From owner-freebsd-bugs Mon Jul 29 4: 0:20 2002
Message-Id: <200207291051.g6TApcIq092992@room101.wuppy.net.ru>
Date: Mon, 29 Jul 2002 14:51:38 +0400 (MSD)
From: romanp@unshadow.net
Reply-To: romanp@unshadow.net
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/41114: ipfw2 + dummynet + bridge = kernel panic
Sender: owner-freebsd-bugs@FreeBSD.ORG

>Number:         41114
>Category:       kern
>Synopsis:       ipfw2 + dummynet + bridge = kernel panic
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 29 04:00:07 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Roman V. Palagin
>Release:        FreeBSD 4.6-20020725-STABLE i386
>Organization:
>Environment:
FreeBSD shaper.wuppy.net.ru 4.6-20020725-STABLE FreeBSD 4.6-20020725-STABLE #0: Mon Jul 29 09:39:05 MSD 2002 romanp@builder.unshadow.net:/opt/sys/compile/SHAPER.ipfw2 i386

>Description:
Kernel panic occurs when a packet from the bridge code is passed to dummynet.

Backtrace:

Script started on Mon Jul 29 10:31:20 2002
builder# gdb -k -c vmcore -se kernel
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
IdlePTD at phsyical address 0x00327000
initial pcb at physical address 0x00291860
panicstr: page fault
panic messages:
---
Fatal trap 18: integer divide fault while in kernel mode
instruction pointer     = 0x8:0xc023cd16
stack pointer           = 0x10:0xc0272cd4
frame pointer           = 0x10:0xc0272d40
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = Idle
interrupt mask          = net
trap number             = 18
panic: integer divide fault

syncing disks...

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x30
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc01eef14
stack pointer           = 0x10:0xc0272b1c
frame pointer           = 0x10:0xc0272b24
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = Idle
interrupt mask          = net bio cam
trap number             = 12
panic: page fault
Uptime: 4m44s

dumping to dev #ad/0x20001, offset 65536
dump ata0: resetting devices .. done
32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
---
#0  dumpsys () at ../../kern/kern_shutdown.c:487
487             if (dumping++) {
(kgdb) bt
#0  dumpsys () at ../../kern/kern_shutdown.c:487
#1  0xc014ecfb in boot (howto=260) at ../../kern/kern_shutdown.c:316
#2  0xc014f120 in poweroff_wait (junk=0xc026c3ec, howto=-1071202545)
    at ../../kern/kern_shutdown.c:595
#3  0xc023024e in trap_fatal (frame=0xc0272adc, eva=48)
    at ../../i386/i386/trap.c:974
#4  0xc022ff21 in trap_pfault (frame=0xc0272adc, usermode=0, eva=48)
    at ../../i386/i386/trap.c:867
#5  0xc022fadf in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16,
      tf_edi = -1070945760, tf_esi = 0, tf_ebp = -1071174876,
      tf_isp = -1071174904, tf_ebx = -1071094756, tf_edx = 6864896,
      tf_ecx = 2, tf_eax = 0, tf_trapno = 12, tf_err = 0,
      tf_eip = -1071714540, tf_cs = 8, tf_eflags = 66054, tf_esp = 0,
      tf_ss = 0}) at ../../i386/i386/trap.c:466
#6  0xc01eef14 in acquire_lock (lk=0xc028641c)
    at ../../ufs/ffs/ffs_softdep.c:266
#7  0xc01f3536 in softdep_fsync_mountdev (vp=0xc5881cc0)
    at ../../ufs/ffs/ffs_softdep.c:4024
#8  0xc01f7766 in ffs_fsync (ap=0xc0272b98)
    at ../../ufs/ffs/ffs_vnops.c:134
#9  0xc01f63f7 in ffs_sync (mp=0xc1d22600, waitfor=2, cred=0xc04f4580,
    p=0xc02aaa20) at vnode_if.h:558
#10 0xc017e463 in sync (p=0xc02aaa20, uap=0x0)
    at ../../kern/vfs_syscalls.c:576
#11 0xc014ea96 in boot (howto=256) at ../../kern/kern_shutdown.c:235
#12 0xc014f120 in poweroff_wait (junk=0xc026c3ec, howto=-1071202582)
    at ../../kern/kern_shutdown.c:595
#13 0xc023024e in trap_fatal (frame=0xc0272c94, eva=0)
    at ../../i386/i386/trap.c:974
#14 0xc022fc2b in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16,
      tf_edi = -1042360200, tf_esi = 0, tf_ebp = -1071174336,
      tf_isp = -1071174464, tf_ebx = 6422528, tf_edx = 0, tf_ecx = 0,
      tf_eax = 1, tf_trapno = 18, tf_err = 0, tf_eip = -1071395562,
      tf_cs = 8, tf_eflags = 66118, tf_esp = 0, tf_ss = -1042685952})
    at ../../i386/i386/trap.c:636
#15 0xc023cd16 in __qdivrem (uq=6422528, vq=0, arq=0x0)
    at ../../libkern/qdivrem.c:100
#16 0xc023d0f6 in __udivdi3 (a=6422528, b=0)
    at ../../libkern/udivdi3.c:50
#17 0xc019bb33 in dummynet_io (m=0xc050aa00, pipe_nr=2, dir=3,
    fwa=0xc0272e04) at ../../netinet/ip_dummynet.c:1205
---Type to continue, or q to quit---
#18 0xc0187a9d in bdg_forward (m0=0xc050aa00, eh=0xc050d802, dst=0x5)
    at ../../net/bridge.c:972
#19 0xc018a455 in ether_input (ifp=0xc1d02000, eh=0xc050d802,
    m=0xc050aa00) at ../../net/if_ethersubr.c:589
#20 0xc01e3c2a in xl_rxeof (sc=0xc1d02000) at ../../pci/if_xl.c:1855
#21 0xc01e42bc in xl_intr (arg=0xc1d02000) at ../../pci/if_xl.c:2061
#22 0xc0229a4e in cpu_idle () at ../../i386/i386/machdep.c:1024
(kgdb) fr 18
#18 0xc0187a9d in bdg_forward (m0=0xc050aa00, eh=0xc050d802, dst=0x5)
    at ../../net/bridge.c:972
972         ip_dn_io_ptr(m, (i & 0xffff),DN_TO_BDG_FWD, &args);
(kgdb) list
967             return m0 ;
968         bcopy(&save_eh, mtod(m, struct ether_header *), ETHER_HDR_LEN);
969     }
970
971     args.oif = real_dst;
972     ip_dn_io_ptr(m, (i & 0xffff),DN_TO_BDG_FWD, &args);
973     return m0 ;
974     }
975     /*
976      * XXX at some point, add support for divert/forward actions.
(kgdb) fr 17
#17 0xc019bb33 in dummynet_io (m=0xc050aa00, pipe_nr=2, dir=3,
    fwa=0xc0272e04) at ../../netinet/ip_dummynet.c:1205
1205            q->F = q->S + ( len<weight;
(kgdb) list
1200            pipe->sum += fs->weight ; /* add weight of new queue */
1201        } else {
1202            heap_extract(&(pipe->idle_heap), q);
1203            q->S = MAX64(q->F, pipe->V ) ;
1204        }
1205        q->F = q->S + ( len<weight;
1206
1207        if (pipe->not_eligible_heap.elements == 0 &&
1208            pipe->scheduler_heap.elements == 0)
1209            pipe->V = MAX64 ( q->S, pipe->V );
(kgdb) p fs->weight
$1 = 0
(kgdb) p fwa
$2 = (struct ip_fw_args *) 0xc0272e04
(kgdb) p *fwa
$3 = {m = 0xc050aa00, oif = 0x5, next_hop = 0x0, rule = 0xc1d96080,
  eh = 0xc0272df4, ro = 0xc050d802, dst = 0xc1d53970, flags = -1072138838,
  f_id = {dst_ip = 3232236010, src_ip = 3232236020, dst_port = 0,
    src_port = 0, proto = 1 '\001', flags = 8 '\b'}, divert_rule = 0,
  retval = 3251642368}
(kgdb) p/x *fwa
$4 = {m = 0xc050aa00, oif = 0x5, next_hop = 0x0, rule = 0xc1d96080,
  eh = 0xc0272df4, ro = 0xc050d802, dst = 0xc1d53970, flags = 0xc01875aa,
  f_id = {dst_ip = 0xc0a801ea, src_ip = 0xc0a801f4, dst_port = 0x0,
    src_port = 0x0, proto = 0x1, flags = 0x8}, divert_rule = 0x0,
  retval = 0xc1d02000}
(kgdb) p/x *fwa->rule
$5 = {next = {le_next = 0xc1d99540, le_prev = 0x0}, fw_flg = 0x60004,
  fw_pcnt = 0x100000064, fw_bcnt = 0x5400000000, fw_src = {s_addr = 0x0},
  fw_dst = {s_addr = 0x3d44dfaf}, fw_smsk = {s_addr = 0x201},
  fw_dmsk = {s_addr = 0xf401a8c0}, fw_number = 0x205, fw_prot = 0x0,
  fw_nports = 0x0, fw_uar = {fw_pts = {0xa8c0, 0xea01, 0x231, 0x2, 0x0,
      0x0, 0xb2, 0x0, 0x0, 0x0}, fw_icmptypes = {0xea01a8c0, 0x20231, 0x0,
      0xb2}}, fw_ipflg = 0xc1d08168, fw_iplen = 0x6100, fw_ipid = 0xc1d9,
  fw_ipopt = 0x48, fw_ipnopt = 0xa0, fw_iptos = 0xd3, fw_ipntos = 0xc1,
  fw_ipttl = 0x40, fw_ipver = 0x0, fw_tcpopt = 0xd9, fw_tcpnopt = 0xc1,
  fw_tcpf = 0x10, fw_tcpnf = 0x61, fw_tcpwin = 0xc1d9,
  fw_tcpseq = 0xc587f2c0, fw_tcpack = 0x0, timestamp = 0x642e0800,
  fw_in_if = {fu_via_ip = {s_addr = 0x696f6365}, fu_via_if = {name = {0x65,
        0x63, 0x6f, 0x69, 0x6e, 0x69, 0x0, 0x0, 0x0, 0x0}, unit = 0x0}},
  fw_out_if = {fu_via_ip = {s_addr = 0x0}, fu_via_if = {name = {0x0, 0x0,
        0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80, 0xea}, unit = 0xc1cf}},
  fw_un = {fu_divert_port = 0xc2, fu_pipe_nr = 0xc2, fu_skipto_rule = 0xc2,
    fu_reject_code = 0xc2, fu_fwd_ip = {sin_len = 0xc2, sin_family = 0x0,
      sin_port = 0x0, sin_addr = {s_addr = 0x0}, sin_zero = {0xec, 0x86,
        0xd0, 0xc1, 0xc0, 0xa9, 0xd8, 0xc1}}}, pipe_ptr = 0xc1ded878,
  next_rule_ptr = 0xc1d960c0, fw_uid = 0xc1d8a9d0, fw_gid = 0xc587f2c0,
  fw_logamount = 0x0, fw_loghighest = 0x636d7265742e0800,
  dont_match_prob = 0x7061, dyn_type = 0x0, limit_mask = 0x0,
  conn_limit = 0x0}
(kgdb) p/x fwa->rule->fw_flg
$6 = 0x60004
(kgdb) quit

Script done on Mon Jul 29 10:42:10 2002

ipfw sh:

00100  0    0 pipe 2 ip from 192.168.1.244 to 192.168.1.234
00200  0    0 pipe 1 ip from 192.168.1.234 to 192.168.1.244
65535 21 2783 allow ip from any to any

ipfw pipe sh:

00001: 256.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00002: 256.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000

192.168.1.234 and 192.168.1.244 reside on different interfaces of the bridge machine. The bridge itself doesn't have an IP address at all.

>How-To-Repeat:
Enable IPFW2, bridge, configure pipes for machines from different ethernet interfaces, ping one from another - oops :)

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
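
Added example, not part of the original report and not FreeBSD source: a user-space model of the finish-time division that frames #15-#17 show trapping, with the zero-weight guard a defender would want before the divide. The struct and function names are hypothetical, and the shift MY_M = 16 is an assumption inferred from the dumped dividend (a=6422528 equals 98 << 16).

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 16-bit fixed-point shift, inferred from a=6422528 == 98 << 16. */
#define MY_M 16

/* Hypothetical, reduced stand-ins for the kernel's flow set and queue. */
struct flow_set   { uint32_t weight; };
struct flow_queue { uint64_t S, F; };

/* Recover the packet length from the dividend seen in frame #16. */
uint32_t dividend_to_len(uint64_t dividend)
{
    return (uint32_t)(dividend >> MY_M);
}

/*
 * Set F = S + (len << MY_M) / weight.
 * Returns 0 on success, or EINVAL without dividing when weight is 0,
 * the state the dump shows (p fs->weight == 0).
 */
int set_finish_time(struct flow_queue *q, const struct flow_set *fs,
                    uint32_t len)
{
    if (q == NULL || fs == NULL || fs->weight == 0)
        return EINVAL;
    q->F = q->S + ((uint64_t)len << MY_M) / fs->weight;
    return 0;
}

int main(void)
{
    struct flow_queue q = { 0, 0 };
    struct flow_set unset = { 0 };   /* constructed: weight as in the dump */
    struct flow_set sane  = { 1 };   /* constructed: a nonzero weight */
    uint32_t len = dividend_to_len(6422528ULL);
    int rc;

    printf("len from dump: %u bytes\n", (unsigned)len);
    printf("weight 0 -> %s\n",
           set_finish_time(&q, &unset, len) == EINVAL ? "EINVAL" : "ok");
    rc = set_finish_time(&q, &sane, len);
    printf("weight 1 -> rc=%d F=%llu\n", rc, (unsigned long long)q.F);
    return 0;
}
```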