kern/118432: [ng_nat] kernel libalias: repeatable panic (double fault)

Eugene Grosbein eugen at kuzbass.ru
Tue Dec 4 10:40:02 PST 2007 

>Number:         118432
>Category:       kern
>Synopsis:       [ng_nat] kernel libalias: repeatable panic (double fault)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 04 18:40:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Eugene Grosbein
>Release:        FreeBSD 6.3-PRERELEASE i386
>Organization:
Svyaz-Service JSC
>Environment:
System: FreeBSD gw.grosbein.pp.ru 6.3-PRERELEASE FreeBSD 6.3-PRERELEASE #2: Tue Dec  4 14:02:57 UTC 2007

>Description:

	My home router panices instantly if I run BitchX IRC client
	at the desktop which traffic flows through the panicing router.
	And I've got nice crashdump. Note that is does not panics
	when there is no BitchX running but lots of other traffic:
	SMTP/HTTP/SSH/CVSup etc.

	Here is kgdb's output:

Script started on Wed Dec  5 01:13:38 2007
kgdb: kvm_nlist(_stopped_cpus): 
kgdb: kvm_nlist(_stoppcbs): 
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:

Fatal double fault:
eip = 0xc0557f11
esp = 0xc4e2e974
ebp = 0xc4e3e9a4
panic: double fault
KDB: stack backtrace:
kdb_backtrace(100,c1091300,0,0,0,...) at 0xc04c5949 = kdb_backtrace+0x29
panic(c064dba7,c064df97,c4e3e9a4,0,0,...) at 0xc04ac2e4 = panic+0xa4
dblfault_handler() at 0xc0605702 = dblfault_handler+0x52
--- trap 0x17, eip = 0xc0557f11, esp = 0xc4e2e974, ebp = 0xc4e3e9a4 ---
AliasHandleIrcOut(c12f8000,c1145800,c15dc800,800) at 0xc0557f11 = AliasHandleIrcOut+0x21
TcpAliasOut(c12f8000,c1145800,800,1) at 0xc0554997 = TcpAliasOut+0x327
LibAliasOutTry(c12f8000,c1145800,800,1,c4e3ea50,...) at 0xc0555115 = LibAliasOutTry+0x155
LibAliasOut(c12f8000,c1145800,800) at 0xc0554fb3 = LibAliasOut+0x13
ng_nat_rcvdata(c1217480,c12ef390,0,c12bc600,c12bc654,...) at 0xc0528e0b = ng_nat_rcvdata+0xeb
ng_apply_item(c12bc600,c12ef390,1,c12ef390,c4e3ebe8,...) at 0xc0526bc5 = ng_apply_item+0x95
ng_snd_item(c12ef390,0) at 0xc0526a64 = ng_snd_item+0x484
ng_ipfw_input(c4e3ebe8,0,c4e3eae0,0,c119c400,...) at 0xc0528a6c = ng_ipfw_input+0x12c
ipfw_check_out(0,c4e3ebe8,c11b6800,2,0) at 0xc053e5f3 = ipfw_check_out+0x2a3
pfil_run_hooks(c068ef80,c4e3ec54,c11b6800,2,0) at 0xc0518b2f = pfil_run_hooks+0xcf
ip_fastforward(c119c400) at 0xc0537c11 = ip_fastforward+0x411
ether_demux(c10fb000,c119c400,c10f70b4,c4e3ecb0,c0453758,...) at 0xc05165bf = ether_demux+0x26f
ether_input(c10fb000,c119c400,c10f7018,0,c0625c86,...) at 0xc0516339 = ether_input+0x219
fxp_intr_body(c10f7000,c10fb000,40,ffffffff) at 0xc0453758 = fxp_intr_body+0x1a8
fxp_intr(c10f7000) at 0xc0453494 = fxp_intr+0x94
ithread_execute_handlers(c1096218,c1083800) at 0xc0498c31 = ithread_execute_handlers+0xe1
ithread_loop(c10f38b0,c4e3ed38,c10f38b0,c0498d10,0,...) at 0xc0498d7e = ithread_loop+0x6e
fork_exit(c0498d10,c10f38b0,c4e3ed38) at 0xc0497e28 = fork_exit+0xa8
fork_trampoline() at 0xc05f67fc = fork_trampoline+0x8
--- trap 0x1, eip = 0, esp = 0xc4e3ed6c, ebp = 0 ---
Uptime: 14m4s
Dumping 47 MB (2 chunks)
  chunk 0: 1MB (160 pages) ... ok
  chunk 1: 47MB (12032 pages) 32 16

