is not available.
) at /usr/src/sys/contrib/ipfilter/netinet/ip_nat.c:2577
#8 0xc04a8462 in fr_checknatin (fin=0xc6791ac8, passp=0xc6791ac4) at /usr/src/sys/contrib/ipfilter/netinet/ip_nat.c:4122
#9 0xc049ae67 in fr_check (ip=0xc8270010, hlen=20, ifp=0xc69a2c00, out=0, mp=0xc6791bb0) at /usr/src/sys/contrib/ipfilter/netinet/fil.c:2572
#10 0xc049d96f in fr_check_wrapper (arg=0x0, mp=0xc6791bb0, ifp=0xc69a2c00, dir=1) at /usr/src/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c:178
#11 0xc08b1508 in pfil_run_hooks (ph=0xc0cf3060, mp=0xc6791c0c, ifp=0xc69a2c00, dir=1, inp=0x0) at /usr/src/sys/net/pfil.c:78
#12 0xc08f26ea in ip_input (m=0xce513100) at /usr/src/sys/netinet/ip_input.c:416
#13 0xc08afca5 in netisr_dispatch (num=2, m=0xce513100) at /usr/src/sys/net/netisr.c:185
#14 0xc08a5c41 in ether_demux (ifp=0xc69a2c00, m=0xce513100) at /usr/src/sys/net/if_ethersubr.c:834
#15 0xc08a6033 in ether_input (ifp=0xc69a2c00, m=0xce513100) at /usr/src/sys/net/if_ethersubr.c:692
#16 0xc05a72f4 in bge_intr (xsc=0xc69a8000) at /usr/src/sys/dev/bge/if_bge.c:3194
#17 0xc07e553b in ithread_loop (arg=0xc69a7830) at /usr/src/sys/kern/kern_intr.c:1088
#18 0xc07e2089 in fork_exit (callout=0xc07e5380 , arg=0xc69a7830, frame=0xc6791d38) at /usr/src/sys/kern/kern_fork.c:810
#19 0xc0af5ec0 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:264
>How-To-Repeat:
Problem repeats periodically every few weeks across three boxes with same hardware, kernel, duty, and load at same code point. Problem cannot be created manually.
>Fix:
unknown
>Release-Note:
>Audit-Trail:
>Unformatted: