From owner-freebsd-bugs@FreeBSD.ORG Tue Sep 27 06:50:15 2005
Message-Id: <200509270640.j8R6egLF086527@www.freebsd.org>
Date: Tue, 27 Sep 2005 06:40:42 GMT
From: "Yuriy N. Shkandybin"
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/86618: panic with ifconfig nge

>Number: 86618
>Category: kern
>Synopsis: panic with ifconfig nge
>Confidential: no
>Severity: non-critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Sep 27 06:50:14 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Yuriy N. Shkandybin
>Release: RELENG_6
>Organization: NetAMS
>Environment:
FreeBSD ftp 6.0-BETA5 FreeBSD 6.0-BETA5 #11: Mon Sep 26 17:09:08 MSD 2005 root@server:/usr/obj/usr/src/sys/FTP i386
>Description:
Because sc->nge_ldata is allocated without zeroing memory, when nge_stop(sc); is called and buffers are freed, wrong values might be there.
I believe the same problem is relevant for HEAD too.

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address = 0x80030
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc0512a10
stack pointer = 0x28:0xe4d16b3c
frame pointer = 0x28:0xe4d16b4c
code segment = base 0x0, limit 0xfffff, type 0x1b
             = DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 2818 (ifconfig)
[thread pid 2818 tid 100118 ]
Stopped at m_freem+0x10: testb $0x1,0x10(%eax)
db> trace
Tracing pid 2818 tid 100118 td 0xc1f91a80
m_freem(80020,0,c1fb8400,80206910,c1fa2900) at m_freem+0x10
nge_stop(c1ec7bb8,c244c9d4,805f000,0,e4d16bc4) at nge_stop+0x1b8
nge_init_locked(2,c1f934a0,0,c1f93400,c1fb8400) at nge_init_locked+0x2a
nge_ioctl(c1fb8400,80206910,c2658cc0,c1eb92c0,c2556bcc) at nge_ioctl+0x2f1
ifhwioctl(c2658cc0,c1f91a80,c05d2298,c06a4020,c065e213) at ifhwioctl+0x634
ifioctl(c2556b20,80206910,c2658cc0,c1f91a80,0) at ifioctl+0x68
soo_ioctl(c21a4ab0,80206910,c2658cc0,c2529000,c1f91a80) at soo_ioctl+0x2e8
ioctl(c1f91a80,e4d16d04,c,c,c1f91a80) at ioctl+0x115
syscall(3b,3b,3b,3,1) at syscall+0x223
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (54, FreeBSD ELF32, ioctl), eip = 0x480db35f, esp = 0xbfbfe3dc, ebp = 0xbfbfe428 ---

kgdb
#7 0xc0635164 in trap (frame=
      {tf_fs = -415563768, tf_es = 40, tf_ds = 40, tf_edi = -1040566016, tf_esi = 11, tf_ebp = -415499444, tf_isp = -415499480, tf_ebx = 352, tf_edx = 524320, tf_ecx = 55296, tf_eax = 524320, tf_trapno = 12, tf_err = 0, tf_eip = -1068416848, tf_cs = 32, tf_eflags = 66050, tf_esp = 1000000, tf_ss = 0})
    at /usr/src/sys/i386/i386/trap.c:442
#8 0xc061aaca in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#9 0xc05140b0 in m_freem (mb=0x80020) at mbuf.h:420
#10 0xc0471478 in nge_stop (sc=0xc1fa3900) at /usr/src/sys/dev/nge/if_nge.c:2125
#11 0xc04719da in nge_init_locked (sc=0xc1fa3900) at /usr/src/sys/dev/nge/if_nge.c:1685
#12 0xc04732a1 in nge_ioctl (ifp=0xc1fb8400, command=2149607696,
data=0xc26f61a0 "nge0") at /usr/src/sys/dev/nge/if_nge.c:2018 #13 0xc055a8d4 in ifhwioctl (cmd=0, ifp=0xc1fb8400, data=0xc26f61a0 "nge0", td=0x80020) at /usr/src/sys/net/if.c:1272 #14 0xc055b108 in ifioctl (so=0xc25c2858, cmd=2149607696, data=0xc26f61a0 "nge0", td=0xc24c9a80) at /usr/src/sys/net/if.c:1506 #15 0xc0502308 in soo_ioctl (fp=0x80020, cmd=2149607696, data=0xc26f61a0, active_cred=0xc2190c00, td=0xc24c9a80) at /usr/src/sys/kern/sys_socket.c:214 #16 0xc04fac95 in ioctl (td=0xc24c9a80, uap=0xe73bfd04) at file.h:258 #17 0xc0635643 in syscall (frame= {tf_fs = 59, tf_es = 59, tf_ds = -1078001605, tf_edi = 3, tf_esi = 1, tf_ebp = -1077943256, tf_isp = -415498908, tf_ebx = -1077943312, tf_edx = -2145359600, tf_ecx = 134595453, tf_eax = 54, tf_trapno = 12, tf_err = 2, tf_eip = 1208857439, tf_cs = 51, tf_eflags = 583, tf_esp = -1077943332, tf_ss = 59}) at /usr/src/sys/i386/i386/trap.c:986 #18 0xc061ab1f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200 #19 0x00000033 in ?? () >How-To-Repeat: ifconfig nge0 up >Fix: --- if_nge.c.orig Mon Sep 26 17:02:00 2005 +++ if_nge.c.my Mon Sep 26 16:59:26 2005 @@ -839,7 +839,7 @@ /* XXX: leaked on error */ sc->nge_ldata = contigmalloc(sizeof(struct nge_list_data), M_DEVBUF, - M_NOWAIT, 0, 0xffffffff, PAGE_SIZE, 0); + M_NOWAIT|M_ZERO, 0, 0xffffffff, PAGE_SIZE, 0); if (sc->nge_ldata == NULL) { printf("nge%d: no memory for list buffers!\n", unit); >Release-Note: >Audit-Trail: >Unformatted:
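
Review bot: the M_NOWAIT|M_ZERO change at the contigmalloc() call only fixes the initial contents of sc->nge_ldata; the function that actually faulted, nge_stop (if_nge.c:2125 in the backtrace), is not touched by this patch. Please confirm that nge_stop skips NULL mbuf pointers and resets each pointer to NULL after m_freem(), since zeroing at allocation time only helps if the teardown path keeps that invariant on every later stop. Two smaller points on the same hunk: style(9) wants spaces around the operator (M_NOWAIT | M_ZERO), and the /* XXX: leaked on error */ comment directly above the call is still left unaddressed.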
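
The failure mode in the Description, reduced to a user-space model (an added example, not part of the original report and not driver code). It assumes the stop path frees every non-NULL slot; RING_CNT, ring_alloc, ring_stop and run are hypothetical names, and the 0xA5 fill is a constructed stand-in for stale allocator contents.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define RING_CNT 8                       /* constructed ring size */
struct ring { void *slot[RING_CNT]; };   /* stand-in for the mbuf pointers in nge_list_data */

/* Model recycled memory: stale bytes unless zeroing is requested (M_ZERO analogue). */
static struct ring *ring_alloc(int zero)
{
    struct ring *r = malloc(sizeof(*r));
    if (r != NULL)
        memset(r, zero ? 0x00 : 0xA5, sizeof(*r));
    return r;
}

/* Stop routine (assumed pattern): any non-NULL slot is treated as an owned buffer. */
static int ring_stop(struct ring *r, const unsigned char *owned)
{
    int bogus = 0;
    for (int i = 0; i < RING_CNT; i++) {
        if (r->slot[i] != NULL && !owned[i])
            bogus++;                 /* the driver would m_freem() garbage here */
        else
            free(r->slot[i]);        /* owned buffer, or NULL (no-op) */
        r->slot[i] = NULL;           /* a repeated stop must find nothing */
    }
    return bogus;
}

/* Allocate the ring, populate the first n slots, stop; return the bogus-free count. */
static int run(int zero, int n)
{
    unsigned char owned[RING_CNT] = {0};
    struct ring *r = ring_alloc(zero);
    if (r == NULL)
        return -1;
    for (int i = 0; i < n && i < RING_CNT; i++) {
        r->slot[i] = calloc(1, 64);
        owned[i] = (r->slot[i] != NULL);
    }
    int bogus = ring_stop(r, owned);
    free(r);
    return bogus;
}

int main(void)
{
    printf("stale ring: %d bogus frees, zeroed ring: %d\n", run(0, 0), run(1, 0));
    return 0;
}
```

run(0, 0) models the reported sequence, where the stop routine runs before any slot has been populated.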