#0  doadump () at pcpu.h:165
165	pcpu.h: No such file or directory.
	in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc04ac076 in boot (howto=260) at /usr/local/smallworld/usr/src/sys/kern/kern_shutdown.c:409
#2  0xc04ac34b in panic (fmt=0xc064dba7 "double fault") at /usr/local/smallworld/usr/src/sys/kern/kern_shutdown.c:565
#3  0xc0605702 in dblfault_handler () at /usr/local/smallworld/usr/src/sys/i386/i386/trap.c:867
#4  0xc0557f11 in AliasHandleIrcOut (la=0xc12f8000, pip=0xc1145800, lnk=0xc15dc800, maxsize=2048) at alias_local.h:353
#5  0xc0554997 in TcpAliasOut (la=0xc12f8000, pip=0xc1145800, maxpacketsize=2048, create=1)
    at /usr/local/smallworld/usr/src/sys/netinet/libalias/alias.c:999
#6  0xc0555115 in LibAliasOutTry (la=0xc12f8000, ptr=0xc1145800 "E", maxpacketsize=2048, create=1)
    at /usr/local/smallworld/usr/src/sys/netinet/libalias/alias.c:1322
#7  0xc0554fb3 in LibAliasOut (la=0xc12f8000, ptr=0xc1145800 "E", maxpacketsize=2048)
    at /usr/local/smallworld/usr/src/sys/netinet/libalias/alias.c:1263
#8  0xc0528e0b in ng_nat_rcvdata (hook=0xc1217480, item=0xc12ef390)
    at /usr/local/smallworld/usr/src/sys/netgraph/ng_nat.c:295
#9  0xc0526bc5 in ng_apply_item (node=0xc12bc600, item=0xc12ef390, rw=1)
    at /usr/local/smallworld/usr/src/sys/netgraph/ng_base.c:2395
#10 0xc0526a64 in ng_snd_item (item=0xc12ef390, flags=0) at /usr/local/smallworld/usr/src/sys/netgraph/ng_base.c:2323
#11 0xc0528a6c in ng_ipfw_input (m0=0xc4e3ebe8, dir=-1055631340, fwa=0xc4e3eae0, tee=-1053887600)
    at /usr/local/smallworld/usr/src/sys/netgraph/ng_ipfw.c:310
#12 0xc053e5f3 in ipfw_check_out (arg=0x0, m0=0xc4e3ebe8, ifp=0xc11b6800, dir=2, inp=0x0)
    at /usr/local/smallworld/usr/src/sys/netinet/ip_fw_pfil.c:317
#13 0xc0518b2f in pfil_run_hooks (ph=0xc068ef80, mp=0xc4e3ec54, ifp=0xc11b6800, dir=2, inp=0x0)
    at /usr/local/smallworld/usr/src/sys/net/pfil.c:139
#14 0xc0537c11 in ip_fastforward (m=0xc119c400) at /usr/local/smallworld/usr/src/sys/netinet/ip_fastfwd.c:437
#15 0xc05165bf in ether_demux (ifp=0xc10fb000, m=0xc119c400) at /usr/local/smallworld/usr/src/sys/net/if_ethersubr.c:769
#16 0xc0516339 in ether_input (ifp=0xc10fb000, m=0xc119c400) at /usr/local/smallworld/usr/src/sys/net/if_ethersubr.c:623
#17 0xc0453758 in fxp_intr_body (sc=0xc10f7000, ifp=0xc10fb000, statack=180 '´', count=-1)
    at /usr/local/smallworld/usr/src/sys/dev/fxp/if_fxp.c:1715
#18 0xc0453494 in fxp_intr (xsc=0xc10f7000) at /usr/local/smallworld/usr/src/sys/dev/fxp/if_fxp.c:1536
#19 0xc0498c31 in ithread_execute_handlers (p=0xc1096218, ie=0xc1083800)
    at /usr/local/smallworld/usr/src/sys/kern/kern_intr.c:682
#20 0xc0498d7e in ithread_loop (arg=0xc10f38b0) at /usr/local/smallworld/usr/src/sys/kern/kern_intr.c:766
#21 0xc0497e28 in fork_exit (callout=0xc0498d10 <ithread_loop>, arg=0xc10f38b0, frame=0xc4e3ed38)
    at /usr/local/smallworld/usr/src/sys/kern/kern_fork.c:788
#22 0xc05f67fc in fork_trampoline () at /usr/local/smallworld/usr/src/sys/i386/i386/exception.s:208
(kgdb) bt full
#0  doadump () at pcpu.h:165
No locals.
#1  0xc04ac076 in boot (howto=260) at /usr/local/smallworld/usr/src/sys/kern/kern_shutdown.c:409
	first_buf_printf = 1
#2  0xc04ac34b in panic (fmt=0xc064dba7 "double fault") at /usr/local/smallworld/usr/src/sys/kern/kern_shutdown.c:565
	td = (struct thread *) 0xc1091300
	bootopt = 260
	newpanic = 1
	ap = 0xc06ac1b0 "\227ßdÀ¤éãÄ"
	buf = "double fault", '\0' <repeats 243 times>
#3  0xc0605702 in dblfault_handler () at /usr/local/smallworld/usr/src/sys/i386/i386/trap.c:867
No locals.
#4  0xc0557f11 in AliasHandleIrcOut (la=0xc12f8000, pip=0xc1145800, lnk=0xc15dc800, maxsize=2048) at alias_local.h:353
	hlen = Cannot access memory at address 0xc4e2e990
(kgdb) frame 4
#4  0xc0557f11 in AliasHandleIrcOut (la=0xc12f8000, pip=0xc1145800, lnk=0xc15dc800, maxsize=2048) at alias_local.h:353
353	alias_local.h: No such file or directory.
	in alias_local.h
(kgdb) quit

