Date:      Wed, 17 Jul 2002 00:45:45 +0900
From:      qhwt@myrealbox.com
To:        luigi@freebsd.org
Cc:        current@freebsd.org
Subject:   integer divide fault in dummynet_io
Message-ID:  <20020716154545.GA696.qhwt@myrealbox.com>



Hello. I have the following rules in my ipfw.rules:

    pipe 1 config bw 3kbit/s
    add  1000 pipe 1 log logamount 0 tcp from any to me 80 setup in
    add  1010 pipe 1 log logamount 0 tcp from any to me 25 setup in

so that I can log and slow down incoming Nimda/open-relay probes.

After new ipfw code came into the tree, my machine started to panic
occasionally after thirty minutes or so connected to the Internet.
After a few panics, I managed to get the backtrace. Unfortunately the
line number seems to be screwed, but it's still enough to spot where
it panicked (attached).

In frame 15 in dummynet_io(), fs->weight was holding zero at line 1182,
which leads to a division by zero. Surprisingly, 'action' was O_LOG rather than
O_PIPE or O_QUEUE, even though the function is assuming only one of them.

I'm running current as of 2002-06-29 (UTC) with the following files
updated to more recent revisions:
    /sys/netinet/ip_fw.h        1.70
    /sys/netinet/ip_fw2.c       1.3
    /usr/src/sbin/ipfw/ipfw2.c  1.3

Any idea how to fix this?

Content-Disposition: attachment; filename="screenlog.0"

GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
IdlePTD at physical address 0x004cc000
initial pcb at physical address 0x0034fe40
panicstr: bwrite: buffer is not busy???
panic messages:
---
Fatal trap 18: integer divide fault while in kernel mode
instruction pointer	= 0x8:0xc02d198b
stack pointer	        = 0x10:0xc6251b08
frame pointer	        = 0x10:0xc6251b8c
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 12 (swi1: net)
trap number		= 18
panic: integer divide fault

syncing disks... panic: bwrite: buffer is not busy???
Uptime: 1h4m54s
Dumping 63 MB
ata0: resetting devices .. ata0: mask=03 ostat0=50 ostat2=00
ad0: ATAPI 00 00
ata0-slave: ATAPI 00 00
ata0: mask=03 stat0=50 stat1=00
ad0: ATA 01 a5
ata0: devices=01
ad0: success setting PIO4 on generic chip
done
 16 32 48
---
b#0  0xc018b4c1 in doadump () at /usr/src/sys/kern/kern_shutdown.c:353
353	}
(kgdb) bt
#0  0xc018b4c1 in doadump () at /usr/src/sys/kern/kern_shutdown.c:353
#1  0xc018b94b in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:353
#2  0xc018bb2d in panic (fmt=0xc02eb9cb "bwrite: buffer is not busy???")
    at /usr/src/sys/kern/kern_shutdown.c:353
#3  0xc01c4ea2 in bwrite (bp=0xc2523120) at /usr/src/sys/kern/vfs_bio.c:1368
#4  0xc01c642e in vfs_bio_awrite (bp=0xc2523120)
    at /usr/src/sys/kern/vfs_bio.c:1368
#5  0xc0160b4b in spec_fsync (ap=0xc6251950)
    at /usr/src/sys/fs/specfs/spec_vnops.c:837
#6  0xc016068c in spec_vnoperate (ap=0xc6251950)
    at /usr/src/sys/fs/specfs/spec_vnops.c:837
#7  0xc026e743 in ffs_sync (mp=0xc1275000, waitfor=2, cred=0xc09dcd80, 
    td=0xc031eb20) at /usr/src/sys/ufs/ffs/ffs_vfsops.c:813
#8  0xc01d65bb in sync (td=0xc031eb20, uap=0x0)
    at /usr/src/sys/kern/vfs_syscalls.c:584
#9  0xc018b5bc in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:353
#10 0xc018bb2d in panic (fmt=0xc030ccde "%s")
    at /usr/src/sys/kern/kern_shutdown.c:353
#11 0xc02c0683 in trap_fatal (frame=0xc6251ac8, eva=0)
    at /usr/src/sys/i386/i386/trap.c:655
#12 0xc02c00c2 in trap (frame={tf_fs = 24, tf_es = -1070727152, tf_ds = 16, 
      tf_edi = 1, tf_esi = 0, tf_ebp = -970646644, tf_isp = -970646796, 
      tf_ebx = 3145728, tf_edx = 0, tf_ecx = 0, tf_eax = 1, tf_trapno = 18, 
      tf_err = 0, tf_eip = -1070786165, tf_cs = 8, tf_eflags = 66118, 
      tf_esp = 0, tf_ss = 0}) at /usr/src/sys/i386/i386/trap.c:655
#13 0xc02d198b in __qdivrem (uq=3145728, vq=0, arq=0x0)
    at /usr/src/sys/libkern/qdivrem.c:277
#14 0xc02d1e2e in __udivdi3 (a=3145728, b=0)
    at /usr/src/sys/libkern/udivdi3.c:51
#15 0xc01f9c69 in dummynet_io (m=0xc0a10d00, pipe_nr=1, dir=2, fwa=0xc6251c44)
    at /usr/src/sys/netinet/ip_dummynet.c:1227
#16 0xc01ffcf2 in ip_input (m=0xc0a10d00)
    at /usr/src/sys/netinet/ip_input.c:843
#17 0xc0200452 in ipintr () at /usr/src/sys/netinet/ip_input.c:843
#18 0xc0178ed7 in swi_net (dummy=0x0) at /usr/src/sys/kern/kern_intr.c:561
#19 0xc0178bf6 in ithread_loop (arg=0xc09f8100)
    at /usr/src/sys/kern/kern_intr.c:561
#20 0xc0177ec6 in fork_exit (callout=0xc0178a34 <ithread_loop>, 
    arg=0xc09f8100, frame=0xc6251d48) at /usr/src/sys/kern/kern_fork.c:734
(kgdb) frame 15
#15 0xc01f9c69 in dummynet_io (m=0xc0a10d00, pipe_nr=1, dir=2, fwa=0xc6251c44)
    at /usr/src/sys/netinet/ip_dummynet.c:1227
1227	}
(kgdb) list
1222	    splx(s);
1223	    if (q)
1224		q->drops++ ;
1225	    m_freem(m);
1226	    return ENOBUFS ;
1227	}
1228	
1229	/*
1230	 * Below, the rt_unref is only needed when (pkt->dn_dir == DN_TO_IP_OUT)
1231	 * Doing this would probably save us the initial bzero of dn_pkt
(kgdb) # hmm...
(kgdb) print fs->weight
$1 = 0
(kgdb) print action
$2 = 42
(kgdb) print fwa->rule->cmd[fwa->rule->act_ofs].opcode
$3 = O_LOG
(kgdb) print *fs
$4 = {next = 0x0, fs_nr = 0, flags_fs = 0, pipe = 0xc13cf100, parent_nr = 0, 
  weight = 0, qsize = 50, plr = 0, flow_mask = {dst_ip = 0, src_ip = 0, 
    dst_port = 0, src_port = 0, proto = 0 '\000', flags = 0 '\000'}, 
  rq_size = 1, rq_elements = 1, rq = 0xc121c650, last_expired = 0, 
  backlogged = 0, w_q = 0, max_th = 0, min_th = 0, max_p = 0, c_1 = 0, 
  c_2 = 0, c_3 = 0, c_4 = 0, w_q_lookup = 0x0, lookup_depth = 0, 
  lookup_step = 0, lookup_weight = 0, avg_pkt_size = 0, max_pkt_size = 0}
(kgdb) qhwt@gzl$ exit
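
To make the mismatch in the session above concrete, here is an added model (not FreeBSD's ip_fw2/ip_dummynet code) of what the backtrace shows: for a rule carrying `log`, cmd[act_ofs] holds O_LOG rather than the O_PIPE action that follows it, and the flowset reached on that path has weight 0, so the 64-bit divide in __udivdi3 traps. O_LOG = 42 comes from the `$2 = 42` / `$3 = O_LOG` output; the other opcode values, the MY_M shift, and the struct layout are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the failure in the report; not FreeBSD's code.
 * O_LOG = 42 matches '$2 = 42' / '$3 = O_LOG' in the gdb session above;
 * the other opcode values and the MY_M shift are assumptions. */
enum { O_LOG = 42, O_PIPE = 43, O_QUEUE = 44 };
#define MY_M 16   /* e.g. a 48-byte packet: 48 << 16 == 3145728, the 'a' in __udivdi3 */

struct insn { int opcode; int len; int arg; };  /* len: size in insns */
struct rule { struct insn cmd[4]; int act_ofs; };

/* Rule equivalent to "pipe 1 log ... setup in": the action section at
 * act_ofs starts with O_LOG, and the real O_PIPE action follows it. */
static const struct rule logged_pipe = { { {O_LOG, 1, 0}, {O_PIPE, 1, 1} }, 0 };

/* What the crashing path did: read cmd[act_ofs].opcode and see O_LOG. */
static int naive_action(const struct rule *r)
{
    return r->cmd[r->act_ofs].opcode;
}

/* Skip a leading O_LOG before deciding between O_PIPE and O_QUEUE. */
static int resolved_action(const struct rule *r)
{
    const struct insn *c = &r->cmd[r->act_ofs];
    if (c->opcode == O_LOG)
        c += c->len;
    return c->opcode;
}

/* Guarded WF2Q+ finish time F = S + (len << MY_M) / weight.
 * A pipe's own flowset has weight 0 (see '$4' above), so refuse to
 * divide and return -1 instead of taking the trap. */
static int finish_time(uint64_t S, unsigned len, unsigned weight, uint64_t *F)
{
    if (weight == 0 || F == NULL)
        return -1;
    *F = S + ((uint64_t)len << MY_M) / weight;
    return 0;
}

/* Check helper: finish_time succeeded and produced `expect`. */
static int check_finish(uint64_t S, unsigned len, unsigned weight, uint64_t expect)
{
    uint64_t F = 0;
    return finish_time(S, len, weight, &F) == 0 && F == expect;
}
```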


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020716154545.GA696.qhwt>