Date:      Fri, 26 Aug 2005 18:40:22 GMT
From:      Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: kern/85258: changing promisc mode on nic can lead to kernel panic
Message-ID:  <200508261840.j7QIeMD0025909@freefall.freebsd.org>

The following reply was made to PR kern/85258; it has been noted by GNATS.

From: Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
To: FreeBSD-gnats-submit@freebsd.org
Cc: freebsd-bugs@freebsd.org
Subject: Re: kern/85258: changing promisc mode on nic can lead to kernel panic
Date: Fri, 26 Aug 2005 20:30:24 +0200

 On Wed, Aug 24, 2005 at 12:10:20PM +0000, Pawel Malachowski wrote:
 
 >  FYI, when polling enable was set to 0, ifconfig promisc and -promisc in loop,
 >  system was running safely during all night (>18h).
 >  
 >  After enabling polling, it crashed within 5 minutes...
 >  With same backtrace.
 
 To sum up, the factors are:
 . dummynet configured for outgoing packets seems to be needed;
 . frequent changes of fxp flags; link0 can be used for this (setting
   promisc is not needed at all);
 . kern.polling.enable=1.
 
 I've prepared a static kernel for debugging; a much better backtrace is below. :)
 
 Test setup:
 ipfw pipe 100 config bw 512kbit/s queue 20KB mask src-ip 0xffffffff
 ipfw add 100 pipe 100 ip from any to any out xmit wan0
 
 (wan0 is renamed fxp0)
 
 # Reproduction loop: set and then clear the link0 flag on the interface
 # named by the first argument ($1), one second apart, until interrupted.
 while [ 1 ]
 do
  # Set the flag, wait, clear it, wait: each pass changes the interface flags twice.
  ifconfig $1 link0
  sleep 1
  ifconfig $1 -link0
  sleep 1
 done
 
 And ping -f from another box to speed things up. ;)
 
 Fully reproducible for me within 10-20 minutes.
 
 (kgdb) bt
 #0  doadump () at pcpu.h:159
 #1  0xc060c948 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:410
 #2  0xc060cbc6 in panic (fmt=0xc081e7fd "m_copym, offset > size of mbuf chain") at /usr/src/sys/kern/kern_shutdown.c:566
 #3  0xc063e500 in m_copym (m=0x0, off0=16380, len=5124, wait=1) at /usr/src/sys/kern/uipc_mbuf.c:385
 #4  0xc0697780 in ip_fragment (ip=0xc13fa820, m_frag=0xc7aafc44, mtu=-1051870208, if_hwassist_flags=0, sw_csum=1)
     at /usr/src/sys/netinet/ip_output.c:974
 #5  0xc0697405 in ip_output (m=0xc13ef700, opt=0xc13fa820, ro=0xc7aafc10, flags=0, imo=0x0, inp=0x0)
     at /usr/src/sys/netinet/ip_output.c:798
 #6  0xc068b731 in transmit_event (pipe=0xc16e3d00) at /usr/src/sys/netinet/ip_dummynet.c:454
 #7  0xc068bab4 in ready_event (q=0xc172e280) at /usr/src/sys/netinet/ip_dummynet.c:624
 #8  0xc068c04b in dummynet (unused=0x0) at /usr/src/sys/netinet/ip_dummynet.c:779
 #9  0xc0617b12 in softclock (dummy=0x0) at /usr/src/sys/kern/kern_timeout.c:279
 #10 0xc05fb4b8 in ithread_loop (arg=0xc12b9500) at /usr/src/sys/kern/kern_intr.c:547
 #11 0xc05fa92c in fork_exit (callout=0xc05fb394 <ithread_loop>, arg=0xc12b9500, frame=0xc7aafd48)
     at /usr/src/sys/kern/kern_fork.c:791
 #12 0xc07a0a4c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:209
 (kgdb) up 3
 #3  0xc063e500 in m_copym (m=0x0, off0=16380, len=5124, wait=1) at /usr/src/sys/kern/uipc_mbuf.c:385
 385                     KASSERT(m != NULL, ("m_copym, offset > size of mbuf chain"));
 (kgdb) l
 380             KASSERT(len >= 0, ("m_copym, negative len %d", len));
 381             MBUF_CHECKSLEEP(wait);
 382             if (off == 0 && m->m_flags & M_PKTHDR)
 383                     copyhdr = 1;
 384             while (off > 0) {
 385                     KASSERT(m != NULL, ("m_copym, offset > size of mbuf chain"));
 386                     if (off < m->m_len)
 387                             break;
 388                     off -= m->m_len;
 389                     m = m->m_next;
 (kgdb) up
 #4  0xc0697780 in ip_fragment (ip=0xc13fa820, m_frag=0xc7aafc44, mtu=-1051870208, if_hwassist_flags=0, sw_csum=1)
     at /usr/src/sys/netinet/ip_output.c:974
 974                     m->m_next = m_copy(m0, off, len);
 (kgdb) l
 969                             len = ip->ip_len - off;
 970                             m->m_flags |= M_LASTFRAG;
 971                     } else
 972                             mhip->ip_off |= IP_MF;
 973                     mhip->ip_len = htons((u_short)(len + mhlen));
 974                     m->m_next = m_copy(m0, off, len);
 975                     if (m->m_next == NULL) {        /* copy failed */
 976                             m_free(m);
 977                             error = ENOBUFS;        /* ??? */
 978                             ipstat.ips_odropped++;
 (kgdb) up
 #5  0xc0697405 in ip_output (m=0xc13ef700, opt=0xc13fa820, ro=0xc7aafc10, flags=0, imo=0x0, inp=0x0)
     at /usr/src/sys/netinet/ip_output.c:798
 798             error = ip_fragment(ip, &m, ifp->if_mtu, ifp->if_hwassist, sw_csum);
 (kgdb) l
 793              * Too large for interface; fragment if possible. If successful,
 794              * on return, m will point to a list of packets to be sent.
 795              */
 796     /*if (ifp->if_mtu) {
 797     }*/
 798             error = ip_fragment(ip, &m, ifp->if_mtu, ifp->if_hwassist, sw_csum);
 799             if (error)
 800                     goto bad;
 801             for (; m; m = m0) {
 802                     m0 = m->m_nextpkt;
 (kgdb) p *ifp
 $3 = {if_softc = 0xc1475000, if_link = {tqe_next = 0xc143b800, tqe_prev = 0xc1461004},
   if_xname = "lo0", '\0' <repeats 12 times>, if_dname = 0xc07f45e0 "lo", if_dunit = 0, if_addrhead = {
     tqh_first = 0xc14d0c00, tqh_last = 0xc1553260}, if_klist = {kl_lock = 0xc08db5a0, kl_list = {slh_first = 0x0}},
   if_pcount = 0, if_carp = 0x0, if_bpf = 0x0, if_index = 3, if_timer = 0, if_nvlans = 0, if_flags = 32841,
   if_capabilities = 0, if_capenable = 0, if_linkmib = 0x0, if_linkmiblen = 0, if_data = {ifi_type = 24 '\030',
     ifi_physical = 0 '\0', ifi_addrlen = 0 '\0', ifi_hdrlen = 0 '\0', ifi_link_state = 0 '\0', ifi_recvquota = 0 '\0',
     ifi_xmitquota = 0 '\0', ifi_datalen = 80 'P', ifi_mtu = 16384, ifi_metric = 0, ifi_baudrate = 0, ifi_ipackets = 223,
     ifi_ierrors = 0, ifi_opackets = 223, ifi_oerrors = 0, ifi_collisions = 0, ifi_ibytes = 38240, ifi_obytes = 38240,
     ifi_imcasts = 0, ifi_omcasts = 0, ifi_iqdrops = 0, ifi_noproto = 0, ifi_hwassist = 0, ifi_epoch = 1, ifi_lastchange = {
       tv_sec = 1, tv_usec = 29757}}, if_multiaddrs = {tqh_first = 0xc151b3a0, tqh_last = 0xc151b0a0}, if_amcount = 0,
   if_output = 0xc0670efc <looutput>, if_input = 0, if_start = 0, if_ioctl = 0xc0671104 <loioctl>, if_watchdog = 0,
   if_init = 0, if_resolvemulti = 0, if_spare1 = 0x0, if_spare2 = 0x0, if_spare3 = 0x0, if_spare_flags1 = 0,
   if_spare_flags2 = 0, if_snd = {ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0, ifq_maxlen = 50, ifq_drops = 0, ifq_mtx = {
       mtx_object = {lo_class = 0xc0877e1c, lo_name = 0xc147500c "lo0", lo_type = 0xc082186a "if send queue",
         lo_flags = 196608, lo_list = {tqe_next = 0xc14d0c7c, tqe_prev = 0xc1475218}, lo_witness = 0xc08e1680}, mtx_lock = 4,
       mtx_recurse = 0}, ifq_drv_head = 0x0, ifq_drv_tail = 0x0, ifq_drv_len = 0, ifq_drv_maxlen = 0, altq_type = 0,
     altq_flags = 0, altq_disc = 0x0, altq_ifp = 0xc1475000, altq_enqueue = 0, altq_dequeue = 0, altq_request = 0,
     altq_clfier = 0x0, altq_classify = 0, altq_tbr = 0x0, altq_cdnr = 0x0}, if_broadcastaddr = 0x0, lltables = 0x0,
   if_label = 0x0, if_prefixhead = {tqh_first = 0x0, tqh_last = 0xc1475168}, if_afdata = {0x0 <repeats 28 times>, 0xc1470c00,
     0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, if_afdata_initialized = 1, if_afdata_mtx = {mtx_object = {
       lo_class = 0xc0877e1c, lo_name = 0xc082185a "if_afdata", lo_type = 0xc082185a "if_afdata", lo_flags = 196608,
       lo_list = {tqe_next = 0xc14750fc, tqe_prev = 0xc0880d20}, lo_witness = 0xc08e16a8}, mtx_lock = 4, mtx_recurse = 0},
   if_starttask = {ta_link = {stqe_next = 0x0}, ta_pending = 0, ta_priority = 0, ta_func = 0xc066dc04 <if_start_deferred>,
     ta_context = 0xc1475000}}
 
 
 -- 
 Paweł Małachowski