Script done on Wed Dec  5 01:13:59 2007


>How-To-Repeat:
	
	I do not use any kernel modules. Here is kernel config file:

options		INCLUDE_CONFIG_FILE

machine		i386
cpu		I586_CPU
ident		GW
makeoptions	DEBUG=-g		# Build kernel with gdb(1) debug symbols
options 	SCHED_4BSD		# 4BSD scheduler
options 	PREEMPTION		# Enable kernel thread preemption
options 	INET			# InterNETworking
options 	FFS			# Berkeley Fast Filesystem
options 	SOFTUPDATES		# Enable FFS soft updates support
options 	UFS_DIRHASH		# Improve performance on big directories
options 	MD_ROOT			# MD is a potential root device
options 	COMPAT_43		# Compatible with BSD 4.3 [KEEP THIS!]
options 	COMPAT_FREEBSD4		# Compatible with FreeBSD4
options 	_KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
options 	ADAPTIVE_GIANT		# Giant mutex is adaptive.
device		pci
device		ata
device		atadisk		# ATA disk drives
options 	ATA_STATIC_ID	# Static device numbering

# atkbdc0 controls both the keyboard and the PS/2 mouse
device		atkbdc		# AT keyboard controller
device		atkbd		# AT keyboard

device		vga		# VGA video card driver
device		sc

device		sio		# 8250, 16[45]50 based serial ports

device		miibus		# MII bus support
device		fxp		# Intel EtherExpress PRO/100B (82557, 82558)

# Pseudo devices.
device		loop		# Network loopback
device		random		# Entropy device
device		ether		# Ethernet support
device		pty		# Pseudo-ttys (telnet etc)
device		md		# Memory "disks"
device		gif		# IPv6 and IPv4 tunneling
device		speaker

device		bpf		# Berkeley packet filter
options		AUTO_EOI_1

options		MAXCONS=8
options 	ALT_BREAK_TO_DEBUGGER
options 	CONSPEED=115200		# speed for serial console

options		IPFIREWALL
options		IPFIREWALL_VERBOSE
options		IPFIREWALL_FORWARD
options		IPDIVERT

options		DUMMYNET
options		IPSEC
options		IPSEC_ESP
options		IPSEC_FILTERGIF

options 	NFSCLIENT		#Network File System client

options		LIBALIAS
options 	NETGRAPH		# netgraph(4) system
options 	NETGRAPH_IPFW
options 	NETGRAPH_NAT
options 	NETGRAPH_SOCKET

options		INVARIANTS
options		INVARIANT_SUPPORT

options 	KDB
options 	KDB_TRACE
options 	KDB_UNATTENDED
options 	DDB
options 	DDB_NUMSYM
options 	GDB


	Then, I use fastforwarding, here is my /etc/sysctl.conf:

net.inet.ip.fastforwarding=1                                                                                             
net.inet.ip.fw.one_pass=0                                                                                                
net.inet.tcp.sendspace=65536                                                                                             
net.inet.tcp.recvspace=65536                                                                                             
net.inet.udp.recvspace=65536

	Also, I use ipfw, ng_ipfw and ng_nat here.

# ipfw list
00050 netgraph 1 ip from any to any in recv fxp1
00050 netgraph 2 ip from any to any out xmit fxp1
00060 netgraph 3 ip from any to any in recv gif0
00060 netgraph 4 ip from any to any out xmit gif0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any

	ngctl shows:

+ ls
There are 4 total nodes:
  Name: ngctl923        Type: socket          ID: 00000006   Num hooks: 0
  Name: uplink2         Type: nat             ID: 00000005   Num hooks: 2
  Name: uplink1         Type: nat             ID: 00000003   Num hooks: 2
  Name: ipfw            Type: ipfw            ID: 00000001   Num hooks: 4

	The nodes are created with a following rcNG startup script for ng_nat:
	ftp://www.kuzbass.ru/pub/freebsd/ng_nat.gz
	My /etc/rc.conf contains next tunnables for ng_nat script:

uplink=fxp1	
ng_nat_enable="YES"                
ng_nat_nodes="uplink1 uplink2"     
ng_nat_uplink1_interface="$uplink" 
ng_nat_uplink1_ipfw_rules="50 50"  
ng_nat_uplink1_cookies="1 2"       
ng_nat_uplink2_interface="gif0"    
ng_nat_uplink2_ipfw_rules="60 60"  
ng_nat_uplink2_cookies="3 4"       

	So you can run ng_nat to repeat my configuration.
	Feel free to request additional details.

>Fix:

	Unknown
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list