Subject: kern/2266: fatal bug in netns code
To: None <gnats-bugs@NetBSD.ORG>
From: Michael L. VanLoon <michaelv@HeadCandy.com>
List: netbsd-bugs
Date: 03/26/1996 22:38:24
>Number:         2266
>Category:       kern
>Synopsis:       fatal bug in netns code
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Mar 27 01:50:02 1996
>Last-Modified:
>Originator:     Michael L. VanLoon
>Organization:
HeadCandy Associates... Sweets for the lobes.
>Release:        NetBSD-current, 2/25 thru 3/25, at least
>Environment:
AMD 486DX2/80 EISA machine running current
	
System: NetBSD MindBender.HeadCandy.com 1.1B NetBSD 1.1B (MINDBENDER) #305: Tue Mar 26 20:06:11 PST 1996 michaelv@MindBender.HeadCandy.com:/usr/src/sys/arch/i386/compile/MINDBENDER i386


>Description:
Recently I have been getting panics while connected with
a new ISP.  The panics appear to be in the netns code.  I've been
using this kernel config file, and basically the same kernel for many
months.  I must have only recently started getting xns packets.

The panic and stack trace go like this:

	Stopped at _spp_ctlinput+0x56: movw 0(%ecx),%ax  [ecx is zero]

	_spp_ctlinput(f [HOST-REDIRECT], f8209544 [_icmpsrc (== 210)], 0) at "
	_pfctlinput(f, f8209544, f8209544, f8209544, 0, 6,
	            f8209564 [_icmpgw (== 210)], 0) at _pfctlinput+0x2c
	_icmp_input(f88ab500, 14) at _icmp_input+0x3de
	_ipintr(7e, f821bd8c, f88abb80, f81566a8, f8745000) at _ipintr+0x41d
	_Xsoftnet() at _Xsoftnet+0x2d
	--- interrupt ---
	0:

_spp_ctlinput+0x56 is line 630 of /sys/netns/spp_usrreq.c (cvs v1.10).

I have a feeling that this code path has not been tested in a long
time.  This panic happened in two different kernels.  One was a kernel
built on, and from sources supped on 2/25.  It has been working
flawlessly with PPP connected to my previous ISP.  Previous kernels
built with the same sources had worked likewise, for the last year or
so.  It wasn't until I connected to a new ISP a few days ago, that
these panics started happening.

The second kernel is one supped and built 3/25.  It dies in exactly
the same place, with exactly the same stack trace data.  I have a
feeling that the last few days with my new ISP are the first time I've
actually received real xns packets.  It appears that building a kernel
without xns support has fixed the problem.

Here is my current config file (with "options NS" commented out -- the
only change between the last broken kernel, and my current working
kernel):

#
# STINGRAY -- Config for Michael VanLoon's i386 box stingray.cc.iastate.edu
# MINDBENDER -- modified for change to MindBender.HeadCandy.com
#

machine		i386
#options	I386_CPU
options		I486_CPU
options		I586_CPU
options		MINDBENDER

maxusers	64

options		TIMEZONE=480
options		DST=1

options 	DUMMY_NOPS		# slow nops needed?
#options	INSECURE		# allow /dev/mem writing by X
#options	USER_LDT		# for WINE
options		MACHINE_NONCONTIG	# non-contiguous memory hole (640k-1MB)
options		COMPAT_09		# backwards NetBSD-0.9 compat
options		COMPAT_10		# backwards NetBSD-1.0 compat
options		COMPAT_12		# backwards NetBSD-1.1 compat
options		COMPAT_43		# backwards 4.3BSD compat
#options	TCP_COMPAT_42		# backwards 4.2/BNR2 net compat
options		COMPAT_NOMID		# compat with 386BSD, BSDI, NetBSD 0.8
options		SWAPPAGER		# swap pager
options		VNODEPAGER		# vnode pager -- mmap of files
options		DEVPAGER		# device pager -- mmap of devices
options		KTRACE			# syscall kernel tracing
options		FIFO			# FIFOs/pipes
options		FFS			# Unix File System/Fast File System
options		FDESC			# File Descriptor fs
options		KERNFS			# Kernel fs
options		PROCFS			# Process fs
options		PORTAL			# Portal fs
options		MSDOSFS			# MS-DOS fs
options		UMAPFS			# UMAP fs
options		UNION			# Union fs
options		QUOTA			# quotas
options		MFS			# Memory fs
options		NULLFS			# Null fs
options		CD9660			# ISO-9660 & Rock Ridge CD-ROM fs
options		INET			# internet/IP services
options		NFSCLIENT		# NFS client capability
options		NFSSERVER		# NFS server capability
options		GATEWAY			# route between interfaces
#options	NS			# XNS networking
#options	ISO			# ISO OSI networking
#options	TPIP			# TPIP OSI
#options	EON			# OSI tunneling over IP
#options	CCITT			# CCITT X.25
#options	LLC			# LLC X.25
#options	HDLC			# HDLC X.25
options		XSERVER			# allow X server
options		UCONSOLE		# allow user console grabbing (X)
options		LKM			# loadable kernel modules
options		COMPAT_FREEBSD		# Run FreeBSD binaries
options		COMPAT_IBCS2		# iBCS2 compat (SCO & ISC)
options		COMPAT_SVR4		# SVR4 compat
options		COMPAT_LINUX		# Run Linux binaries
#options	MATH_EMULATE		# software FP emulation?

