From: qhwt@myrealbox.com
To: luigi@freebsd.org
Cc: current@freebsd.org
Date: Wed, 17 Jul 2002 00:45:45 +0900
Subject: integer divide fault in dummynet_io
Message-ID: <20020716154545.GA696.qhwt@myrealbox.com>

Hello.

I have the following rules in my ipfw.rules:

    pipe 1 config bw 3kbit/s
    add 1000 pipe 1 log logamount 0 tcp from any to me 80 setup in
    add 1010 pipe 1 log logamount 0 tcp from any to me 25 setup in

so that I can log and slow down incoming Nimda/open-relay probes.
After the new ipfw code came into the tree, my machine started to panic
occasionally after thirty minutes or so connected to the Internet. After a
few panics, I managed to get the backtrace. Unfortunately the line number
seems to be screwed, but it's still enough to spot where it panicked
(attached).
In frame 15 in dummynet_io(), fs->weight was holding zero at line 1182,
which leads to a zero-division. Surprisingly, 'action' was O_LOG rather
than O_PIPE or O_QUEUE, even though the function is assuming only one of
them.

I'm running current as of 2002-06-29 (UTC) with the following files
updated to more recent revisions:

    /sys/netinet/ip_fw.h        1.70
    /sys/netinet/ip_fw2.c       1.3
    /usr/src/sbin/ipfw/ipfw2.c  1.3

Any idea to fix this?

Attachment: screenlog.0

GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
IdlePTD at physical address 0x004cc000
initial pcb at physical address 0x0034fe40
panicstr: bwrite: buffer is not busy???
panic messages:
---
Fatal trap 18: integer divide fault while in kernel mode
instruction pointer     = 0x8:0xc02d198b
stack pointer           = 0x10:0xc6251b08
frame pointer           = 0x10:0xc6251b8c
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi1: net)
trap number             = 18
panic: integer divide fault

syncing disks... panic: bwrite: buffer is not busy???
Uptime: 1h4m54s
Dumping 63 MB
ata0: resetting devices ..
ata0: mask=03 ostat0=50 ostat2=00
ad0: ATAPI 00 00
ata0-slave: ATAPI 00 00
ata0: mask=03 stat0=50 stat1=00
ad0: ATA 01 a5
ata0: devices=01
ad0: success setting PIO4 on generic chip
done
 16 32 48
---
#0  0xc018b4c1 in doadump () at /usr/src/sys/kern/kern_shutdown.c:353
353     }
(kgdb) bt
#0  0xc018b4c1 in doadump () at /usr/src/sys/kern/kern_shutdown.c:353
#1  0xc018b94b in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:353
#2  0xc018bb2d in panic (fmt=0xc02eb9cb "bwrite: buffer is not busy???")
    at /usr/src/sys/kern/kern_shutdown.c:353
#3  0xc01c4ea2 in bwrite (bp=0xc2523120) at /usr/src/sys/kern/vfs_bio.c:1368
#4  0xc01c642e in vfs_bio_awrite (bp=0xc2523120) at /usr/src/sys/kern/vfs_bio.c:1368
#5  0xc0160b4b in spec_fsync (ap=0xc6251950) at /usr/src/sys/fs/specfs/spec_vnops.c:837
#6  0xc016068c in spec_vnoperate (ap=0xc6251950) at /usr/src/sys/fs/specfs/spec_vnops.c:837
#7  0xc026e743 in ffs_sync (mp=0xc1275000, waitfor=2, cred=0xc09dcd80, td=0xc031eb20)
    at /usr/src/sys/ufs/ffs/ffs_vfsops.c:813
#8  0xc01d65bb in sync (td=0xc031eb20, uap=0x0) at /usr/src/sys/kern/vfs_syscalls.c:584
#9  0xc018b5bc in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:353
#10 0xc018bb2d in panic (fmt=0xc030ccde "%s") at /usr/src/sys/kern/kern_shutdown.c:353
#11 0xc02c0683 in trap_fatal (frame=0xc6251ac8, eva=0) at /usr/src/sys/i386/i386/trap.c:655
#12 0xc02c00c2 in trap (frame={tf_fs = 24, tf_es = -1070727152, tf_ds = 16, tf_edi = 1,
    tf_esi = 0, tf_ebp = -970646644, tf_isp = -970646796, tf_ebx = 3145728, tf_edx = 0,
    tf_ecx = 0, tf_eax = 1, tf_trapno = 18, tf_err = 0, tf_eip = -1070786165, tf_cs = 8,
    tf_eflags = 66118, tf_esp = 0, tf_ss = 0}) at /usr/src/sys/i386/i386/trap.c:655
#13 0xc02d198b in __qdivrem (uq=3145728, vq=0, arq=0x0) at /usr/src/sys/libkern/qdivrem.c:277
#14 0xc02d1e2e in __udivdi3 (a=3145728, b=0) at /usr/src/sys/libkern/udivdi3.c:51
#15 0xc01f9c69 in dummynet_io (m=0xc0a10d00, pipe_nr=1, dir=2, fwa=0xc6251c44)
    at /usr/src/sys/netinet/ip_dummynet.c:1227
#16 0xc01ffcf2 in ip_input (m=0xc0a10d00) at /usr/src/sys/netinet/ip_input.c:843
#17 0xc0200452 in ipintr () at /usr/src/sys/netinet/ip_input.c:843
#18 0xc0178ed7 in swi_net (dummy=0x0) at /usr/src/sys/kern/kern_intr.c:561
#19 0xc0178bf6 in ithread_loop (arg=0xc09f8100) at /usr/src/sys/kern/kern_intr.c:561
#20 0xc0177ec6 in fork_exit (callout=0xc0178a34, arg=0xc09f8100, frame=0xc6251d48)
    at /usr/src/sys/kern/kern_fork.c:734
(kgdb) frame 15
#15 0xc01f9c69 in dummynet_io (m=0xc0a10d00, pipe_nr=1, dir=2, fwa=0xc6251c44)
    at /usr/src/sys/netinet/ip_dummynet.c:1227
1227    }
(kgdb) list
1222            splx(s);
1223            if (q)
1224                    q->drops++ ;
1225            m_freem(m);
1226            return ENOBUFS ;
1227    }
1228
1229    /*
1230     * Below, the rt_unref is only needed when (pkt->dn_dir == DN_TO_IP_OUT)
1231     * Doing this would probably save us the initial bzero of dn_pkt
(kgdb) # hmm...
(kgdb) print fs->weight
$1 = 0
(kgdb) print action
$2 = 42
(kgdb) print fwa->rule->cmd[fwa->rule->act_ofs].opcode
$3 = O_LOG
(kgdb) print *fs
$4 = {next = 0x0, fs_nr = 0, flags_fs = 0, pipe = 0xc13cf100, parent_nr = 0, weight = 0,
  qsize = 50, plr = 0, flow_mask = {dst_ip = 0, src_ip = 0, dst_port = 0, src_port = 0,
  proto = 0 '\000', flags = 0 '\000'}, rq_size = 1, rq_elements = 1, rq = 0xc121c650,
  last_expired = 0, backlogged = 0, w_q = 0, max_th = 0, min_th = 0, max_p = 0, c_1 = 0,
  c_2 = 0, c_3 = 0, c_4 = 0, w_q_lookup = 0x0, lookup_depth = 0, lookup_step = 0,
  lookup_weight = 0, avg_pkt_size = 0, max_pkt_size = 0}
(kgdb)
qhwt@gzl$ exit
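An added example, not code from this post or from FreeBSD, that models the two findings in the kgdb session: an action lookup that reads only the opcode at act_ofs and therefore sees O_LOG for a rule written with "log", and the weighted-fair-queueing division that trapped once a flow set with weight 0 was treated as a queue. The struct layout, function names, the O_PIPE/O_QUEUE values and MY_M = 16 are assumptions (with MY_M = 16 the dividend 3145728 in frame #13 is 48 << 16, i.e. a 48-byte packet); O_LOG = 42 is what kgdb printed.

```c
#include <stdint.h>
#include <stddef.h>

/* Opcode values: O_LOG = 42 matches the kgdb output ("$2 = 42", "$3 = O_LOG");
 * O_PIPE and O_QUEUE are constructed stand-ins, not ipfw2's real values. */
enum { O_LOG = 42, O_PIPE = 43, O_QUEUE = 44 };

/* Hypothetical instruction layout modelled on ipfw2: an opcode plus its
 * length in instruction slots, so a lookup can step over it. */
struct insn { uint8_t opcode; uint8_t len; };

struct rule {
    uint16_t    act_ofs;   /* index of the first action instruction */
    struct insn cmd[4];
};

/* Naive lookup: reads only cmd[act_ofs]. For a rule built with "log",
 * the instruction there is O_LOG, not the pipe/queue action, so the
 * caller cannot tell a pipe from a queue. */
int naive_action(const struct rule *r)
{
    return r->cmd[r->act_ofs].opcode;
}

/* Hardened lookup: step over a leading O_LOG before classifying. */
int real_action(const struct rule *r)
{
    const struct insn *c = &r->cmd[r->act_ofs];
    if (c->opcode == O_LOG)
        c += c->len;
    return c->opcode;
}

#define MY_M 16   /* assumed fixed-point shift of the finish-time update */

/* The division behind frames #13/#14: (len << MY_M) / weight. A pipe's
 * embedded flow set carries weight 0, so a caller that mistook a pipe
 * for a queue divides by zero here. Refuse instead of trapping. */
int64_t finish_time_step(uint32_t len, uint32_t weight)
{
    if (weight == 0)
        return -1;   /* caller must treat this as a configuration error */
    return (int64_t)(((uint64_t)len << MY_M) / weight);
}

/* Constructed rule equivalent to "pipe 1 log ...": O_LOG, then O_PIPE. */
const struct rule log_pipe_rule = {
    .act_ofs = 0,
    .cmd = { { O_LOG, 1 }, { O_PIPE, 1 }, { 0, 0 }, { 0, 0 } },
};
```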