Subject: kern/29582: panic on NetBSD 2.0_STABLE bridge with ipnat ftp proxy
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <j+nbsd@2005.salmi.ch>
List: netbsd-bugs
Date: 03/03/2005 00:15:01
>Number:         29582
>Category:       kern
>Synopsis:       panic on NetBSD 2.0_STABLE bridge with ipnat ftp proxy
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Mar 03 00:15:00 +0000 2005
>Originator:     Jukka Salmi
>Release:        NetBSD 2.0_STABLE
>Environment:
System: NetBSD octopus.salmi.ch 2.0_STABLE NetBSD 2.0_STABLE (OCTOPUS) #0: Mon Feb 28 00:15:15 CET 2005  root@moray.salmi.ch:/build/nbsd/i386/sys/arch/i386/compile/OCTOPUS i386
Architecture: i386
Machine: i386
ipf: IP Filter: v4.1.3 (396)
Kernel: IP Filter: v4.1.3
>Description:
On a Soekris net4501 running NetBSD 2.0_STABLE I get reproducible panics.
The machine has three ethernet interfaces: sip0 and sip1 are bridged (ipfilter
enabled), sip2 has an IP address (management interface). The following ipnat
mappings are configured:

	map sip0 0/0 -> 0/0 proxy port ftp ftp/tcp
	map sip1 0/0 -> 0/0 proxy port ftp ftp/tcp

>How-To-Repeat:
Set up as described above; on a client connected to sip0 connect
anonymously to an FTP server (I used mirror.switch.ch, IPv4) and execute
the following commands:

	ftp> ls
	229 Entering Extended Passive Mode (|||59715|)
	150 Here comes the directory listing.
	[...]
	226 Directory send OK.
	ftp> pas
	Passive mode: off; fallback to active mode: off.
	ftp> ls
	500 Bad EPRT protocol.
	200 PORT command successful. Consider using PASV.
	150 Here comes the directory listing.
	[...]
	226 Directory send OK.
	ftp> pas
	Passive mode: on; fallback to active mode: on.
	ftp> ls
	^C
	421 Service not available, user interrupt. Connection closed.
	ftp> 

Shortly after I issue ^C the bridge panics:

panic: m_copydata
Stopped at      netbsd:cpu_Debugger+0x4:        popl    %ebp
db> trace /l
cpu_Debugger(0,c33bf0b1,c0eb8157,c0c95b38,c019ed2f) at netbsd:cpu_Debugger+0x4
panic(c0216805,c0eb8138,c0eb8119,21,c0c95b84) at netbsd:panic+0xa9
m_copydata(c0eca800,84,2,c0eb8157,612ebbdf) at netbsd:m_copydata+0x41
ippr_ftp_process(c0c95c5c,c0eb8400,c0eb8000,1,c0c95c5c) at netbsd:ippr_ftp_process+0x274
ippr_ftp_in(c0c95c5c,c0e78d00,c0eb8400,c33bf00e,c33bf022) at netbsd:ippr_ftp_in+0x4a
appr_check(c0c95c5c,c0eb8400,0,0,c0c95c58) at netbsd:appr_check+0xd6
fr_natin(c0c95c5c,c0eb8400,1,1,5c34) at netbsd:fr_natin+0x4e
fr_checknatin(c0c95c5c,c0c95c58,0,a5,4) at netbsd:fr_checknatin+0x2a7
fr_check(c33bf00e,14,c0e25040,0,c0c95d48) at netbsd:fr_check+0x24a
fr_check_wrapper(0,c0c95d48,c0e25040,1,c0eca800) at netbsd:fr_check_wrapper+0x8e
pfil_run_hooks(c0c524e0,c0c95db8,c0e25040,1,0) at netbsd:pfil_run_hooks+0x44
bridge_ipf(0,c0c95db8,c0e25040,1,c0eca800) at netbsd:bridge_ipf+0xe6
pfil_run_hooks(c0e79124,c0c95dfc,c0e25040,1,c0e25040) at netbsd:pfil_run_hooks+0x44
bridge_forward(c0e79000,c0eca800,c0de3a3c,c33bf000,0) at netbsd:bridge_forward+0x100
bridge_input(c0e25040,c0eca800,1000003,0,b7) at netbsd:bridge_input+0x17f
ether_input(c0e25040,c0eca800,420,6420,c0e252c0) at netbsd:ether_input+0x16c
sip_rxintr(c0e25000,1,c0e25040,c0de5e60,0) at netbsd:sip_rxintr+0x47e
sip_intr(c0e25000,0,c0c90010,30,10) at netbsd:sip_intr+0x6b
Xintr_legacy5() at netbsd:Xintr_legacy5+0xa4
--- interrupt ---
cpu_switch(c0c58080,0,1,0,0) at netbsd:cpu_switch+0x9f
ltsleep(c0c57ee0,4,c0217b49,0,0) at netbsd:ltsleep+0x1da
uvm_scheduler(c0c57ec0,1,c0c91014,c91000,c9b000) at netbsd:uvm_scheduler+0x76
check_console(0,0,0,0,0) at netbsd:check_console
db> 

dmesg output:
NetBSD 2.0_STABLE (OCTOPUS) #0: Mon Feb 28 00:15:15 CET 2005
	root@moray.salmi.ch:/build/nbsd/i386/sys/arch/i386/compile/OCTOPUS
total memory = 65148 KB
avail memory = 52028 KB
BIOS32 rev. 0 found at 0xf7840
mainbus0 (root)
cpu0 at mainbus0: (uniprocessor)
cpu0: AMD Am5x86 W/B 133/160 (486-class), id 0x4f4
cpu0: features 1<FPU>
pci0 at mainbus0 bus 0: configuration mode 1
pci0: i/o space, memory space enabled, rd/line, rd/mult, wr/inv ok
elansc0 at pci0 dev 0 function 0: AMD Elan SC520 System Controller
elansc0: product 0 stepping 1.1, CPU clock 133MHz
hifn0 at pci0 dev 16 function 0: Hifn 7955, rev. 0
hifn0: 3DES/AES, 32KB dram, interrupting at irq 10
sip0 at pci0 dev 18 function 0: NatSemi DP83815 10/100 Ethernet, rev 00
sip0: interrupting at irq 11
sip0: Ethernet address 00:00:24:c1:9a:a8
nsphyter0 at sip0 phy 0: DP83815 10/100 media interface, rev. 1
nsphyter0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
sip1 at pci0 dev 19 function 0: NatSemi DP83815 10/100 Ethernet, rev 00
sip1: interrupting at irq 5
sip1: Ethernet address 00:00:24:c1:9a:a9
nsphyter1 at sip1 phy 0: DP83815 10/100 media interface, rev. 1
nsphyter1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
sip2 at pci0 dev 20 function 0: NatSemi DP83815 10/100 Ethernet, rev 00
sip2: interrupting at irq 9
sip2: Ethernet address 00:00:24:c1:9a:aa
nsphyter2 at sip2 phy 0: DP83815 10/100 media interface, rev. 1
nsphyter2: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
isa0 at mainbus0
com0 at isa0 port 0x3f8-0x3ff irq 4: ns16550a, working fifo
com0: console
com1 at isa0 port 0x2f8-0x2ff irq 3: ns16550a, working fifo
wdc0 at isa0 port 0x1f0-0x1f7 irq 14
atabus0 at wdc0 channel 0
npx0 at isa0 port 0xf0-0xff: using exception 16
md0: internal 10240 KB image area
initializing IPsec... done
IPsec: Initialized Security Association Processing.
wd0 at atabus0 drive 0: <SanDisk SDCFB-128>
wd0: drive supports 1-sector PIO transfers, LBA addressing
wd0: 122 MB, 980 cyl, 8 head, 32 sec, 512 bytes/sect x 250880 sectors
wd0: drive supports PIO mode 4
boot device: wd0
root on md0a
root file system type: ffs

>Fix:
I would if I could...
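
The backtrace above ends in m_copydata(), called from ippr_ftp_process(). As an added illustration (not part of the original report, and not IP Filter or NetBSD source), this user-space C model shows the condition under which the BSD m_copydata() routine panics, namely the mbuf chain ending before off + len bytes are reached, next to a caller-side length check that rejects such a request. The struct and function names are simplified stand-ins, and reading the trace arguments 84 and 2 as a hex offset and a length is an assumption.

```c
#include <stddef.h>
#include <string.h>

/* Simplified user-space stand-in for the kernel's struct mbuf (hypothetical). */
struct mbuf {
    struct mbuf *m_next;  /* next buffer in the chain */
    size_t m_len;         /* bytes of data in this buffer */
    const char *m_data;   /* start of the data */
};

/* Model of the m_copydata() contract: copy len bytes found off bytes into the
 * chain. Returns -1 at the points where the kernel calls panic("m_copydata"). */
int model_copydata(const struct mbuf *m, size_t off, size_t len, char *dst)
{
    while (off > 0) {
        if (m == NULL) return -1;        /* chain ended while skipping off */
        if (off < m->m_len) break;
        off -= m->m_len;
        m = m->m_next;
    }
    while (len > 0) {
        if (m == NULL) return -1;        /* chain ended while copying */
        size_t n = m->m_len - off;
        if (n > len) n = len;
        memcpy(dst, m->m_data + off, n);
        dst += n; len -= n; off = 0;
        m = m->m_next;
    }
    return 0;
}

/* Caller-side guard: reject a request that does not fit in the chain. */
int checked_copydata(const struct mbuf *m, size_t off, size_t len, char *dst)
{
    size_t total = 0;
    for (const struct mbuf *p = m; p != NULL; p = p->m_next)
        total += p->m_len;
    if (off > total || len > total - off) return -1;
    return model_copydata(m, off, len, dst);
}

/* Constructed input: a 132-byte chain (100 + 32 bytes), not data from the report. */
int demo(int guarded, size_t off, size_t len, char *dst)
{
    static const char a[100] = "constructed control-channel bytes";
    static const char b[32] = "PASV\r\n";
    struct mbuf m2 = { NULL, sizeof b, b };
    struct mbuf m1 = { &m2, sizeof a, a };
    return (guarded ? checked_copydata : model_copydata)(&m1, off, len, dst);
}
```

With the constructed 132-byte chain, a request for 2 bytes at offset 0x84 reaches the end of the chain in the unguarded model (the kernel's panic point), while the guarded variant rejects it before any copy is attempted.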