From owner-freebsd-current Mon Apr 8 15:59:39 2002 Delivered-To: freebsd-current@freebsd.org Received: from owa1.digisle.com (ex-owa-sj.digisle.com [165.193.27.217]) by hub.freebsd.org (Postfix) with ESMTP id C01DF37B434 for ; Mon, 8 Apr 2002 15:59:12 -0700 (PDT) Received: from digisle.net ([206.220.227.145] RDNS failed) by owa1.digisle.com over TLS secured channel with Microsoft SMTPSVC(5.0.2195.2966); Mon, 8 Apr 2002 15:59:12 -0700 Message-ID: <3CB220BF.A98DCB82@digisle.net> Date: Mon, 08 Apr 2002 15:59:11 -0700 From: Maksim Yevmenkin Organization: Digital Island X-Mailer: Mozilla 4.78 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-current@freebsd.org Subject: Fatal double fault on -current Content-Type: multipart/mixed; boundary="------------F53DCFF46B83320730353000" X-OriginalArrivalTime: 08 Apr 2002 22:59:12.0145 (UTC) FILETIME=[FF958010:01C1DF50] Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG This is a multi-part message in MIME format. --------------F53DCFF46B83320730353000 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hackers, for the last couple of days i was able to crash my -current laptop with "Fatal double fault" panic whenever i wanted. i have created a small "spherical cow" :) to demonstrate the problem (see attached). this is pretty much what my code does. just compile and load the "cow" and then try # ngctl msg cow: moo i'm suspecting m_split() and have attached tiny path that fixes problem for me. of course it might be just my fault :) and i'm missing some small thing. "... if you think you found the bug - you don't... " thanks, max --------------F53DCFF46B83320730353000 Content-Type: text/plain; charset=us-ascii; name="ng_cow.c" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="ng_cow.c" /* * ng_cow.c * * Copyright (c) 2001-2002 Maksim Yevmenkin * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include #include #include #include #include #include #include #include #include #define NG_COW_NODE_TYPE "cow" #define NGM_COW_COOKIE 1018303300 #define NGM_COW_MOO 1 /* MALLOC define */ #ifdef NG_SEPARATE_MALLOC MALLOC_DEFINE(M_NETGRAPH_COW, "cow", "Netgraph spherical cow"); #else #define M_NETGRAPH_COW M_NETGRAPH #endif /* NG_SEPARATE_MALLOC */ /* Netgraph node methods */ static ng_constructor_t ng_cow_constructor; static ng_rcvmsg_t ng_cow_rcvmsg; static ng_shutdown_t ng_cow_shutdown; static ng_newhook_t ng_cow_newhook; static ng_connect_t ng_cow_connect; static ng_rcvdata_t ng_cow_rcvdata; static ng_disconnect_t ng_cow_disconnect; static int ng_cow_modevent __P((module_t, int, void *)); /* Netgraph node command list */ static const struct ng_cmdlist ng_cow_cmdlist[] = { { NGM_COW_COOKIE, NGM_COW_MOO, "moo", NULL, NULL }, { 0, } }; /* Netgraph type descriptor */ static struct ng_type typestruct = { NG_ABI_VERSION, NG_COW_NODE_TYPE, /* typename */ ng_cow_modevent, /* modevent */ ng_cow_constructor, /* constructor */ ng_cow_rcvmsg, /* control message */ ng_cow_shutdown, /* destructor */ ng_cow_newhook, /* new hook */ NULL, /* find hook */ ng_cow_connect, /* connect hook */ ng_cow_rcvdata, /* data */ ng_cow_disconnect, /* disconnect hook */ ng_cow_cmdlist /* node command list */ }; NETGRAPH_INIT(cow, &typestruct); MODULE_VERSION(ng_cow, 1); static int ng_cow_moo __P((void)); static struct mbuf * ng_cow_prepend __P((struct mbuf *, int)); /***************************************************************************** ***************************************************************************** ** Netgraph node interface ***************************************************************************** *****************************************************************************/ static node_p the_node = NULL; /* * Handle loading and unloading for this node type */ static int ng_cow_modevent(mod, event, data) module_t mod; int event; void *data; { int error = 0; switch (event) { case MOD_LOAD: error = ng_make_node_common(&typestruct, &the_node); if (error != 0) break; error = ng_name_node(the_node, NG_COW_NODE_TYPE); if (error != 0) { NG_NODE_UNREF(the_node); the_node = NULL; break; } break; case MOD_UNLOAD: error = EBUSY; break; default: error = EOPNOTSUPP; break; } return (error); } /* ng_cow_modevent */ /* * Only one node is allowed and it is created when module is loaded */ static int ng_cow_constructor(node) node_p node; { return (EINVAL); } /* ng_cow_constructor */ /* * We do not allow any hook to be connected to the node. */ static int ng_cow_newhook(node, hook, name) node_p node; hook_p hook; char const *name; { return (EINVAL); } /* ng_cow_newhook */ /* * Just say NO! */ static int ng_cow_connect(hook) hook_p hook; { return (EINVAL); } /* ng_cow_connect */ /* * Hook disconnection */ static int ng_cow_disconnect(hook) hook_p hook; { return (0); } /* ng_cow_disconnect */ /* * Do local shutdown processing */ static int ng_cow_shutdown(node) node_p node; { if (ng_make_node_common(&typestruct, &the_node) != 0) { the_node = NULL; goto out; } if (ng_name_node(the_node, NG_COW_NODE_TYPE) != 0) { NG_NODE_UNREF(the_node); the_node = NULL; } out: return (0); } /* ng_cow_shutdown */ /* * Process incoming messages */ static int ng_cow_rcvmsg(node, item, hook) node_p node; item_p item; hook_p hook; { struct ng_mesg *msg = NULL; int error = 0; /* Detach message */ NGI_GET_MSG(item, msg); /* Process message */ switch (msg->header.typecookie) { case NGM_COW_COOKIE: switch (msg->header.cmd) { case NGM_COW_MOO: error = ng_cow_moo(); break; default: error = EINVAL; break; } break; default: error = EINVAL; break; } NG_FREE_MSG(msg); return (error); } /* ng_cow_rcvmsg */ /* * Receive data on a hook */ static int ng_cow_rcvdata(hook, item) hook_p hook; item_p item; { NG_FREE_ITEM(item); return (0); } /* ng_cow_rcvdata */ /* * MOO */ static int ng_cow_moo(void) { #define DATA_SIZE 4100 #define CHUNK_SIZE 128 struct mbuf *m0 = NULL, *m = NULL, *first = NULL, *last = NULL; char data[DATA_SIZE]; int error = 0; bzero(data, sizeof(data)); MGETHDR(m0, M_DONTWAIT, MT_DATA); if (m0 == NULL) return (ENOBUFS); /* Copy data into mbuf starting at +4 bytes */ m0->m_pkthdr.len = m0->m_len = 4; m_copyback(m0, m0->m_len, sizeof(data), data); /* Prepend mbuf with 4 bytes */ m0 = ng_cow_prepend(m0, 4); if (m0 == NULL) return (ENOBUFS); /* Split result mbuf into chunks and link then via m_nextpkt */ while (m0 != NULL) { int len = m0->m_pkthdr.len; if (len > CHUNK_SIZE) { m = m_split(m0, CHUNK_SIZE, M_DONTWAIT); if (m == NULL) { error = ENOBUFS; break; } } /* Prepend chunk with another 4 bytes */ m0 = ng_cow_prepend(m0, 4); if (m0 == NULL) { error = ENOBUFS; break; } /* Add chunk to the list */ m0->m_nextpkt = NULL; if (last == NULL) first = last = m0; else { last->m_nextpkt = m0; last = m0; } m0 = m; m = NULL; } NG_FREE_M(m0); NG_FREE_M(m); while (first != NULL) { m = first->m_nextpkt; m_freem(first); first = m; } return (error); } /* ng_cow_moo */ /* * prepend mbuf with size bytes */ static struct mbuf * ng_cow_prepend(m, size) struct mbuf *m; int size; { M_PREPEND(m, size, M_DONTWAIT); if (m == NULL || (m->m_len < size && (m = m_pullup(m, size)) == NULL)) return (NULL); return (m); } /* ng_cow_prepend */ --------------F53DCFF46B83320730353000 Content-Type: text/plain; charset=us-ascii; name="Makefile" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="Makefile" CFLAGS+= -g KMOD= ng_cow SRCS= ng_cow.c NOMAN= .include --------------F53DCFF46B83320730353000 Content-Type: text/plain; charset=us-ascii; name="uipc_mbuf.c.diff" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="uipc_mbuf.c.diff" --- uipc_mbuf.c.orig Mon Apr 8 14:40:23 2002 +++ uipc_mbuf.c Mon Apr 8 14:40:43 2002 @@ -584,6 +584,7 @@ if (remain > MHLEN) { /* m can't be the lead packet */ MH_ALIGN(n, 0); + n->m_len = 0; n->m_next = m_split(m, len, wait); if (n->m_next == NULL) { (void) m_free(n); --------------F53DCFF46B83320730353000 Content-Type: text/plain; charset=us-ascii; name="info.txt" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="info.txt" FreeBSD beetle 5.0-CURRENT FreeBSD 5.0-CURRENT #20: Mon Apr 8 14:45:30 PDT 2002 max@beetle:/usr/src/sys/i386/compile/BEETLE i386 Fatal double fault: eip = 0xc01bb5b4 esp = 0xc9ffc000 ebp = 0xc9ffc00c panic: double fault Copyright (c) 1992-2002 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD 5.0-CURRENT #20: Mon Apr 8 14:45:30 PDT 2002 max@beetle:/usr/src/sys/i386/compile/BEETLE Preloaded elf kernel "/boot/kernel/kernel" at 0xc03ba000. Preloaded elf module "/boot/kernel/nmdm.ko" at 0xc03ba0a8. Timecounter "i8254" frequency 1193182 Hz Timecounter "TSC" frequency 597789434 Hz CPU: Pentium III/Pentium III Xeon/Celeron (597.79-MHz 686-class CPU) Origin = "GenuineIntel" Id = 0x681 Stepping = 1 Features=0x383f9ff real memory = 134086656 (130944K bytes) avail memory = 126636032 (123668K bytes) Pentium Pro MTRR support enabled Using $PIR table, 10 entries at 0xc00f0130 npx0: on motherboard npx0: INT 16 interface pcib0: at pcibus 0 on motherboard pci0: on pcib0 pcib1: at device 1.0 on pci0 pci1: on pcib1 pci1: at device 0.0 (no driver attached) isab0: at device 3.0 on pci0 isa0: on isab0 isab1: at device 5.0 on pci0 atapci0: port 0xfff0-0xffff at device 5.1 on pci0 ata0: at 0x1f0 irq 14 on atapci0 ata1: at 0x170 irq 15 on atapci0 uhci0: port 0xff80-0xff9f irq 11 at device 5.2 on pci0 usb0: on uhci0 usb0: USB revision 1.0 uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered uhub1: Texas Instruments UT-USB41 hub, class 9/0, rev 1.00/1.00, addr 2 uhub1: 4 ports with 4 removable, self powered pci0: at device 5.3 (no driver attached) pci0: at device 9.0 (no driver attached) pcm0: port 0xfefc-0xfeff,0xff00-0xff3f mem 0xefff8000-0xefffffff irq 11 at device 12.0 on pci0 pcm0: ac97 codec invalid or not present (id == 0) xl0: <3Com 3c905C-TX Fast Etherlink XL> port 0xfd80-0xfdff mem 0xefff7f80-0xefff7fff irq 11 at device 15.0 on pci0 xl0: Ethernet address: 00:00:39:8c:1e:26 miibus0: on xl0 xlphy0: <3c905C 10/100 internal PHY> on miibus0 xlphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto orm0: