From owner-freebsd-stable@FreeBSD.ORG  Sat Oct 31 01:23:52 2009
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A9F49106566C
	for <freebsd-stable@freebsd.org>; Sat, 31 Oct 2009 01:23:52 +0000 (UTC)
	(envelope-from npapke@acm.org)
Received: from idcmail-mo1so.shaw.ca (idcmail-mo1so.shaw.ca [24.71.223.10])
	by mx1.freebsd.org (Postfix) with ESMTP id 73F0D8FC16
	for <freebsd-stable@freebsd.org>; Sat, 31 Oct 2009 01:23:52 +0000 (UTC)
Received: from pd2ml2so-ssvc.prod.shaw.ca ([10.0.141.134])
	by pd2mo1so-svcs.prod.shaw.ca with ESMTP; 30 Oct 2009 19:23:51 -0600
X-Cloudmark-SP-Filtered: true
X-Cloudmark-SP-Result: v=1.0 c=1 a=68cLX4VTzOUA:10
	a=VF9RaR9bft6c8SsOr3WyFg==:17 a=N54-gffFAAAA:8
	a=lvbMJxvVAAAA:8 a=luTzMvsUMoM8qbpgfkcA:9 a=bHt9PIIbL7lkM9c0MP4A:7
	a=8D6RPzWrqAFcrZqetdMTuii3u5oA:4 a=nAPXUAfsBmEA:10
	a=nEbC6mTbn5IriWlR:21 a=_YDlBiBXMnYkrC6v:21
Received: from unknown (HELO proven.lan) ([24.85.241.34])
	by pd2ml2so-dmz.prod.shaw.ca with ESMTP; 30 Oct 2009 19:23:51 -0600
Received: from proven.lan (localhost [127.0.0.1])
	by proven.lan (8.14.3/8.14.3) with ESMTP id n9V1Npwx024621;
	Fri, 30 Oct 2009 18:23:51 -0700 (PDT) (envelope-from npapke@acm.org)
Received: from localhost (localhost [[UNIX: localhost]])
	by proven.lan (8.14.3/8.14.3/Submit) id n9V1NpNs024620;
	Fri, 30 Oct 2009 18:23:51 -0700 (PDT) (envelope-from npapke@acm.org)
X-Authentication-Warning: proven.lan: npapke set sender to npapke@acm.org
	using -f
From: Norbert Papke <npapke@acm.org>
Organization: Archaeological Filing
To: pyunyh@gmail.com, freebsd-stable@freebsd.org
Date: Fri, 30 Oct 2009 18:23:51 -0700
User-Agent: KMail/1.9.10
References: <200910292156.19845.npapke@acm.org>
	<20091030165451.GA17243@michelle.cdnetworks.com>
In-Reply-To: <20091030165451.GA17243@michelle.cdnetworks.com>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200910301823.51274.npapke@acm.org>
Cc: 
Subject: Re: 7.2 Stable Crash - possibly related to if_re
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 31 Oct 2009 01:23:52 -0000

On October 30, 2009, Pyun YongHyeon wrote:
> On Thu, Oct 29, 2009 at 09:56:19PM -0700, Norbert Papke wrote:
> > This occurred shortly after "scp"ing from a VirtualBox VM to the host. 
> > The file transfer got stuck.  The "re" interface stopped working. 
> > Shortly afterwards, the host crashed.  The "re" interface was used by the
> > host, the guest was using a different NIC in bridged mode.
> >
> >
> > FreeBSD proven.lan 7.2-STABLE FreeBSD 7.2-STABLE #5 r198666: Thu Oct 29
> > 18:36:57 PDT 2009
> >
> > Fatal trap 12: page fault while in kernel mode
> > cpuid = 0; apic id = 00
> > fault virtual address   = 0x18
>
> It looks like a NULL pointer dereference, possibly mbuf related
> one.
>
> > fault code              = supervisor write data, page not present
> > instruction pointer     = 0x8:0xffffffff80d476ee
> > stack pointer           = 0x10:0xffffff8000078ae0
> > frame pointer           = 0x10:0xffffff8000078b40
> > code segment            = base 0x0, limit 0xfffff, type 0x1b
> >                         = DPL 0, pres 1, long 1, def32 0, gran 1
> > processor eflags        = interrupt enabled, resume, IOPL = 0
> > current process         = 18 (swi5: +)
> > Physical memory: 8177 MB
> >
> >

> > #9  0xffffffff807e710e in calltrap ()
> > at /usr/public/freebsd/sources/stable/sys/amd64/amd64/exception.S:218
> > #10 0xffffffff80d476ee in re_rxeof () from /boot/kernel/if_re.ko
>
> Hmm, I think there is a missing information here. Not sure where it
> dereferenced a NULL pointer in re_rxeof(). 

>> #11 0xffffffff80d4a481 in re_int_task (arg=Variable "arg" is not available.
>> ) 
>> 
at /usr/public/freebsd/sources/stable/sys/modules/re/../../dev/re/if_re.c:2191  

I am not sure how much I trust frame 10.  The instruction 
at "0xffffffff80d476ee" is the one after the "retq" from re_rxeof().  Frame 
11 seems OK to me.  The "struct rl_softc*", in particular, looks plausible 
but I don't know enough to say for sure.

> Because that this is the 
> first report for NULL pointer dereference in Rx handler I need more
> information how to reproduce it with minimal configuration. Can you
> also reproduce the issues without virtual box?

I am trying but no luck so far.

> By chance, did you stop the re0 interface with ifconfig when you
> noticed the file transfer got stuck?

It is possible.  I had it happen twice.  The first time I definitely tried 
to "down" re.  I cannot recall what I did the second time.  The crash dump is 
from the second time.

Thanks very much for the response.  I'll try to come up with a better test 
case.  If I succeed, I will report back.

Cheers,
 
-- Norbert Papke.
   npapke@acm.org


http://saveournet.ca
Protecting your Internet's level playing field