From owner-freebsd-bugs@FreeBSD.ORG Fri Aug 26 18:40:23 2005
Date: Fri, 26 Aug 2005 18:40:22 GMT
Message-Id: <200508261840.j7QIeMD0025909@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Pawel Malachowski
Subject: Re: kern/85258: changing promisc mode on nic can lead to kernel panic

The following reply was made to PR kern/85258; it has been noted by GNATS.

From: Pawel Malachowski
To: FreeBSD-gnats-submit@freebsd.org
Cc: freebsd-bugs@freebsd.org
Subject: Re: kern/85258: changing promisc mode on nic can lead to kernel panic
Date: Fri, 26 Aug 2005 20:30:24 +0200

On Wed, Aug 24, 2005 at 12:10:20PM +0000, Pawel Malachowski wrote:

> FYI, when polling enable was set to 0, ifconfig promisc and -promisc in loop,
> system was running safely during all night (>18h).
>
> After enabling polling, it crashed within 5 minutes...
> With same backtrace.

To sum up, factors are:
. dummynet configured for outgoing packets seems to be needed;
. frequent changes of fxp flags, one can use link0 (setting promisc is
  not needed at all);
. kern.polling.enable=1.

I've prepared a static kernel for debugging, much better backtrace below. :)

Test setup:

ipfw pipe 100 config bw 512kbit/s queue 20KB mask src-ip 0xffffffff
ipfw add 100 pipe 100 ip from any to any out xmit wan0
(wan0 is renamed fxp0)

while [ 1 ]
do
    ifconfig $1 link0
    sleep 1
    ifconfig $1 -link0
    sleep 1
done

And ping -f from another box to speed things up. ;)
Fully reproducible for me within 10-20 minutes.

(kgdb) bt
#0  doadump () at pcpu.h:159
#1  0xc060c948 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:410
#2  0xc060cbc6 in panic (fmt=0xc081e7fd "m_copym, offset > size of mbuf chain")
    at /usr/src/sys/kern/kern_shutdown.c:566
#3  0xc063e500 in m_copym (m=0x0, off0=16380, len=5124, wait=1)
    at /usr/src/sys/kern/uipc_mbuf.c:385
#4  0xc0697780 in ip_fragment (ip=0xc13fa820, m_frag=0xc7aafc44, mtu=-1051870208,
    if_hwassist_flags=0, sw_csum=1) at /usr/src/sys/netinet/ip_output.c:974
#5  0xc0697405 in ip_output (m=0xc13ef700, opt=0xc13fa820, ro=0xc7aafc10, flags=0,
    imo=0x0, inp=0x0) at /usr/src/sys/netinet/ip_output.c:798
#6  0xc068b731 in transmit_event (pipe=0xc16e3d00)
    at /usr/src/sys/netinet/ip_dummynet.c:454
#7  0xc068bab4 in ready_event (q=0xc172e280)
    at /usr/src/sys/netinet/ip_dummynet.c:624
#8  0xc068c04b in dummynet (unused=0x0) at /usr/src/sys/netinet/ip_dummynet.c:779
#9  0xc0617b12 in softclock (dummy=0x0) at /usr/src/sys/kern/kern_timeout.c:279
#10 0xc05fb4b8 in ithread_loop (arg=0xc12b9500)
    at /usr/src/sys/kern/kern_intr.c:547
#11 0xc05fa92c in fork_exit (callout=0xc05fb394 , arg=0xc12b9500,
    frame=0xc7aafd48) at /usr/src/sys/kern/kern_fork.c:791
#12 0xc07a0a4c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:209

(kgdb) up 3
#3  0xc063e500 in m_copym (m=0x0, off0=16380, len=5124, wait=1)
    at /usr/src/sys/kern/uipc_mbuf.c:385
385                     KASSERT(m != NULL, ("m_copym, offset > size of mbuf chain"));
(kgdb) l
380             KASSERT(len >= 0, ("m_copym, negative len %d", len));
381             MBUF_CHECKSLEEP(wait);
382             if (off == 0 && m->m_flags & M_PKTHDR)
383                     copyhdr = 1;
384             while (off > 0) {
385                     KASSERT(m != NULL, ("m_copym, offset > size of mbuf chain"));
386                     if (off < m->m_len)
387                             break;
388                     off -= m->m_len;
389                     m = m->m_next;

(kgdb) up
#4  0xc0697780 in ip_fragment (ip=0xc13fa820, m_frag=0xc7aafc44, mtu=-1051870208,
    if_hwassist_flags=0, sw_csum=1) at /usr/src/sys/netinet/ip_output.c:974
974                     m->m_next = m_copy(m0, off, len);
(kgdb) l
969                             len = ip->ip_len - off;
970                             m->m_flags |= M_LASTFRAG;
971                     } else
972                             mhip->ip_off |= IP_MF;
973                     mhip->ip_len = htons((u_short)(len + mhlen));
974                     m->m_next = m_copy(m0, off, len);
975                     if (m->m_next == NULL) {        /* copy failed */
976                             m_free(m);
977                             error = ENOBUFS;        /* ??? */
978                             ipstat.ips_odropped++;

(kgdb) up
#5  0xc0697405 in ip_output (m=0xc13ef700, opt=0xc13fa820, ro=0xc7aafc10, flags=0,
    imo=0x0, inp=0x0) at /usr/src/sys/netinet/ip_output.c:798
798             error = ip_fragment(ip, &m, ifp->if_mtu, ifp->if_hwassist, sw_csum);
(kgdb) l
793              * Too large for interface; fragment if possible. If successful,
794              * on return, m will point to a list of packets to be sent.
795              */
796             /*if (ifp->if_mtu) {
797             }*/
798             error = ip_fragment(ip, &m, ifp->if_mtu, ifp->if_hwassist, sw_csum);
799             if (error)
800                     goto bad;
801             for (; m; m = m0) {
802                     m0 = m->m_nextpkt;

(kgdb) p *ifp
$3 = {if_softc = 0xc1475000, if_link = {tqe_next = 0xc143b800,
    tqe_prev = 0xc1461004}, if_xname = "lo0", '\0' ,
  if_dname = 0xc07f45e0 "lo", if_dunit = 0, if_addrhead = {
    tqh_first = 0xc14d0c00, tqh_last = 0xc1553260}, if_klist = {
    kl_lock = 0xc08db5a0, kl_list = {slh_first = 0x0}}, if_pcount = 0,
  if_carp = 0x0, if_bpf = 0x0, if_index = 3, if_timer = 0, if_nvlans = 0,
  if_flags = 32841, if_capabilities = 0, if_capenable = 0, if_linkmib = 0x0,
  if_linkmiblen = 0, if_data = {ifi_type = 24 '\030', ifi_physical = 0 '\0',
    ifi_addrlen = 0 '\0', ifi_hdrlen = 0 '\0', ifi_link_state = 0 '\0',
    ifi_recvquota = 0 '\0', ifi_xmitquota = 0 '\0', ifi_datalen = 80 'P',
    ifi_mtu = 16384, ifi_metric = 0, ifi_baudrate = 0, ifi_ipackets = 223,
    ifi_ierrors = 0, ifi_opackets = 223, ifi_oerrors = 0, ifi_collisions = 0,
    ifi_ibytes = 38240, ifi_obytes = 38240, ifi_imcasts = 0, ifi_omcasts = 0,
    ifi_iqdrops = 0, ifi_noproto = 0, ifi_hwassist = 0, ifi_epoch = 1,
    ifi_lastchange = {
      tv_sec = 1, tv_usec = 29757}}, if_multiaddrs = {tqh_first = 0xc151b3a0,
    tqh_last = 0xc151b0a0}, if_amcount = 0, if_output = 0xc0670efc ,
  if_input = 0, if_start = 0, if_ioctl = 0xc0671104 , if_watchdog = 0,
  if_init = 0, if_resolvemulti = 0, if_spare1 = 0x0, if_spare2 = 0x0,
  if_spare3 = 0x0, if_spare_flags1 = 0, if_spare_flags2 = 0, if_snd = {
    ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0, ifq_maxlen = 50,
    ifq_drops = 0, ifq_mtx = {
      mtx_object = {lo_class = 0xc0877e1c, lo_name = 0xc147500c "lo0",
        lo_type = 0xc082186a "if send queue", lo_flags = 196608, lo_list = {
          tqe_next = 0xc14d0c7c, tqe_prev = 0xc1475218},
        lo_witness = 0xc08e1680}, mtx_lock = 4, mtx_recurse = 0},
    ifq_drv_head = 0x0, ifq_drv_tail = 0x0, ifq_drv_len = 0,
    ifq_drv_maxlen = 0, altq_type = 0, altq_flags = 0, altq_disc = 0x0,
    altq_ifp = 0xc1475000, altq_enqueue = 0, altq_dequeue = 0,
    altq_request = 0, altq_clfier = 0x0, altq_classify = 0, altq_tbr = 0x0,
    altq_cdnr = 0x0}, if_broadcastaddr = 0x0, lltables = 0x0, if_label = 0x0,
  if_prefixhead = {tqh_first = 0x0, tqh_last = 0xc1475168}, if_afdata = {
    0x0 , 0xc1470c00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
  if_afdata_initialized = 1, if_afdata_mtx = {mtx_object = {
      lo_class = 0xc0877e1c, lo_name = 0xc082185a "if_afdata",
      lo_type = 0xc082185a "if_afdata", lo_flags = 196608, lo_list = {
        tqe_next = 0xc14750fc, tqe_prev = 0xc0880d20},
      lo_witness = 0xc08e16a8}, mtx_lock = 4, mtx_recurse = 0},
  if_starttask = {ta_link = {stqe_next = 0x0}, ta_pending = 0,
    ta_priority = 0, ta_func = 0xc066dc04 , ta_context = 0xc1475000}}

-- 
Paweł Małachowski
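
Added illustration, not part of the original message and not FreeBSD source: a userland C model of the offset walk shown in the m_copym listing (lines 384-389), returning an error at the point where the KASSERT fires. struct seg, build_chain, seek_offset, range_ok and the 8192-byte chain are constructed for this example; off=16380 and len=5124 are the values from frame #3.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for struct mbuf with only the two fields the walk reads. */
struct seg { struct seg *next; int len; };

/* Link n array elements into one chain, each holding `each` bytes. */
static void build_chain(struct seg *s, int n, int each)
{
    for (int i = 0; i < n; i++) {
        s[i].len = each;
        s[i].next = (i + 1 < n) ? &s[i + 1] : NULL;
    }
}

/* The walk from the listing, returning -1 where the KASSERT would fire. */
static int seek_offset(struct seg *m, int off, struct seg **hit, int *rem)
{
    if (off < 0)
        return -1;
    while (off > 0) {
        if (m == NULL)
            return -1;          /* offset > size of chain */
        if (off < m->len)
            break;
        off -= m->len;
        m = m->next;
    }
    *hit = m;                   /* NULL when off == chain length */
    *rem = off;
    return 0;
}

/* Caller-side check: does [off, off+len) lie inside the chain? */
static int range_ok(const struct seg *m, int off, int len)
{
    int total = 0;
    for (; m != NULL; m = m->next)
        total += m->len;
    return off >= 0 && len >= 0 && off <= total && len <= total - off;
}

int main(void)
{
    struct seg s[4], *hit; int rem;
    build_chain(s, 4, 2048);    /* constructed 8192-byte chain */
    printf("seek=%d range=%d\n", seek_offset(s, 16380, &hit, &rem), range_ok(s, 16380, 5124));
    return 0;
}
```

On a kernel built without INVARIANTS the KASSERT compiles away, so the same walk would go on to read m->m_len through a NULL pointer instead of panicking with a message.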