options		COM_ESP			# use Hayes ESP port
options		COM_HAYESP		# use Hayes ESP port
#options	COMCONSOLE=2		# serial-port console
#options	COMADDR=0x2f8		# on our com2 (0-x), PC COM2 (1-4)

options		SYSVMSG			# System V message queues; see msg.h
options		SYSVSEM			# System V semaphores; see sem.h
options		SYSVSHM			# System V shared memory
options		SHMMAXPGS=1024

makeoptions	DEBUG="-g"		# compile full symbol table
options		DDB			# kernel low-level debugger
options		DIAGNOSTIC		# generate diagnostic messages

options		PCVT_NSCREENS=9		# number of virtual terminals
options		PCVT_PRETTYSCRNS	# make screen-saver do something
options		PCVT_INHIBIT_NUMLOCK=0	# keep that damn thing on!!!

config		netbsd	root on sd0 swap on sd0 and sd1 and sd2 and sd3 and wd0

# Bus interface:
mainbus0 at root

isa0	at mainbus0
eisa0	at mainbus0
pci0	at mainbus0

# Math coprocessor/emulation support:
npx0	at isa? port 0xf0 irq 13	# math coprocessor

# Console drivers:
#pc0	at isa? port 0x60 irq 1		# generic PC console device
vt0	at isa? port 0x60 irq 1		# virtual terminals

# Hayes ESP board:
com0	at isa? port 0x3e8 irq 9	# at PC COM3

# "standard" PeeCee com ports:
com1	at isa? port 0x3f8 irq 4	# at PC COM1
com2	at isa? port 0x2f8 irq 3	# at PC COM2
#com3	at isa? port 0x3e8 irq 5	# at PC COM3
#com4	at isa? port 0x2e8 irq 9	# at PC COM4

# BocaBoard quad-16550 with normal com driver:
boca0	at isa? port 0x180 irq 12	# BOCA 8-port serial card
com*	at boca? slave?

# Parallel ports:
lpt0	at isa? port 0x378		# at PC LPT1
lpt1	at isa? port 0x278		# at PC LPT2

# Logitech bus mouse:
#lms0	at isa? port 0x23c irq 5	# Logitech bus mouse
#mms0	at isa? port 0x23c irq 5	# Microsoft InPort mouse
#pms0	at isa? port 0x60 irq 12	# PS/2 auxiliary port mouse

# SCSI controllers and devices:
bt0	at isa? port 0x330 irq ? drq ?	# BusLogic [57]4X SCSI controllers
#bt1	at eisa? port ? irq ? drq ?	# BusLogic [57]4X SCSI controllers
#bt2	at pci? port ? irq ? drq ?	# BusLogic [57]4X SCSI controllers
scsibus* at bt?
ahb0    at eisa?			# Adaptec 174[024] SCSI controllers
scsibus* at ahb?
#ncr*	at pci? bus ? dev ?		# NCR 538XX SCSI controllers
#scsibus* at ncr?

sd0	at scsibus? target 0 lun 0
sd1	at scsibus? target 1 lun 0
sd*	at scsibus? target ? lun ?	# SCSI disk drives
st*	at scsibus? target ? lun ?	# SCSI tape drives
cd*	at scsibus? target ? lun ?	# SCSI CD-ROM drives
ch*	at scsibus? target ? lun ?	# SCSI autochangers

# Floppy drives:
fdc0	at isa? port 0x3f0 irq 6 drq 2	# standard PC floppy controllers
fd*	at fdc? drive ?

# AT ST506 (IDE/MFM/RLL/ESDI) hard drives:
wdc0	at isa? port 0x1f0 irq 14	# ST506, ESDI, and IDE controllers
wdc1	at isa? port 0x170 irq ?
wd*	at wdc? drive ?

#wt0	at isa? port 0x300 irq 5 drq 1	# Archive and Wangtek QIC tape drives

# Mitsumi CD-ROM:
#mcd0	at isa? port 0x300 irq 5	# Mitsumi CD-ROM drives

# Ethernet drivers:
ed0	at isa? port 0x280 iomem 0xd0000 irq 10	# WD/SMC, 3C503, and NE[12]000
#eg0	at isa? ...				# 3C505 ethernet cards
#el0	at isa? port 0x300 irq 9		# 3C501 ethernet cards
ep0	at isa? port ? irq ?			# 3C509 ethernet cards
#ie0	at isa? port 0x360 iomem 0xd0000 irq 7	# StarLAN & 3C507
#le0	at isa? port 0x320 irq 10 drq 7		# IsoLan, NE2100, and DEPCA

# Sound devices:
#sb0	at isa? port 0x220 irq 7 drq 1	# SoundBlaster
wss0	at isa? port 0x530 irq 7 drq 0	# Windows Sound System
#pas0	at isa? port 0x220 irq 7 drq 1	# ProAudio Spectrum
# GUS flags is record drq for full-duplex:
#gus0	at isa? port 0x220 irq 7 drq 1 flags 6 # Gravis Ultra Sound
#spkr0	at isa? ...

# Pseudo devices:
pseudo-device	loop	1		# network loopback
pseudo-device	bpfilter 4		# packet filter
pseudo-device	sl	2		# CSLIP
pseudo-device	ppp	2		# PPP
pseudo-device	tun	2		# network tunneling over tty
pseudo-device	pty	64		# pseudo-terminals
pseudo-device	tb	1		# tablet line discipline
pseudo-device	vnd	4		# paging to files
pseudo-device	ccd	4		# concatenated disk device

	
>How-To-Repeat:
Build a kernel with "options NS", and receive real xns
traffic.  I don't know the exact data that trips the bug, but the data
I know is above.
	
>Fix:
Heck if I know -- this ain't my bag. :-)
	
>Audit-Trail:
>Unformatted: