Date: Sat, 13 Jul 2002 02:14:07 +0400 (MSD)
From: Dmitry Morozovsky <marck@rinet.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: luigi@FreeBSD.org, noc@rinet.ru
Subject: kern/40508: RELENG_4 after 09.07.2002 luigi's commit to ipfw and companion kernel crashes
Message-ID: <200207122214.g6CME7X95209@woozle.rinet.ru>
>Number: 40508
>Category: kern
>Synopsis: RELENG_4 after 09.07.2002 luigi's commit to ipfw and companion kernel crashes
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jul 12 15:40:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Dmitry Morozovsky
>Release: FreeBSD 4-STABLE i386
>Organization:
Cronyx Plus LLC (RiNet ISP)
>Environment:
System: FreeBSD donkey.rinet.ru 4.6-STABLE FreeBSD 4.6-STABLE #1: Fri Jul 12 23:29:37 MSD 2002 root@:/var/obj/lh/src/sys/gwfn i386
>Description:
After luigi's commit on 09.07.2002 to src/sys/net{,inet} (RELENG_4),
the kernel now crashes if dummynet shaping is configured, at least by
virtually any multicast packet.
Kernel traceback follows:
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x40
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc019304c
stack pointer = 0x10:0xc9fdfe50
frame pointer = 0x10:0xc9fdfef0
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 423 (tcsh)
interrupt mask = net
trap number = 12
panic: page fault
syncing disks... 9 2 1 1
done
Uptime: 2h29m59s
dumping to dev #ad/0x20001, offset 917504
dump ata0: resetting devices .. ata0: mask=03 ostat0=50 ostat2=00
ad0: ATAPI 00 00
ata0-slave: ATAPI 00 00
ata0: mask=03 stat0=50 stat1=00
ad0: ATA 01 a5
ata0: devices=01
ad0: success setting PIO4 on generic chip
done
64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
---
#0 dumpsys () at /lh/src/sys/kern/kern_shutdown.c:487
487 if (dumping++) {
(kgdb) bt
#0 dumpsys () at /lh/src/sys/kern/kern_shutdown.c:487
#1 0xc0143e71 in boot (howto=256) at /lh/src/sys/kern/kern_shutdown.c:316
#2 0xc0144298 in poweroff_wait (junk=0xc021538c, howto=-1071558993) at /lh/src/sys/kern/kern_shutdown.c:595
#3 0xc01ebff2 in trap_fatal (frame=0xc9fdfe10, eva=64) at /lh/src/sys/i386/i386/trap.c:974
#4 0xc01ebcd1 in trap_pfault (frame=0xc9fdfe10, usermode=0, eva=64) at /lh/src/sys/i386/i386/trap.c:867
#5 0xc01eb8c3 in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16, tf_edi = 0, tf_esi = -1067717632, tf_ebp = -906101008,
tf_isp = -906101188, tf_ebx = 0, tf_edx = -1067717408, tf_ecx = -1014144340, tf_eax = 0, tf_trapno = 12, tf_err = 0,
tf_eip = -1072091060, tf_cs = 8, tf_eflags = 66070, tf_esp = -1014144384, tf_ss = 0}) at /lh/src/sys/i386/i386/trap.c:466
#6 0xc019304c in ip_output (m0=0xc05bec00, opt=0x0, ro=0xc38d62ac, flags=34, imo=0x0) at /lh/src/sys/netinet/ip_output.c:189
#7 0xc0189b16 in transmit_event (pipe=0xc37a4f00) at /lh/src/sys/netinet/ip_dummynet.c:425
#8 0xc0189dc3 in ready_event (q=0xc372ea80) at /lh/src/sys/netinet/ip_dummynet.c:577
#9 0xc018a234 in dummynet (unused=0x0) at /lh/src/sys/netinet/ip_dummynet.c:730
#10 0xc0149c72 in softclock () at /lh/src/sys/kern/kern_timeout.c:131
#11 0xc01e17b3 in doreti_swi ()
#12 0x8072359 in ?? ()
#13 0x805bf4d in ?? ()
#14 0x805bb81 in ?? ()
#15 0x8059156 in ?? ()
#16 0x804a645 in ?? ()
#17 0x8049a6a in ?? ()
#18 0x8048137 in ?? ()
#6 0xc019304c in ip_output (m0=0xc05bec00, opt=0x0, ro=0xc38d62ac, flags=34, imo=0x0) at /lh/src/sys/netinet/ip_output.c:189
189 ia = ifatoia(ro->ro_rt->rt_ifa);
(kgdb) l
184 (void)ipsec_setsocket(m, NULL);
185 #endif
186 if (args.rule != NULL) { /* dummynet already saw us */
187 ip = mtod(m, struct ip *);
188 hlen = IP_VHL_HL(ip->ip_vhl) << 2 ;
189 ia = ifatoia(ro->ro_rt->rt_ifa);
190 goto sendit;
191 }
192
193 if (opt) {
(kgdb) up
#7 0xc0189b16 in transmit_event (pipe=0xc37a4f00) at /lh/src/sys/netinet/ip_dummynet.c:425
425 (void)ip_output((struct mbuf *)pkt, NULL, NULL, 0, NULL);
(kgdb) l
420 * The block IS FREED HERE because it contains parameters passed
421 * to the called routine.
422 */
423 switch (pkt->dn_dir) {
424 case DN_TO_IP_OUT:
425 (void)ip_output((struct mbuf *)pkt, NULL, NULL, 0, NULL);
426 rt_unref (pkt->ro.ro_rt) ;
427 break ;
428
429 case DN_TO_IP_IN :
(kgdb) p *pkt
$1 = {hdr = {mh_next = 0xc05bec00, mh_nextpkt = 0x0, mh_data = 0x0, mh_len = 0, mh_type = 13, mh_flags = 15}, rule = 0xc3878d00,
dn_dir = 1, output_time = 8994965, ifp = 0xc35c2c00, dn_dst = 0xc38d62b0, ro = {ro_rt = 0x0, ro_dst = {sa_len = 16 '\020',
sa_family = 2 '\002', sa_data = "\000\000à\000\000\004\000\000\000\000\000\000\000"}}, flags = 34}
(kgdb) up
#8 0xc0189dc3 in ready_event (q=0xc372ea80) at /lh/src/sys/netinet/ip_dummynet.c:577
577 transmit_event(p);
(kgdb) l
572 /*
573 * If the delay line was empty call transmit_event(p) now.
574 * Otherwise, the scheduler will take care of it.
575 */
576 if (p_was_empty)
577 transmit_event(p);
578 }
579
580 /*
581 * Called when we can transmit packets on WF2Q queues. Take pkts out of
(kgdb) p *p
$2 = {next = 0x0, pipe_nr = 1, bandwidth = 64000, delay = 0, head = 0x0, tail = 0xc38d6280, scheduler_heap = {size = 0, elements = 0,
offset = 0, p = 0x0}, not_eligible_heap = {size = 0, elements = 0, offset = 0, p = 0x0}, idle_heap = {size = 0, elements = 0,
offset = 84, p = 0x0}, V = 0, sum = 0, numbytes = 0, sched_time = 0, if_name = '\000' <repeats 15 times>, ifp = 0x0, ready = 0,
fs = {next = 0x0, fs_nr = 0, flags_fs = 9, pipe = 0xc37a4f00, parent_nr = 0, weight = 0, qsize = 8192, plr = 0, flow_mask = {
dst_ip = 0, src_ip = 4294967295, dst_port = 0, src_port = 0, proto = 0 '\000', flags = 0 '\000'}, rq_size = 64, rq_elements = 5,
rq = 0xc362d600, last_expired = 0, backlogged = 0, w_q = 0, max_th = 0, min_th = 0, max_p = 0, c_1 = 0, c_2 = 0, c_3 = 0, c_4 = 0,
w_q_lookup = 0x0, lookup_depth = 0, lookup_step = 0, lookup_weight = 0, avg_pkt_size = 0, max_pkt_size = 0}}
>How-To-Repeat:
build and run kernel with IPFIREWALL & DUMMYNET & MROUTING
add pipe rule:
ipfw pipe 1 config bw 64Kbit/s queue 8Kbytes mask src-ip 0xffffffff
ipfw add 10 pipe 1 ip from any to any via ed0
run mrouted
>Fix:
Don't know yet. Hopefully Luigi knows ;-P
>Release-Note:
>Audit-Trail:
>Unformatted:
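
Added example, not part of the original report and not FreeBSD code: a small triage script that reads three excerpts from the kgdb session above (the trap header, the faulting source line, and an abridged copy of the `p *pkt` dump) and reports which pointer in the dereference chain was NULL. The function names and the `implied_offset` field are assumptions made for this illustration.

```python
import re

# Excerpts from the kgdb session in the report above (struct dump abridged).
TRAP = "fault virtual address = 0x40"
FAULT_LINE = "189 ia = ifatoia(ro->ro_rt->rt_ifa);"
STRUCT_DUMP = ("$1 = {hdr = {mh_next = 0xc05bec00, mh_nextpkt = 0x0}, "
               "rule = 0xc3878d00, dn_dir = 1, ifp = 0xc35c2c00, "
               "dn_dst = 0xc38d62b0, ro = {ro_rt = 0x0, ro_dst = {sa_len = 16}}, "
               "flags = 34}")
PAGE_SIZE = 4096  # i386 page size; an address below it lies in the NULL page

def fault_address(trap_text):
    """Extract the faulting address from a 'Fatal trap 12' header."""
    m = re.search(r"fault virtual address\s*=\s*(0x[0-9a-fA-F]+)", trap_text)
    return int(m.group(1), 16) if m else None

def pointer_chains(source_line):
    """Return each a->b->c chain on the source line as a list of names."""
    chains = re.findall(r"[A-Za-z_]\w*(?:\s*->\s*[A-Za-z_]\w*)+", source_line)
    return [re.split(r"\s*->\s*", c) for c in chains]

def dumped_values(dump):
    """Map scalar member names to integers from a gdb 'p *x' dump.
    Nested members with the same name overwrite each other (last wins)."""
    pairs = re.findall(r"(\w+) = (0x[0-9a-fA-F]+|-?\d+)\b", dump)
    return {name: int(val, 0) for name, val in pairs}

def triage(trap_text, source_line, dump):
    addr = fault_address(trap_text)
    values = dumped_values(dump)
    findings = []
    for chain in pointer_chains(source_line):
        # Every name except the last is dereferenced to reach the next one.
        for i, name in enumerate(chain[:-1]):
            if values.get(name) == 0:
                findings.append({
                    "null_pointer": "->".join(chain[:i + 1]),
                    "member_read": chain[i + 1],
                    # With a NULL base, the fault address is the member offset.
                    "implied_offset": addr,
                })
    return {"near_null": addr is not None and addr < PAGE_SIZE,
            "findings": findings}

if __name__ == "__main__":
    print(triage(TRAP, FAULT_LINE, STRUCT_DUMP))
```

On these excerpts it flags `ro->ro_rt` as the NULL pointer and `rt_ifa` as the member being read, with the fault address 0x40 as the implied offset of that member.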
