Subject: kern/26471: ipfilter 4.1.3 crashes the system every few hours
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <arto@selonen.org>
List: netbsd-bugs
Date: 07/29/2004 05:57:31
>Number:         26471
>Category:       kern
>Synopsis:       ipfilter 4.1.3 crashes the system every few hours
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jul 29 08:22:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Arto Selonen
>Release:        -current with sources from ~20040728
>Organization:
>Environment:
NetBSD blah 2.0G NetBSD 2.0G (BLAH) #58: Wed Jul 28 10:16:22 EEST 2004  blah@blah:/obj/sys/arch/i386/compile/BLAH i386

>Description:
System was upgraded from 2.0G (~20040719) with sources from anoncvs-fi
mirror on 20040728. After the upgrade uptimes are: 7 hours, 3 hours.
The system crashes with the following found on console:

kernel: page fault trap, code=0
Stopped at netbsd:fr_send_icmp_err+0x18b: addl 0x8(%edx),%eax

db> tr
fr_send_icmp_err(...) at netbsd:fr_send_icmp_err+0x18b
fr_check
fr_check_wrapper
pfil_run_hooks
ip_input
ipintr
DDB lost frame for netbsd:Xsoftnet
Xsoftnet
-- Interrupt --

I also have a forced crash dump (db> reboot 0x104) from the first
crash.

More info about the system can be found in these open ipfilter-related
PRs: kern/25087, kern/25761.
Here is the latest dmesg, in case there are changes compared to the one
found in the above PRs (no changes to the kernel config, in order to
maintain the ability to compare fixes for the other problem reports):

