From owner-freebsd-bugs@FreeBSD.ORG Sat Apr 7 11:30:06 2007
Message-Id: <200704071116.l37BGXTN053074@www.freebsd.org>
Date: Sat, 7 Apr 2007 11:16:33 GMT
From: Tom Judge
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/111352: Mkdir causes integer divide fault while in kernel mode

>Number: 111352
>Category: kern
>Synopsis: Mkdir causes integer divide fault while in kernel mode
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Apr 07 11:30:05 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Tom Judge
>Release: 6.2-RELEASE + pmap.c patch (From RELENG_6 1.516.2.9)
>Organization:
>Environment:
FreeBSD bfg.mintel.co.uk 6.2-RELEASE FreeBSD 6.2-RELEASE #10: Thu Apr 5 10:53:39 BST 2007 root@roley.mintel.co.uk:/usr/obj/usr/src/sys/PE2950 amd64 amd64 Intel(R) Xeon(R) CPU 5110 @ 1.60GHz FreeBSD
FreeBSD happy.mintel.co.uk 6.2-RELEASE FreeBSD 6.2-RELEASE #10: Thu Apr 5 10:53:39 BST 2007 root@roley.mintel.co.uk:/usr/obj/usr/src/sys/PE2950 amd64
>Description:
When creating directories in a file system that has been created with the average number of files per directory tuned (to 2500 in this case) the system panics with an "integer divide fault while in kernel mode". I have tested this on 2 different size file systems (6TB, 200GB) on 2 different machines; both cause the same crash.

The following tunings do not cause the crash:

newfs -h 2500 /dev/mfid0s1g
newfs -h 2500 -b 65536 /dev/mfid0s1g

Only the following combination causes the crash:

newfs -h 2500 -b 65536 -g 1048576 /dev/mfid0s1g

I have several core files available if further information is required, here is a back trace from one:

kgdb /usr/obj/usr/src/sys/PE2950/kernel.debug /var/crash/vmcore.2
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd".

Unread portion of the kernel message buffer:

Fatal trap 18: integer divide fault while in kernel mode
cpuid = 0; apic id = 00
instruction pointer = 0x8:0xffffffff80391347
stack pointer = 0x10:0xffffffffa78736f0
frame pointer = 0x10:0xffffff0001d7a600
code segment = base 0x0, limit 0xfffff, type 0x1b
             = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 1206 (mkdir)
trap number = 18
panic: integer divide fault
cpuid = 0
Uptime: 4m29s
Dumping 1023 MB (2 chunks)
  chunk 0: 1MB (156 pages) ... ok
  chunk 1: 1023MB (261800 pages) 1007 991 975 959 943 927 911 895 879 863 847 831 815 799 783 767 751 735 719 703 687 671 655 639 623 607 591 575 559 543 527 511 495 479 463 447 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15

