Date: Mon, 29 Jul 2002 14:51:38 +0400 (MSD)
From: romanp@unshadow.net
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/41114: ipfw2 + dummynet + bridge = kernel panic
Message-ID: <200207291051.g6TApcIq092992@room101.wuppy.net.ru>
>Number: 41114
>Category: kern
>Synopsis: ipfw2 + dummynet + bridge = kernel panic
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jul 29 04:00:07 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Roman V. Palagin
>Release: FreeBSD 4.6-20020725-STABLE i386
>Organization:
>Environment:
FreeBSD shaper.wuppy.net.ru 4.6-20020725-STABLE FreeBSD 4.6-20020725-STABLE #0: Mon Jul 29 09:39:05 MSD 2002 romanp@builder.unshadow.net:/opt/sys/compile/SHAPER.ipfw2 i386
>Description:
A kernel panic occurs when a packet from the bridge code
is passed to dummynet.
Backtrace:
Script started on Mon Jul 29 10:31:20 2002
builder# gdb -k -c vmcore -se kernel
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
IdlePTD at phsyical address 0x00327000
initial pcb at physical address 0x00291860
panicstr: page fault
panic messages:
---
Fatal trap 18: integer divide fault while in kernel mode
instruction pointer = 0x8:0xc023cd16
stack pointer = 0x10:0xc0272cd4
frame pointer = 0x10:0xc0272d40
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = Idle
interrupt mask = net
trap number = 18
panic: integer divide fault
syncing disks...
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x30
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc01eef14
stack pointer = 0x10:0xc0272b1c
frame pointer = 0x10:0xc0272b24
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = Idle
interrupt mask = net bio cam
trap number = 12
panic: page fault
Uptime: 4m44s
dumping to dev #ad/0x20001, offset 65536
dump ata0: resetting devices .. done
32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
---
#0 dumpsys () at ../../kern/kern_shutdown.c:487
487 if (dumping++) {
(kgdb) bt
#0 dumpsys () at ../../kern/kern_shutdown.c:487
#1 0xc014ecfb in boot (howto=260) at ../../kern/kern_shutdown.c:316
#2 0xc014f120 in poweroff_wait (junk=0xc026c3ec, howto=-1071202545)
at ../../kern/kern_shutdown.c:595
#3 0xc023024e in trap_fatal (frame=0xc0272adc, eva=48)
at ../../i386/i386/trap.c:974
#4 0xc022ff21 in trap_pfault (frame=0xc0272adc, usermode=0, eva=48)
at ../../i386/i386/trap.c:867
#5 0xc022fadf in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16,
tf_edi = -1070945760, tf_esi = 0, tf_ebp = -1071174876, tf_isp = -1071174904,
tf_ebx = -1071094756, tf_edx = 6864896, tf_ecx = 2, tf_eax = 0,
tf_trapno = 12, tf_err = 0, tf_eip = -1071714540, tf_cs = 8,
tf_eflags = 66054, tf_esp = 0, tf_ss = 0}) at ../../i386/i386/trap.c:466
#6 0xc01eef14 in acquire_lock (lk=0xc028641c) at ../../ufs/ffs/ffs_softdep.c:266
#7 0xc01f3536 in softdep_fsync_mountdev (vp=0xc5881cc0)
at ../../ufs/ffs/ffs_softdep.c:4024
#8 0xc01f7766 in ffs_fsync (ap=0xc0272b98) at ../../ufs/ffs/ffs_vnops.c:134
#9 0xc01f63f7 in ffs_sync (mp=0xc1d22600, waitfor=2, cred=0xc04f4580, p=0xc02aaa20)
at vnode_if.h:558
#10 0xc017e463 in sync (p=0xc02aaa20, uap=0x0) at ../../kern/vfs_syscalls.c:576
#11 0xc014ea96 in boot (howto=256) at ../../kern/kern_shutdown.c:235
#12 0xc014f120 in poweroff_wait (junk=0xc026c3ec, howto=-1071202582)
at ../../kern/kern_shutdown.c:595
#13 0xc023024e in trap_fatal (frame=0xc0272c94, eva=0) at ../../i386/i386/trap.c:974
#14 0xc022fc2b in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16,
tf_edi = -1042360200, tf_esi = 0, tf_ebp = -1071174336, tf_isp = -1071174464,
tf_ebx = 6422528, tf_edx = 0, tf_ecx = 0, tf_eax = 1, tf_trapno = 18,
tf_err = 0, tf_eip = -1071395562, tf_cs = 8, tf_eflags = 66118, tf_esp = 0,
tf_ss = -1042685952}) at ../../i386/i386/trap.c:636
#15 0xc023cd16 in __qdivrem (uq=6422528, vq=0, arq=0x0)
at ../../libkern/qdivrem.c:100
#16 0xc023d0f6 in __udivdi3 (a=6422528, b=0) at ../../libkern/udivdi3.c:50
#17 0xc019bb33 in dummynet_io (m=0xc050aa00, pipe_nr=2, dir=3, fwa=0xc0272e04)
at ../../netinet/ip_dummynet.c:1205
---Type <return> to continue, or q <return> to quit---
#18 0xc0187a9d in bdg_forward (m0=0xc050aa00, eh=0xc050d802, dst=0x5)
at ../../net/bridge.c:972
#19 0xc018a455 in ether_input (ifp=0xc1d02000, eh=0xc050d802, m=0xc050aa00)
at ../../net/if_ethersubr.c:589
#20 0xc01e3c2a in xl_rxeof (sc=0xc1d02000) at ../../pci/if_xl.c:1855
#21 0xc01e42bc in xl_intr (arg=0xc1d02000) at ../../pci/if_xl.c:2061
#22 0xc0229a4e in cpu_idle () at ../../i386/i386/machdep.c:1024
(kgdb) fr 18
#18 0xc0187a9d in bdg_forward (m0=0xc050aa00, eh=0xc050d802, dst=0x5)
at ../../net/bridge.c:972
972 ip_dn_io_ptr(m, (i & 0xffff),DN_TO_BDG_FWD, &args);
(kgdb) list
967 return m0 ;
968 bcopy(&save_eh, mtod(m, struct ether_header *), ETHER_HDR_LEN);
969 }
970
971 args.oif = real_dst;
972 ip_dn_io_ptr(m, (i & 0xffff),DN_TO_BDG_FWD, &args);
973 return m0 ;
974 }
975 /*
976 * XXX at some point, add support for divert/forward actions.
(kgdb) fr 17
#17 0xc019bb33 in dummynet_io (m=0xc050aa00, pipe_nr=2, dir=3, fwa=0xc0272e04)
at ../../netinet/ip_dummynet.c:1205
1205 q->F = q->S + ( len<<MY_M )/(u_int64_t) fs->weight;
(kgdb) list
1200 pipe->sum += fs->weight ; /* add weight of new queue */
1201 } else {
1202 heap_extract(&(pipe->idle_heap), q);
1203 q->S = MAX64(q->F, pipe->V ) ;
1204 }
1205 q->F = q->S + ( len<<MY_M )/(u_int64_t) fs->weight;
1206
1207 if (pipe->not_eligible_heap.elements == 0 &&
1208 pipe->scheduler_heap.elements == 0)
1209 pipe->V = MAX64 ( q->S, pipe->V );
(kgdb) p fs->weight
$1 = 0
(kgdb) p fwa
$2 = (struct ip_fw_args *) 0xc0272e04
(kgdb) p *fwa
$3 = {m = 0xc050aa00, oif = 0x5, next_hop = 0x0, rule = 0xc1d96080,
eh = 0xc0272df4, ro = 0xc050d802, dst = 0xc1d53970, flags = -1072138838, f_id = {
dst_ip = 3232236010, src_ip = 3232236020, dst_port = 0, src_port = 0,
proto = 1 '\001', flags = 8 '\b'}, divert_rule = 0, retval = 3251642368}
(kgdb) p/x *fwa
$4 = {m = 0xc050aa00, oif = 0x5, next_hop = 0x0, rule = 0xc1d96080,
eh = 0xc0272df4, ro = 0xc050d802, dst = 0xc1d53970, flags = 0xc01875aa, f_id = {
dst_ip = 0xc0a801ea, src_ip = 0xc0a801f4, dst_port = 0x0, src_port = 0x0,
proto = 0x1, flags = 0x8}, divert_rule = 0x0, retval = 0xc1d02000}
(kgdb) p/x *fwa->rule
$5 = {next = {le_next = 0xc1d99540, le_prev = 0x0}, fw_flg = 0x60004,
fw_pcnt = 0x100000064, fw_bcnt = 0x5400000000, fw_src = {s_addr = 0x0}, fw_dst = {
s_addr = 0x3d44dfaf}, fw_smsk = {s_addr = 0x201}, fw_dmsk = {
s_addr = 0xf401a8c0}, fw_number = 0x205, fw_prot = 0x0, fw_nports = 0x0,
fw_uar = {fw_pts = {0xa8c0, 0xea01, 0x231, 0x2, 0x0, 0x0, 0xb2, 0x0, 0x0, 0x0},
fw_icmptypes = {0xea01a8c0, 0x20231, 0x0, 0xb2}}, fw_ipflg = 0xc1d08168,
fw_iplen = 0x6100, fw_ipid = 0xc1d9, fw_ipopt = 0x48, fw_ipnopt = 0xa0,
fw_iptos = 0xd3, fw_ipntos = 0xc1, fw_ipttl = 0x40, fw_ipver = 0x0,
fw_tcpopt = 0xd9, fw_tcpnopt = 0xc1, fw_tcpf = 0x10, fw_tcpnf = 0x61,
fw_tcpwin = 0xc1d9, fw_tcpseq = 0xc587f2c0, fw_tcpack = 0x0,
timestamp = 0x642e0800, fw_in_if = {fu_via_ip = {s_addr = 0x696f6365},
fu_via_if = {name = {0x65, 0x63, 0x6f, 0x69, 0x6e, 0x69, 0x0, 0x0, 0x0, 0x0},
unit = 0x0}}, fw_out_if = {fu_via_ip = {s_addr = 0x0}, fu_via_if = {name = {
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80, 0xea}, unit = 0xc1cf}},
fw_un = {fu_divert_port = 0xc2, fu_pipe_nr = 0xc2, fu_skipto_rule = 0xc2,
fu_reject_code = 0xc2, fu_fwd_ip = {sin_len = 0xc2, sin_family = 0x0,
sin_port = 0x0, sin_addr = {s_addr = 0x0}, sin_zero = {0xec, 0x86, 0xd0,
0xc1, 0xc0, 0xa9, 0xd8, 0xc1}}}, pipe_ptr = 0xc1ded878,
next_rule_ptr = 0xc1d960c0, fw_uid = 0xc1d8a9d0, fw_gid = 0xc587f2c0,
fw_logamount = 0x0, fw_loghighest = 0x636d7265742e0800, dont_match_prob = 0x7061,
dyn_type = 0x0, limit_mask = 0x0, conn_limit = 0x0}
(kgdb) p/x fwa->rule->fw_flg
$6 = 0x60004
(kgdb) quit
Script done on Mon Jul 29 10:42:10 2002
ipfw sh:
00100 0 0 pipe 2 ip from 192.168.1.244 to 192.168.1.234
00200 0 0 pipe 1 ip from 192.168.1.234 to 192.168.1.244
65535 21 2783 allow ip from any to any
ipfw pipe sh:
00001: 256.000 Kbit/s 0 ms 50 sl. 0 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00002: 256.000 Kbit/s 0 ms 50 sl. 0 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
192.168.1.234 and 192.168.1.244 reside on different interfaces of
the bridge machine. The bridge itself doesn't have an IP address at all.
>How-To-Repeat:
Enable IPFW2 and bridge, configure pipes for machines on
different Ethernet interfaces, and ping one from the other
- oops :)
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
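
Added example, not part of the original report and not FreeBSD source: a userland model of the expression at ip_dummynet.c:1205 from the kgdb listing, showing what the dividend in frame #15 says about the packet and how a zero-weight check avoids the divide fault. The value MY_M = 16 and the helper names are assumptions; the PR's Fix field is empty, so this is not the project's fix.

```c
/* Added illustration; models line 1205 of the kgdb listing in userland. */
#include <stdint.h>
#include <stdio.h>

#define MY_M 16   /* assumption: fixed-point shift; the page shows only the name */

/* Recover the packet length from the dividend handed to __qdivrem (uq). */
static uint64_t len_from_dividend(uint64_t uq)
{
    return uq >> MY_M;
}

/*
 * Guarded form of: q->F = q->S + (len << MY_M) / (u_int64_t) fs->weight;
 * Returns 0 and stores the finish time in *F, or -1 when weight is 0
 * (the value kgdb printed for fs->weight), so the caller can drop the
 * packet instead of taking an integer divide fault. *F is left untouched
 * on failure.
 */
static int finish_time(uint64_t S, uint64_t len, uint32_t weight, uint64_t *F)
{
    if (weight == 0)
        return -1;
    *F = S + (len << MY_M) / (uint64_t)weight;
    return 0;
}

int main(void)
{
    uint64_t F = 0;
    uint64_t len = len_from_dividend(6422528);  /* uq from frame #15 */

    printf("len = %llu bytes\n", (unsigned long long)len);
    if (finish_time(0, len, 0, &F) != 0)        /* weight from "p fs->weight" */
        printf("weight 0 rejected, packet would be dropped\n");
    if (finish_time(0, len, 1, &F) == 0)        /* constructed valid weight */
        printf("weight 1 -> F = %llu\n", (unsigned long long)F);
    return 0;
}
```

Under the MY_M assumption the dividend decodes to a 98-byte packet, so a single ordinary-sized frame crossing the bridge was enough to reach the division.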
