From owner-freebsd-bugs@FreeBSD.ORG  Sat Dec  9 17:40:15 2006
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 21FD616A511
	for <freebsd-bugs@hub.freebsd.org>;
	Sat,  9 Dec 2006 17:40:15 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 21DA643CAC
	for <freebsd-bugs@hub.freebsd.org>;
	Sat,  9 Dec 2006 17:39:07 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id kB9HeBfb055711
	for <freebsd-bugs@freefall.freebsd.org>; Sat, 9 Dec 2006 17:40:11 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.4/8.13.4/Submit) id kB9HeBn8055710;
	Sat, 9 Dec 2006 17:40:11 GMT (envelope-from gnats)
Resent-Date: Sat, 9 Dec 2006 17:40:11 GMT
Resent-Message-Id: <200612091740.kB9HeBn8055710@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Andrej Zverev <az@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 6982116A416
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sat,  9 Dec 2006 17:37:43 +0000 (UTC)
	(envelope-from andrey.zverev@electro-com.ru)
Received: from mail.electro-com.ru (mail.electro-com.ru [86.110.161.242])
	by mx1.FreeBSD.org (Postfix) with ESMTP id D52AF43CA1
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sat,  9 Dec 2006 17:36:37 +0000 (GMT)
	(envelope-from andrey.zverev@electro-com.ru)
Received: from az by mail.electro-com.ru with local (Exim 4.63 (FreeBSD))
	(envelope-from <andrey.zverev@electro-com.ru>) id 1Gt68r-000Efb-I6
	for FreeBSD-gnats-submit@freebsd.org; Sat, 09 Dec 2006 20:37:41 +0300
Message-Id: <E1Gt68r-000Efb-I6@mail.electro-com.ru>
Date: Sat, 09 Dec 2006 20:37:41 +0300
From: Andrej Zverev <az@FreeBSD.org>
Sender: Andrej Zverev <andrey.zverev@electro-com.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: 
Subject: kern/106534: [panic] ipfw + dummynet
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Andrej Zverev <az@FreeBSD.org>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Dec 2006 17:40:15 -0000


>Number:         106534
>Category:       kern
>Synopsis:       [panic] ipfw + dummynet
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 09 17:40:11 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Andrej Zverev
>Release:        
>Organization:
>Environment:


	
>Description:
	Using dumment for traffic shaping with about 900 queues or pipes and bandwith > 30Mbit/s
	provide panic on 6.1 and 6.2PRERELEASE

	Before panic (kernel build with INVARIANTS) on console i can show
Memory modified after free 0xc4f55800(2048) val=c75a43d4 @ 0xc4f55880
Memory modified after free 0xc4e02800(2048) val=488e26e3 @ 0xc4e028c0
dummynet: OUCH! pipe should have been idle!
Memory modified after free 0xc4e05800(2048) val=f4f21018 @ 0xc4e05880
Memory modified after free 0xc4e64000(2048) val=413c203e @ 0xc4e64080
Memory modified after free 0xc4b7d800(2048) val=98d450d7 @ 0xc4b7d880
Memory modified after free 0xc520d000(2048) val=36a81ffb @ 0xc520d080
Memory modified after free 0xc4f96000(2048) val=66407a4b @ 0xc4f961c0
Memory modified after free 0xc84c1000(2048) val=2037322e @ 0xc84c1080
Memory modified after free 0xc4f8a000(2048) val=7b38df64 @ 0xc4f8a0c0

	Time to get panic about 5-15 minutes.

ctm# ifconfig
ste0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=48<VLAN_MTU,POLLING>
        ether 00:11:95:cb:66:6e
        media: Ethernet 100baseTX <full-duplex>
        status: active
ste1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=48<VLAN_MTU,POLLING>
        ether 00:11:95:cb:66:7a
        media: Ethernet 100baseTX <full-duplex>
        status: active
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet x.y.z.a netmask 0xfffffffc broadcast x.y.z.a
        ether 00:11:95:fc:81:85
        media: Ethernet 100baseTX <full-duplex>
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether fa:96:da:98:10:ca
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: ste1 flags=3<LEARNING,DISCOVER>
        member: ste0 flags=3<LEARNING,DISCOVER>



	
>How-To-Repeat:
	
>Fix:

	

--- 1.txt begins here ---

ctm# uname -v
FreeBSD 6.2-PRERELEASE #1: Fri Dec  8 14:56:55 MSK 2006     root@y.x.la-com.int:/usr/obj/usr/src/sys/CTM_DEBUG


GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
fault virtual address	= 0xc
fault code		= supervisor read, page not present
instruction pointer	= 0x20:0xc065ded3
stack pointer	        = 0x28:0xe339ab5c
frame pointer	        = 0x28:0xe339ab80
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 11 (swi4: clock sio)
trap number		= 12
panic: page fault
Uptime: 10m42s
Dumping 1007 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 1007MB (257776 pages) 991 975 959 943 927 911 895 879 863 847 831 815 799 783 767 751 735 719 703 687 671 655 639 623 607 591 575 559 543 527 511 495 479 463 447 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15

#0  doadump () at pcpu.h:165
	in pcpu.h
(kgdb) f 0
#0  doadump () at pcpu.h:165
165	in pcpu.h
(kgdb) f 1
#1  0xc062813a in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
409			doadump();
(kgdb) f 2
#2  0xc06283d0 in panic (fmt=0xc083002b "%s") at /usr/src/sys/kern/kern_shutdown.c:565
565		boot(bootopt);
(kgdb) f 3
#3  0xc07eb314 in trap_fatal (frame=0xe339ab1c, eva=12) at /usr/src/sys/i386/i386/trap.c:837
837			panic("%s", trap_msg[type]);
(kgdb) f 4
#4  0xc07eb07b in trap_pfault (frame=0xe339ab1c, usermode=0, eva=12) at /usr/src/sys/i386/i386/trap.c:745
745			trap_fatal(frame, eva);
(kgdb) f 5
#5  0xc07eacd9 in trap (frame=
      {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = -988715436, tf_esi = 387, tf_ebp = -482759808, tf_isp = -482759864, tf_ebx = -988715520, tf_edx = 0, tf_ecx = -985141232, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1067065645, tf_cs = 32, tf_eflags = 66050, tf_esp = 0, tf_ss = -482759804})
    at /usr/src/sys/i386/i386/trap.c:435
435				(void) trap_pfault(&frame, FALSE, eva);
(kgdb) f 6
#6  0xc07d9cba in calltrap () at /usr/src/sys/i386/i386/exception.s:139
139		call	trap
Current language:  auto; currently asm
(kgdb) f 7
#7  0xc065ded3 in m_copym (m=0x0, off0=1500, len=1480, wait=1) at /usr/src/sys/kern/uipc_mbuf.c:400
400			if (off < m->m_len)
Current language:  auto; currently c
(kgdb) f 8
#8  0xc06d5784 in ip_fragment (ip=0xc547f010, m_frag=0xe339ac3c, mtu=-988715520, if_hwassist_flags=0, sw_csum=1) at /usr/src/sys/netinet/ip_output.c:975
975			m->m_next = m_copy(m0, off, len);
(kgdb) f 9
#9  0xc06d542b in ip_output (m=0xc5511700, opt=0xc4b6a800, ro=0xe339ac08, flags=1, imo=0x0, inp=0x0) at /usr/src/sys/netinet/ip_output.c:804
804		error = ip_fragment(ip, &m, ifp->if_mtu, ifp->if_hwassist, sw_csum);
(kgdb) f 10
#10 0xc06c8069 in dummynet_send (m=0xc5511700) at /usr/src/sys/netinet/ip_dummynet.c:771
771				ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);
(kgdb) f 11
#11 0xc06c7ffc in dummynet (unused=0x0) at /usr/src/sys/netinet/ip_dummynet.c:753
753		dummynet_send(head);
(kgdb) f 12
#12 0xc0634543 in softclock (dummy=0x0) at /usr/src/sys/kern/kern_timeout.c:290
290					c_func(c_arg);
(kgdb) f 13
#13 0xc0612549 in ithread_execute_handlers (p=0xc4a51a78, ie=0xc4a9e300) at /usr/src/sys/kern/kern_intr.c:682
682			ih->ih_handler(ih->ih_argument);
(kgdb) f 14
#14 0xc0612654 in ithread_loop (arg=0xc4a19720) at /usr/src/sys/kern/kern_intr.c:765
765				ithread_execute_handlers(p, ie);
(kgdb) f 15
#15 0xc06114d0 in fork_exit (callout=0xc0612600 <ithread_loop>, arg=0xc4a19720, frame=0xe339ad38) at /usr/src/sys/kern/kern_fork.c:821
821		callout(arg, frame);
(kgdb) f 16
#16 0xc07d9d1c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:208
208		call	fork_exit
Current language:  auto; currently asm
(kgdb) quit
--- 1.txt ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted: