Message-Id: <200207122214.g6CME7X95209@woozle.rinet.ru>
Date: Sat, 13 Jul 2002 02:14:07 +0400 (MSD)
From: Dmitry Morozovsky
Reply-To: Dmitry Morozovsky
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: luigi@FreeBSD.org, noc@rinet.ru
X-Send-Pr-Version: 3.113
Subject: kern/40508: RELENG_4 after 09.07.2002 luigi's commit to ipfw and companion kernel crashes

>Number: 40508
>Category: kern
>Synopsis: RELENG_4 after 09.07.2002 luigi's commit to ipfw and companion kernel crashes
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jul 12 15:40:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Dmitry Morozovsky
>Release: FreeBSD 4-STABLE i386
>Organization: Cronyx Plus LLC (RiNet ISP)
>Environment:
System: FreeBSD donkey.rinet.ru 4.6-STABLE FreeBSD 4.6-STABLE #1: Fri Jul 12 23:29:37 MSD 2002 root@:/var/obj/lh/src/sys/gwfn i386

>Description:
After luigi's commit at 09.07.2002 to src/sys/net{,inet} (RELENG_4) kernel now crashes if dummynet shaping is configured, at least by virtually any multicast packet.

kernel traceback follows:

Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x40
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc019304c
stack pointer = 0x10:0xc9fdfe50
frame pointer = 0x10:0xc9fdfef0
code segment = base 0x0, limit 0xfffff, type 0x1b
             = DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 423 (tcsh)
interrupt mask = net
trap number = 12
panic: page fault

syncing disks... 9 2 1 1
done
Uptime: 2h29m59s

dumping to dev #ad/0x20001, offset 917504
dump ata0: resetting devices ..
ata0: mask=03 ostat0=50 ostat2=00
ad0: ATAPI 00 00
ata0-slave: ATAPI 00 00
ata0: mask=03 stat0=50 stat1=00
ad0: ATA 01 a5
ata0: devices=01
ad0: success setting PIO4 on generic chip
done
64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
---
#0  dumpsys () at /lh/src/sys/kern/kern_shutdown.c:487
487             if (dumping++) {
(kgdb) bt
#0  dumpsys () at /lh/src/sys/kern/kern_shutdown.c:487
#1  0xc0143e71 in boot (howto=256) at /lh/src/sys/kern/kern_shutdown.c:316
#2  0xc0144298 in poweroff_wait (junk=0xc021538c, howto=-1071558993)
    at /lh/src/sys/kern/kern_shutdown.c:595
#3  0xc01ebff2 in trap_fatal (frame=0xc9fdfe10, eva=64)
    at /lh/src/sys/i386/i386/trap.c:974
#4  0xc01ebcd1 in trap_pfault (frame=0xc9fdfe10, usermode=0, eva=64)
    at /lh/src/sys/i386/i386/trap.c:867
#5  0xc01eb8c3 in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16, tf_edi = 0,
      tf_esi = -1067717632, tf_ebp = -906101008, tf_isp = -906101188,
      tf_ebx = 0, tf_edx = -1067717408, tf_ecx = -1014144340, tf_eax = 0,
      tf_trapno = 12, tf_err = 0, tf_eip = -1072091060, tf_cs = 8,
      tf_eflags = 66070, tf_esp = -1014144384, tf_ss = 0})
    at /lh/src/sys/i386/i386/trap.c:466
#6  0xc019304c in ip_output (m0=0xc05bec00, opt=0x0, ro=0xc38d62ac, flags=34,
    imo=0x0) at /lh/src/sys/netinet/ip_output.c:189
#7  0xc0189b16 in transmit_event (pipe=0xc37a4f00)
    at /lh/src/sys/netinet/ip_dummynet.c:425
#8  0xc0189dc3 in ready_event (q=0xc372ea80)
    at /lh/src/sys/netinet/ip_dummynet.c:577
#9  0xc018a234 in dummynet (unused=0x0)
    at /lh/src/sys/netinet/ip_dummynet.c:730
#10 0xc0149c72 in softclock () at /lh/src/sys/kern/kern_timeout.c:131
#11 0xc01e17b3 in doreti_swi ()
#12 0x8072359 in ?? ()
#13 0x805bf4d in ?? ()
#14 0x805bb81 in ?? ()
#15 0x8059156 in ?? ()
#16 0x804a645 in ?? ()
#17 0x8049a6a in ?? ()
#18 0x8048137 in ?? ()
#6  0xc019304c in ip_output (m0=0xc05bec00, opt=0x0, ro=0xc38d62ac, flags=34,
    imo=0x0) at /lh/src/sys/netinet/ip_output.c:189
189             ia = ifatoia(ro->ro_rt->rt_ifa);
(kgdb) l
184             (void)ipsec_setsocket(m, NULL);
185     #endif
186             if (args.rule != NULL) { /* dummynet already saw us */
187                 ip = mtod(m, struct ip *);
188                 hlen = IP_VHL_HL(ip->ip_vhl) << 2 ;
189                 ia = ifatoia(ro->ro_rt->rt_ifa);
190                 goto sendit;
191             }
192
193             if (opt) {
(kgdb) up
#7  0xc0189b16 in transmit_event (pipe=0xc37a4f00)
    at /lh/src/sys/netinet/ip_dummynet.c:425
425                 (void)ip_output((struct mbuf *)pkt, NULL, NULL, 0, NULL);
(kgdb) l
420              * The block IS FREED HERE because it contains parameters passed
421              * to the called routine.
422              */
423             switch (pkt->dn_dir) {
424             case DN_TO_IP_OUT:
425                 (void)ip_output((struct mbuf *)pkt, NULL, NULL, 0, NULL);
426                 rt_unref (pkt->ro.ro_rt) ;
427                 break ;
428
429             case DN_TO_IP_IN :
(kgdb) p *pkt
$1 = {hdr = {mh_next = 0xc05bec00, mh_nextpkt = 0x0, mh_data = 0x0,
    mh_len = 0, mh_type = 13, mh_flags = 15}, rule = 0xc3878d00, dn_dir = 1,
  output_time = 8994965, ifp = 0xc35c2c00, dn_dst = 0xc38d62b0, ro = {
    ro_rt = 0x0, ro_dst = {sa_len = 16 '\020', sa_family = 2 '\002',
      sa_data = "\000\000à\000\000\004\000\000\000\000\000\000\000"}},
  flags = 34}
(kgdb) up
#8  0xc0189dc3 in ready_event (q=0xc372ea80)
    at /lh/src/sys/netinet/ip_dummynet.c:577
577                 transmit_event(p);
(kgdb) l
572             /*
573              * If the delay line was empty call transmit_event(p) now.
574              * Otherwise, the scheduler will take care of it.
575              */
576             if (p_was_empty)
577                 transmit_event(p);
578     }
579
580     /*
581      * Called when we can transmit packets on WF2Q queues. Take pkts out of
(kgdb) p *p
$2 = {next = 0x0, pipe_nr = 1, bandwidth = 64000, delay = 0, head = 0x0,
  tail = 0xc38d6280, scheduler_heap = {size = 0, elements = 0, offset = 0,
    p = 0x0}, not_eligible_heap = {size = 0, elements = 0, offset = 0,
    p = 0x0}, idle_heap = {size = 0, elements = 0, offset = 84, p = 0x0},
  V = 0, sum = 0, numbytes = 0, sched_time = 0, if_name = '\000' , ifp = 0x0,
  ready = 0, fs = {next = 0x0, fs_nr = 0, flags_fs = 9, pipe = 0xc37a4f00,
    parent_nr = 0, weight = 0, qsize = 8192, plr = 0, flow_mask = {
      dst_ip = 0, src_ip = 4294967295, dst_port = 0, src_port = 0,
      proto = 0 '\000', flags = 0 '\000'}, rq_size = 64, rq_elements = 5,
    rq = 0xc362d600, last_expired = 0, backlogged = 0, w_q = 0, max_th = 0,
    min_th = 0, max_p = 0, c_1 = 0, c_2 = 0, c_3 = 0, c_4 = 0,
    w_q_lookup = 0x0, lookup_depth = 0, lookup_step = 0, lookup_weight = 0,
    avg_pkt_size = 0, max_pkt_size = 0}}

>How-To-Repeat:
build and run kernel with IPFIREWALL & DUMMYNET & MROUTING

add pipe rule:

ipfw pipe 1 config bw 64Kbit/s queue 8Kbytes mask src-ip 0xffffffff
ipfw add 10 pipe 1 ip from any to any via ed0

run mrouted

>Fix:
Don't know yet. Hopefully Luigi knows ;-P

>Release-Note:
>Audit-Trail:
>Unformatted:
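
Added example, not part of the original report and not FreeBSD's code: a userspace C model of the "dummynet already saw us" shortcut listed at ip_output.c:189, next to one possible guard for the ro_rt = 0x0 state that "p *pkt" shows. The struct definitions are cut-down stand-ins, resume_unchecked(), resume_checked() and demo() are hypothetical names, and the guard is an assumption about a reasonable check, not the change that was committed.

```c
#include <errno.h>
#include <stddef.h>

/* Cut-down stand-ins for the kernel types in the backtrace (assumption:
 * only the fields touched by ip_output.c:189 are modelled). */
struct ifaddr  { int ifa_id; };
struct rtentry { struct ifaddr *rt_ifa; };
struct route   { struct rtentry *ro_rt; };
struct dn_pkt {                 /* dummynet tag queued with the packet */
    void *rule;                 /* non-NULL: "dummynet already saw us" */
    struct route ro;            /* route cached at enqueue time */
};

/* Shape of the faulting line: trusts the cached route unconditionally.
 * Never called here; with ro_rt == NULL it reads through a NULL pointer. */
int resume_unchecked(const struct dn_pkt *pkt, struct ifaddr **ia)
{
    *ia = pkt->ro.ro_rt->rt_ifa;
    return 0;
}

/* Hypothetical guard: a packet can be queued without a cached route
 * (the report's *pkt has ro_rt = 0x0), so ia simply stays NULL. */
int resume_checked(const struct dn_pkt *pkt, struct ifaddr **ia)
{
    *ia = NULL;
    if (pkt == NULL || pkt->rule == NULL)
        return EINVAL;          /* not a packet re-injected by dummynet */
    if (pkt->ro.ro_rt != NULL)
        *ia = pkt->ro.ro_rt->rt_ifa;
    return 0;
}

/* Constructed cases: with_route == 0 mirrors "p *pkt" (rule set, ro_rt NULL);
 * with_route == 1 caches a route. Returns 1 when the guard behaves. */
int demo(int with_route)
{
    int rule = 1;
    struct ifaddr ifa = { 7 }, *ia = &ifa;   /* ia starts non-NULL on purpose */
    struct rtentry rt = { &ifa };
    struct dn_pkt pkt = { &rule, { with_route ? &rt : NULL } };
    int rc = resume_checked(&pkt, &ia);
    return rc == 0 && ia == (with_route ? &ifa : NULL);
}

int main(void) { return !(demo(0) && demo(1)); }
```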