Date: Tue, 16 Jul 2002 09:33:46 -0700
From: Luigi Rizzo <luigi@freebsd.org>
To: current@freebsd.org
Subject: Re: integer devide fault in dummynet_io
Message-ID: <20020716093346.A1445@iguana.icir.org>
In-Reply-To: <20020716154545.GA696.qhwt@myrealbox.com>; from qhwt@myrealbox.com on Wed, Jul 17, 2002 at 12:45:45AM +0900
References: <20020716154545.GA696.qhwt@myrealbox.com>
thanks for the report, i am going to commit a fix for this soon.
It is funny that i remember to have hit exactly this bug myself some
time ago, and i thought i had fixed it already, presumably the change
got lost at some point...

cheers
luigi

> Hello. I have the following rules in my ipfw.rules:
>
> pipe 1 config bw 3kbit/s
> add 1000 pipe 1 log logamount 0 tcp from any to me 80 setup in
> add 1010 pipe 1 log logamount 0 tcp from any to me 25 setup in
>
> so that I can log and slow down incoming Nimda/open-relay probes.
>
> After new ipfw code came into the tree, my machine started to panic
> occasionally after thirty minutes or so connected to the Internet.
> After a few panics, I managed to get the backtrace. Unfortunately the
> line number seems to be screwed, but it's still enough to spot where
> it panicked (attached).
>
> In the frame 15 in dummynet_io(), fs->weight was holding zero at line 1182,
> which leads to a zero-division. Surprisingly, 'action' was O_LOG rather than
> O_PIPE or O_QUEUE, even though the function is assuming only one of them.
>
> I'm running current as of 2002-06-29(UTC) with the following files
> updated to more recent revisions:
> /sys/netinet/ip_fw.h 1.70
> /sys/netinet/ip_fw2.c 1.3
> /usr/src/sbin/ipfw/ipfw2.c 1.3
>
> Any idea to fix this?

> GNU gdb 4.18 (FreeBSD)
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-unknown-freebsd"...
> IdlePTD at physical address 0x004cc000
> initial pcb at physical address 0x0034fe40
> panicstr: bwrite: buffer is not busy???
> panic messages:
> ---
> Fatal trap 18: integer divide fault while in kernel mode
> instruction pointer = 0x8:0xc02d198b
> stack pointer = 0x10:0xc6251b08
> frame pointer = 0x10:0xc6251b8c
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, def32 1, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 12 (swi1: net)
> trap number = 18
> panic: integer divide fault
>
> syncing disks... panic: bwrite: buffer is not busy???
> Uptime: 1h4m54s
> Dumping 63 MB
> ata0: resetting devices .. ata0: mask=03 ostat0=50 ostat2=00
> ad0: ATAPI 00 00
> ata0-slave: ATAPI 00 00
> ata0: mask=03 stat0=50 stat1=00
> ad0: ATA 01 a5
> ata0: devices=01
> ad0: success setting PIO4 on generic chip
> done
> 16 32 48
> ---
> #0 0xc018b4c1 in doadump () at /usr/src/sys/kern/kern_shutdown.c:353
> 353 }
> (kgdb) bt
> #0 0xc018b4c1 in doadump () at /usr/src/sys/kern/kern_shutdown.c:353
> #1 0xc018b94b in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:353
> #2 0xc018bb2d in panic (fmt=0xc02eb9cb "bwrite: buffer is not busy???")
>     at /usr/src/sys/kern/kern_shutdown.c:353
> #3 0xc01c4ea2 in bwrite (bp=0xc2523120) at /usr/src/sys/kern/vfs_bio.c:1368
> #4 0xc01c642e in vfs_bio_awrite (bp=0xc2523120)
>     at /usr/src/sys/kern/vfs_bio.c:1368
> #5 0xc0160b4b in spec_fsync (ap=0xc6251950)
>     at /usr/src/sys/fs/specfs/spec_vnops.c:837
> #6 0xc016068c in spec_vnoperate (ap=0xc6251950)
>     at /usr/src/sys/fs/specfs/spec_vnops.c:837
> #7 0xc026e743 in ffs_sync (mp=0xc1275000, waitfor=2, cred=0xc09dcd80,
>     td=0xc031eb20) at /usr/src/sys/ufs/ffs/ffs_vfsops.c:813
> #8 0xc01d65bb in sync (td=0xc031eb20, uap=0x0)
>     at /usr/src/sys/kern/vfs_syscalls.c:584
> #9 0xc018b5bc in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:353
> #10 0xc018bb2d in panic (fmt=0xc030ccde "%s")
>     at /usr/src/sys/kern/kern_shutdown.c:353
> #11 0xc02c0683 in trap_fatal (frame=0xc6251ac8, eva=0)
>     at /usr/src/sys/i386/i386/trap.c:655
> #12 0xc02c00c2 in trap (frame={tf_fs = 24, tf_es = -1070727152, tf_ds = 16,
>     tf_edi = 1, tf_esi = 0, tf_ebp = -970646644, tf_isp = -970646796,
>     tf_ebx = 3145728, tf_edx = 0, tf_ecx = 0, tf_eax = 1, tf_trapno = 18,
>     tf_err = 0, tf_eip = -1070786165, tf_cs = 8, tf_eflags = 66118,
>     tf_esp = 0, tf_ss = 0}) at /usr/src/sys/i386/i386/trap.c:655
> #13 0xc02d198b in __qdivrem (uq=3145728, vq=0, arq=0x0)
>     at /usr/src/sys/libkern/qdivrem.c:277
> #14 0xc02d1e2e in __udivdi3 (a=3145728, b=0)
>     at /usr/src/sys/libkern/udivdi3.c:51
> #15 0xc01f9c69 in dummynet_io (m=0xc0a10d00, pipe_nr=1, dir=2, fwa=0xc6251c44)
>     at /usr/src/sys/netinet/ip_dummynet.c:1227
> #16 0xc01ffcf2 in ip_input (m=0xc0a10d00)
>     at /usr/src/sys/netinet/ip_input.c:843
> #17 0xc0200452 in ipintr () at /usr/src/sys/netinet/ip_input.c:843
> #18 0xc0178ed7 in swi_net (dummy=0x0) at /usr/src/sys/kern/kern_intr.c:561
> #19 0xc0178bf6 in ithread_loop (arg=0xc09f8100)
>     at /usr/src/sys/kern/kern_intr.c:561
> #20 0xc0177ec6 in fork_exit (callout=0xc0178a34 <ithread_loop>,
>     arg=0xc09f8100, frame=0xc6251d48) at /usr/src/sys/kern/kern_fork.c:734
> (kgdb) frame 15
> #15 0xc01f9c69 in dummynet_io (m=0xc0a10d00, pipe_nr=1, dir=2, fwa=0xc6251c44)
>     at /usr/src/sys/netinet/ip_dummynet.c:1227
> 1227 }
> (kgdb) list
> 1222 splx(s);
> 1223 if (q)
> 1224 q->drops++ ;
> 1225 m_freem(m);
> 1226 return ENOBUFS ;
> 1227 }
> 1228
> 1229 /*
> 1230 * Below, the rt_unref is only needed when (pkt->dn_dir == DN_TO_IP_OUT)
> 1231 * Doing this would probably save us the initial bzero of dn_pkt
> (kgdb) # hmm...
> (kgdb) print fs->weight
> $1 = 0
> (kgdb) print action
> $2 = 42
> (kgdb) print fwa->rule->cmd[fwa->rule->act_ofs].opcode
> $3 = O_LOG
> (kgdb) print *fs
> $4 = {next = 0x0, fs_nr = 0, flags_fs = 0, pipe = 0xc13cf100, parent_nr = 0,
>   weight = 0, qsize = 50, plr = 0, flow_mask = {dst_ip = 0, src_ip = 0,
>   dst_port = 0, src_port = 0, proto = 0 '\000', flags = 0 '\000'},
>   rq_size = 1, rq_elements = 1, rq = 0xc121c650, last_expired = 0,
>   backlogged = 0, w_q = 0, max_th = 0, min_th = 0, max_p = 0, c_1 = 0,
>   c_2 = 0, c_3 = 0, c_4 = 0, w_q_lookup = 0x0, lookup_depth = 0,
>   lookup_step = 0, lookup_weight = 0, avg_pkt_size = 0, max_pkt_size = 0}
> (kgdb) qhwt@gzl$ exit
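The report narrows the trap to a division by fs->weight that was reached through an O_LOG action dummynet_io() was never written to handle. The following is an added example, not FreeBSD's ip_dummynet.c and not Luigi's fix: a reduced C model of that dispatch with the two checks a reviewer would ask for, refusing opcodes the scheduler is not designed for, and refusing a flow set whose weight is still zero before it can become a divisor. The structures, the lookup, the O_PIPE/O_QUEUE values and the pipe/queue configuration are constructed for the example; only the O_LOG value 42 and the dividend 3145728 come from the trace above.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Rule opcodes. 42 is the value the debugger printed for O_LOG in the trace;
 * the O_PIPE and O_QUEUE values are constructed and are not the kernel's. */
enum { O_LOG = 42, O_PIPE = 100, O_QUEUE = 101 };

/* Reduced flow-set and pipe records (hypothetical), keeping only the fields
 * the "print *fs" output shows matter here: fs_nr, weight, qsize. */
struct flow_set { int fs_nr; int weight; int qsize; };
struct pipe     { int pipe_nr; struct flow_set fs; };

/* Constructed configuration: pipe 1 (as in the reporter's ipfw.rules) with
 * its weight initialised, plus queue 7 whose weight was never set, which
 * reproduces the "weight = 0" state from the trace without any division. */
static struct pipe     pipes[]  = { { 1, { 1, 1, 50 } } };
static struct flow_set queues[] = { { 7, 0, 50 } };

static struct flow_set *lookup_flow_set(int action, int nr)
{
    size_t i;

    if (action == O_PIPE) {
        for (i = 0; i < sizeof pipes / sizeof pipes[0]; i++)
            if (pipes[i].pipe_nr == nr)
                return &pipes[i].fs;
    } else if (action == O_QUEUE) {
        for (i = 0; i < sizeof queues / sizeof queues[0]; i++)
            if (queues[i].fs_nr == nr)
                return &queues[i];
    }
    return NULL;
}

/* Weighted cost of a packet of 'len' bytes (len / weight), or -errno.
 * Guard 1: only O_PIPE and O_QUEUE are meaningful here; anything else (the
 * O_LOG the trace shows) is a caller bug and is refused, not assumed away.
 * Guard 2: a flow set whose weight is still 0 must never be used as a divisor. */
static int64_t schedule_cost(int action, int nr, uint64_t len)
{
    struct flow_set *fs;

    if (action != O_PIPE && action != O_QUEUE)
        return -EINVAL;
    fs = lookup_flow_set(action, nr);
    if (fs == NULL)
        return -ENOENT;
    if (fs->weight <= 0)
        return -EINVAL;
    return (int64_t)(len / (uint64_t)fs->weight);
}

int main(void)
{
    /* 3145728 is the dividend the trace shows entering __udivdi3. */
    printf("O_PIPE  pipe 1:  %lld\n", (long long)schedule_cost(O_PIPE, 1, 3145728));
    printf("O_LOG   pipe 1:  %lld\n", (long long)schedule_cost(O_LOG, 1, 3145728));
    printf("O_QUEUE queue 7: %lld\n", (long long)schedule_cost(O_QUEUE, 7, 3145728));
    return 0;
}
```

The point of returning an error from the unexpected-opcode path rather than falling through is that the kernel's own divide trap is the only thing that reports the inconsistency otherwise; an explicit refusal keeps the packet drop local and leaves a value a caller can count or log.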