#0 doadump () at pcpu.h:172
172 pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0 doadump () at pcpu.h:172
#1 0x0000000000000004 in ?? ()
#2 0xffffffff8029a557 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#3 0xffffffff8029abf1 in panic (fmt=0xffffff0029753000 "X?/") at /usr/src/sys/kern/kern_shutdown.c:565
#4 0xffffffff803f62ff in trap_fatal (frame=0xffffff0029753000, eva=18446742974994109272) at /usr/src/sys/amd64/amd64/trap.c:660
#5 0xffffffff803f67a2 in trap (frame=
      {tf_rdi = 0, tf_rsi = 0, tf_rdx = 0, tf_rcx = 1951858688, tf_r8 = 2500, tf_r9 = 2975, tf_rax = 1951858688, tf_rbx = -2050457600, tf_rbp = -1099480717824, tf_r10 = 246016, tf_r11 = 184512, tf_r12 = -1098707543808, tf_r13 = 246015, tf_r14 = -2050457600, tf_r15 = 255, tf_trapno = 18, tf_addr = 0, tf_flags = 2147483648012, tf_err = 0, tf_rip = -2143743161, tf_cs = 8, tf_rflags = 66182, tf_rsp = -1484310784, tf_ss = 16}) at /usr/src/sys/amd64/amd64/trap.c:469
#6 0xffffffff803e1a6b in calltrap () at /usr/src/sys/amd64/amd64/exception.S:168
#7 0xffffffff80391347 in ffs_valloc (pvp=0xffffff002f24d7c0, mode=16877, cred=0x0, vpp=0xffffffffa7873798) at libkern.h:56
#8 0xffffffff803b8a5e in ufs_mkdir (ap=0xffffffffa78739a0) at /usr/src/sys/ufs/ufs/ufs_vnops.c:1386
#9 0xffffffff8043b355 in VOP_MKDIR_APV (vop=0x74570000, a=0xffffffffa78739a0) at vnode_if.c:1251
#10 0xffffffff80310e19 in kern_mkdir (td=0xffffff002f24d7c0, path=0xffffff003dabe400 "", segflg=4, mode=511) at vnode_if.h:653
#11 0xffffffff803f7151 in syscall (frame=
      {tf_rdi = 140737488348678, tf_rsi = 511, tf_rdx = 4294967295, tf_rcx = 1, tf_r8 = 0, tf_r9 = 140737488347272, tf_rax = 136, tf_rbx = 2, tf_rbp = 140737488348024, tf_r10 = 4294967295, tf_r11 = 582, tf_r12 = 140737488348678, tf_r13 = 140737488348008, tf_r14 = 0, tf_r15 = 0, tf_trapno = 12, tf_addr = 34367037072, tf_flags = 0, tf_err = 2, tf_rip = 34367037084, tf_cs = 43, tf_rflags = 518, tf_rsp = 140737488347720, tf_ss = 35}) at /usr/src/sys/amd64/amd64/trap.c:792
#12 0xffffffff803e1c08 in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:270
#13 0x00000008006f5e9c in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) frame 7
#7 0xffffffff80391347 in ffs_valloc (pvp=0xffffff002f24d7c0, mode=16877, cred=0x0, vpp=0xffffffffa7873798) at libkern.h:56
56 static __inline u_int min(u_int a, u_int b) { return (a < b ? a : b); }
(kgdb) list
51 static __inline int imax(int a, int b) { return (a > b ? a : b); }
52 static __inline int imin(int a, int b) { return (a < b ? a : b); }
53 static __inline long lmax(long a, long b) { return (a > b ? a : b); }
54 static __inline long lmin(long a, long b) { return (a < b ? a : b); }
55 static __inline u_int max(u_int a, u_int b) { return (a > b ? a : b); }
56 static __inline u_int min(u_int a, u_int b) { return (a < b ? a : b); }
57 static __inline quad_t qmax(quad_t a, quad_t b) { return (a > b ? a : b); }
58 static __inline quad_t qmin(quad_t a, quad_t b) { return (a < b ? a : b); }
59 static __inline u_long ulmax(u_long a, u_long b) { return (a > b ? a : b); }
60 static __inline u_long ulmin(u_long a, u_long b) { return (a < b ? a : b); }
(kgdb) frame 8
#8 0xffffffff803b8a5e in ufs_mkdir (ap=0xffffffffa78739a0) at /usr/src/sys/ufs/ufs/ufs_vnops.c:1386
1386 error = UFS_VALLOC(dvp, dmode, cnp->cn_cred, &tvp);
(kgdb) list
1381 /*
1382  * Must simulate part of ufs_makeinode here to acquire the inode,
1383  * but not have it entered in the parent directory. The entry is
1384  * made later after writing "." and ".." entries.
1385  */
1386 error = UFS_VALLOC(dvp, dmode, cnp->cn_cred, &tvp);
1387 if (error)
1388 goto out;
1389 ip = VTOI(tvp);
1390 ip->i_gid = dp->i_gid;
(kgdb)
>How-To-Repeat:
Create a new file system on the disk with the following newfs:

newfs -h 2500 -b 65536 -g 1048576 /dev/mfid0s1g

Mount the file system on /data.

mkdir /data/test
mkdir /data/test/test (Crashes here)
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: