From: Kris Kennaway <kris@obsecurity.org>
To: Kris Kennaway
Cc: net@FreeBSD.org
Date: Thu, 23 Feb 2006 04:17:58 -0500
Subject: Re: bpf panic
Message-ID: <20060223091758.GA58825@xor.obsecurity.org>
In-Reply-To: <20060223081945.GA57934@xor.obsecurity.org>
List-Id: Networking and TCP/IP with FreeBSD

On Thu, Feb 23, 2006 at 03:19:46AM -0500, Kris Kennaway wrote:
> I ran tcpdump and killall tcpdump in a loop on 7.0, and after a few
> minutes it panicked with:
> 
> Fatal trap 12: page fault while in kernel mode
> cpuid = 0; apic id = 00
> fault virtual address = 0x8
> fault code = supervisor read, page not present
> instruction pointer = 0x20:0xc058d0fb
> stack pointer = 0x28:0xe5007c04
> frame pointer = 0x28:0xe5007c28
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, def32 1, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 9 (em0 taskq)
> [thread pid 9 tid 100019 ]
> Stopped at bpf_mtap+0xf: cmpl $0,0x8(%edi)
> db> wh
> Tracing pid 9 tid 100019 td 0xc63d6340
> bpf_mtap(0,c8f46500,1,2,c63d0001) at bpf_mtap+0xf
> ether_input(c6455c00,c8f46500,c8f46500,c6588880,1) at ether_input+0x15f
> em_rxeof(c656e800,63,1,c06f7be0,c656e9cc) at em_rxeof+0x423
> em_handle_rxtx(c656e800,1,c06fbfa7,50,c658889c) at em_handle_rxtx+0x5b
> taskqueue_run(c6588880,c658889c,c06f0e27,0,1) at taskqueue_run+0x104
> taskqueue_thread_loop(c656e9dc,e5007d38,c06f5c42,31a,c656e9dc) at taskqueue_thread_loop+0x6b
> fork_exit(c053b5f8,c656e9dc,e5007d38) at fork_exit+0xc5
> fork_trampoline() at fork_trampoline+0x8
> --- trap 0x1, eip = 0, esp = 0xe5007d6c, ebp = 0 ---
> db>

On another machine:

Memory modified after free 0xce4cb800(2048) val=a028c0de @ 0xce4cb800
Memory modified after free 0xcc889800(2048) val=a028c0de @ 0xcc889800
Memory modified after free 0xce2b1000(2048) val=a020c0de @ 0xce2b1000

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0x8
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc05b033b
stack pointer = 0x28:0xf562f860
frame pointer = 0x28:0xf562f884
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 29269 (nfsd)
[thread pid 29269 tid 100044 ]
Stopped at bpf_mtap+0xf: cmpl $0,0x8(%edi)
db> wh
Tracing pid 29269 tid 100044 td 0xcc532b60
bpf_mtap(0,ce16ae00,4,f562f8ac,f562f8a8) at bpf_mtap+0xf
fxp_encap(cc546000,ce16ae00,c071eeba,4c2,cc53c0f8) at fxp_encap+0x282
fxp_start_body(cc53c000,0,c071eeba,49a,cc53c000) at fxp_start_body+0x22d
fxp_start(cc53c000,138,0,cc53c000) at fxp_start+0x3c
if_start(cc53c000,0,c0732081,180,2afd2) at if_start+0x88
ether_output_frame(cc53c000,ce16ae00,6,f562fadc,f562fa7c) at ether_output_frame+0x1c1
ether_output(cc53c000,ce16ae00,f562fadc,cc869bb8,cc86b1f8) at ether_output+0x4bb
ip_output(ce16ae00,0,f562fad8,0,0) at ip_output+0x8a9
udp_output(cc86b1f8,ce16ae00,cc765750,0,cc532b60) at udp_output+0x545
udp_send(cc863298,0,ce16ae00,cc765750,0) at udp_send+0x41
sosend(cc863298,cc765750,0,ce16ae00,0) at sosend+0x49e
nfsrv_send(cc863298,cc765750,ce16ae00,1ff,0) at nfsrv_send+0xb9
nfssvc_nfsd(cc532b60,0,c07396f8,9a,f562fc78) at nfssvc_nfsd+0x6a6
nfssvc(cc532b60,f562fd04,8,cc532b60,ccb68420) at nfssvc+0x1f0
syscall(3b,3b,3b,0,0) at syscall+0x304
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (155, FreeBSD ELF32, nfssvc), eip = 0x280c2173, esp = 0xbfbfe4dc, ebp = 0xbfbfe4f8 ---
db>
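As an added example (not code from the post above or from FreeBSD), the following Python script parses a DDB transcript of the shape shown in the report: the "Fatal trap" banner, the allocator's "Memory modified after free" lines, the "Stopped at" instruction and the frames printed by `wh`. On top of the parsed structure it applies two triage heuristics a responder would reach for first: use-after-free reports that preceded the trap, and a fault address that is a small offset from zero in an innermost frame whose pointer argument is 0, which is the shape both traces above have for bpf_mtap. The sample input is an excerpt of the second transcript in the post; the dataclasses, regular expressions and the `diagnose` heuristics are the example's own assumptions about the format.

```python
"""Parse a FreeBSD DDB panic transcript and run two triage heuristics.

Added example, not code from the original post or from FreeBSD; it assumes
only the textual layout visible in the report (regexes below).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Excerpt of the second transcript in the post (frames shortened); not
# constructed data, but not a complete backtrace either.
SAMPLE = """\
Memory modified after free 0xce4cb800(2048) val=a028c0de @ 0xce4cb800
Memory modified after free 0xcc889800(2048) val=a028c0de @ 0xcc889800
Memory modified after free 0xce2b1000(2048) val=a020c0de @ 0xce2b1000
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0x8
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc05b033b
current process = 29269 (nfsd)
Stopped at bpf_mtap+0xf: cmpl $0,0x8(%edi)
db> wh
Tracing pid 29269 tid 100044 td 0xcc532b60
bpf_mtap(0,ce16ae00,4,f562f8ac,f562f8a8) at bpf_mtap+0xf
fxp_encap(cc546000,ce16ae00,c071eeba,4c2,cc53c0f8) at fxp_encap+0x282
fxp_start_body(cc53c000,0,c071eeba,49a,cc53c000) at fxp_start_body+0x22d
if_start(cc53c000,0,c0732081,180,2afd2) at if_start+0x88
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (155, FreeBSD ELF32, nfssvc), eip = 0x280c2173, esp = 0xbfbfe4dc, ebp = 0xbfbfe4f8 ---
db>
"""

# Line shapes assumed from the transcript above (i386 DDB output).
TRAP_RE = re.compile(r"^Fatal trap (\d+): (.*)$")
FAULT_RE = re.compile(r"^fault virtual address\s*=\s*0x([0-9a-f]+)$")
PROC_RE = re.compile(r"^current process\s*=\s*(\d+) \((.*)\)$")
STOP_RE = re.compile(r"^Stopped at (\w+)\+0x([0-9a-f]+):\s*(.*)$")
FRAME_RE = re.compile(r"^(\w+)\(([0-9a-f,]*)\) at (\w+)\+0x([0-9a-f]+)$")
UAF_RE = re.compile(
    r"^Memory modified after free 0x([0-9a-f]+)\((\d+)\) val=([0-9a-f]+) @ 0x([0-9a-f]+)$")


@dataclass
class Frame:
    func: str          # function named on the frame line
    args: List[int]    # the hex arguments DDB printed, as integers
    offset: int        # instruction offset within func


@dataclass
class Panic:
    trap: Optional[int] = None
    description: str = ""
    fault_addr: Optional[int] = None
    pid: Optional[int] = None
    procname: str = ""
    instruction: str = ""
    frames: List[Frame] = field(default_factory=list)          # innermost first
    uaf_reports: List[Tuple[int, int, int, int]] = field(default_factory=list)


def parse_panic(text: str) -> Panic:
    """Walk the transcript once and fill a Panic; unknown lines are ignored."""
    p = Panic()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := TRAP_RE.match(line)):
            p.trap, p.description = int(m.group(1)), m.group(2)
        elif (m := FAULT_RE.match(line)):
            p.fault_addr = int(m.group(1), 16)
        elif (m := PROC_RE.match(line)):
            p.pid, p.procname = int(m.group(1)), m.group(2)
        elif (m := STOP_RE.match(line)):
            p.instruction = m.group(3)
        elif (m := UAF_RE.match(line)):
            addr, size, val, at = m.groups()       # size is decimal, rest hex
            p.uaf_reports.append((int(addr, 16), int(size), int(val, 16), int(at, 16)))
        elif (m := FRAME_RE.match(line)):
            args = [int(a, 16) for a in m.group(2).split(",") if a]
            p.frames.append(Frame(m.group(1), args, int(m.group(4), 16)))
    return p


def diagnose(p: Panic, page_size: int = 4096) -> List[str]:
    """Return human-readable findings; an empty list means neither heuristic fired."""
    findings: List[str] = []
    if p.uaf_reports:
        vals = sorted({hex(r[2]) for r in p.uaf_reports})
        findings.append(
            f"{len(p.uaf_reports)} 'Memory modified after free' report(s) before the trap: "
            f"freed buffers were written after release (values {', '.join(vals)})")
    # A fault address inside the first page, combined with a zero pointer
    # argument in the innermost frame, is the classic NULL->field dereference.
    if p.fault_addr is not None and p.fault_addr < page_size and p.frames:
        top = p.frames[0]
        nulls = [i for i, a in enumerate(top.args) if a == 0]
        if nulls:
            findings.append(
                f"{top.func}+0x{top.offset:x} faulted reading offset 0x{p.fault_addr:x} "
                f"from a NULL pointer; argument(s) {nulls} of {top.func} were 0")
    return findings


if __name__ == "__main__":
    panic = parse_panic(SAMPLE)
    print(f"trap {panic.trap} in pid {panic.pid} ({panic.procname}) at '{panic.instruction}'")
    for finding in diagnose(panic):
        print(" -", finding)
```

Feeding the first transcript from the post through the same parser produces the same second finding (bpf_mtap with argument 0 equal to 0 and a fault at offset 0x8), which is the quickest way to confirm that two crashes from different call paths share one root cause before reading any source.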