NetBSD 2.0G (BLAH) #58: Wed Jul 28 10:16:22 EEST 2004
        blah@blah:/obj/sys/arch/i386/compile/BLAH
total memory = 1023 MB
avail memory = 998 MB
BIOS32 rev. 0 found at 0xfda74
mainbus0 (root)
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel Pentium 4 (686-class), 1794.26 MHz, id 0xf24
cpu0: features 3febfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR>
cpu0: features 3febfbff<PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX>
cpu0: features 3febfbff<FXSR,SSE,SSE2,SS,HTT,TM>
cpu0: "Intel(R) Pentium(R) 4 CPU 1.80GHz"
cpu0: I-cache 12K uOp cache 8-way, D-cache 8 KB 64B/line 4-way
cpu0: L2 cache 512 KB 64B/line 8-way
cpu0: ITLB 4K/4M: 64 entries
cpu0: DTLB 4K/4M: 64 entries
cpu0: using thermal monitor 1
cpu0: 16 page colors
pci0 at mainbus0 bus 0: configuration mode 1
pci0: i/o space, memory space enabled, rd/line, rd/mult, wr/inv ok
pchb0 at pci0 dev 0 function 0
pchb0: Intel 82845 Host (rev. 0x04)
pchb0: random number generator enabled
agp0 at pchb0: aperture at 0xf8000000, size 0x4000000
ppb0 at pci0 dev 1 function 0: Intel 82845 AGP (rev. 0x04)
pci1 at ppb0 bus 1
pci1: memory space enabled
ppb1 at pci0 dev 30 function 0: Intel 82801BA Hub-to-PCI Bridge (rev. 0x05)
pci2 at ppb1 bus 2
pci2: i/o space, memory space enabled
vga1 at pci2 dev 9 function 0: Matrox MGA Millennium II 2164W (rev. 0x00)
wsdisplay0 at vga1 kbdmux 1: console (80x25, vt100 emulation)
wsmux1: connecting to wsdisplay0
fxp0 at pci2 dev 10 function 0: i82550 Ethernet, rev 12
fxp0: interrupting at irq 3
fxp0: Ethernet address 00:02:b3:60:b1:d7
inphy0 at fxp0 phy 1: i82555 10/100 media interface, rev. 4
inphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp1 at pci2 dev 12 function 0: i82550 Ethernet, rev 12
fxp1: interrupting at irq 10
fxp1: Ethernet address 00:02:b3:60:b6:5d
inphy1 at fxp1 phy 1: i82555 10/100 media interface, rev. 4
inphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
pcib0 at pci0 dev 31 function 0
pcib0: Intel 82801BA LPC Interface Bridge (rev. 0x05)
piixide0 at pci0 dev 31 function 1
piixide0: Intel 82801BA IDE Controller (ICH2) (rev. 0x05)
piixide0: bus-master DMA support present
piixide0: primary channel wired to compatibility mode
piixide0: primary channel interrupting at irq 14
atabus0 at piixide0 channel 0
piixide0: secondary channel wired to compatibility mode
piixide0: secondary channel interrupting at irq 15
atabus1 at piixide0 channel 1
uhci0 at pci0 dev 31 function 2: Intel 82801BA USB Controller (rev. 0x05)
uhci0: interrupting at irq 12
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
Intel 82801BA SMBus Controller (SMBus serial bus, revision 0x05) at pci0 dev 31 function 3 not configured
uhci1 at pci0 dev 31 function 4: Intel 82801BA USB Controller (rev. 0x05)
uhci1: interrupting at irq 9
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
isa0 at pcib0
com0 at isa0 port 0x3f8-0x3ff irq 4: ns16550a, working fifo
pckbc0 at isa0 port 0x60-0x64
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
sysbeep0 at pcppi0
isapnp0 at isa0 port 0x279: ISA Plug 'n Play device support
npx0 at isa0 port 0xf0-0xff: using exception 16
fdc0 at isa0 port 0x3f0-0x3f7 irq 6 drq 2
isapnp0: no ISA Plug 'n Play devices found
fd0 at fdc0 drive 0: 1.44MB, 80 cyl, 2 head, 18 sec
IPsec: Initialized Security Association Processing.
wd0 at atabus0 drive 0: <MAXTOR 6L080L4>
wd0: drive supports 16-sector PIO transfers, LBA addressing
wd0: 76345 MB, 155114 cyl, 16 head, 63 sec, 512 bytes/sect x 156355584 sectors
wd0: 32-bit data port
wd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 6 (Ultra/133)
wd1 at atabus0 drive 1: <MAXTOR 6L080L4>
wd1: drive supports 16-sector PIO transfers, LBA addressing
wd1: 76345 MB, 155114 cyl, 16 head, 63 sec, 512 bytes/sect x 156355584 sectors
wd1: 32-bit data port
wd1: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 6 (Ultra/133)
wd0(piixide0:0:0): using PIO mode 4, Ultra-DMA mode 5 (Ultra/100) (using DMA data transfers)
wd1(piixide0:0:1): using PIO mode 4, Ultra-DMA mode 5 (Ultra/100) (using DMA data transfers)
atapibus0 at atabus1: 2 targets
cd0 at atapibus0 drive 0: <CD-S520/A, , 1.7X> cdrom removable
cd0: 32-bit data port
cd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 2 (Ultra/33)
cd0(piixide0:1:0): using PIO mode 4, Ultra-DMA mode 2 (Ultra/33) (using DMA data transfers)
uhub2 at uhub1 port 2
uhub2: Intel product 0x1122, class 9/0, rev 1.10/0.00, addr 2
uhub2: 4 ports with 4 removable, self powered
boot device: wd0
root on wd0a dumps on wd0b
root file system type: ffs
fxp0: Microcode loaded: int delay: 1000 usec, max bundle: 6
fxp1: Microcode loaded: int delay: 1000 usec, max bundle: 6
wsdisplay0: screen 1 added (80x25, vt100 emulation)
wsdisplay0: screen 2 added (80x25, vt100 emulation)
wsdisplay0: screen 3 added (80x25, vt100 emulation)
wsdisplay0: screen 4 added (80x25, vt100 emulation)

Further details can be provided upon request. I'm willing to test any
patches that might improve the situation. Any and all help appreciated.
>How-To-Repeat:
The setup is fairly complex, so I doubt it could be easily replicated.
There is ipfilter, NAT, IPSEC transport tunnels, gif(4), transparent proxy w/ squid (forced with port redirect), ...
I am not yet aware of any specific traffic that might cause this, but
will try to collect something...
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted: