Date:      Fri, 6 Apr 2007 14:42:00 -0400
From:      Kris Kennaway <kris@obsecurity.org>
To:        Tom Judge <tom@tomjudge.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Repeatable crash with mkdir causing a divide by zero error
Message-ID:  <20070406184200.GA62383@xor.obsecurity.org>
In-Reply-To: <46161B62.4070505@tomjudge.com>
References:  <46161B62.4070505@tomjudge.com>


--sm4nu43k4a2Rpi4c
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Apr 06, 2007 at 11:05:22AM +0100, Tom Judge wrote:
> Hi,
> 
> I have seen some problems with a new file system that I created
> yesterday, in that I could repeatedly get the system to crash with a
> mkdir.
> 
> Here is the disk information:
> mfid1: <MFI Logical Disk> on mfi1
> mfid1: 5716992MB (11708399616 sectors) RAID volume 'Images' is optimal
> 
> I created a new file system tuned for 64k blocks, an average file size
> of 1Mb, and 2500 files per directory.
> 
> newfs -b 65535 -g 1048576 -h 2500 /dev/mfid1p1
> mount /dev/mfid1p1 /compere
> mkdir /compere/images
> mkdir /compere/images/1999
> 
> (Also tested with mkdir test; mkdir test/1998)
> 
> The system is an amd64 system running 6.2-RELEASE and the pmap.c patch.
> I have 3 cores caused by 3 different apps (rsync, gmkdir, mkdir) and
> can provide any more information if required.  I have attached a back
> trace; unfortunately I cannot do any testing as the system is now in
> testing (newfs -b 65535 -g 1048576 /dev/mfid1p1 was used and seems not
> to cause the bug).

This might be simple to fix, but please file a PR if it does not get
picked up by someone on this list.

Kris

> 
> 
> kgdb /usr/obj/usr/src/sys/PE2950/kernel.debug /var/crash/vmcore.2
> [GDB will not be able to debug user-mode threads:
> /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "amd64-marcel-freebsd".
> 
> Unread portion of the kernel message buffer:
> 
> 
> Fatal trap 18: integer divide fault while in kernel mode
> cpuid = 0; apic id = 00
> instruction pointer     = 0x8:0xffffffff80391347
> stack pointer           = 0x10:0xffffffffa78736f0
> frame pointer           = 0x10:0xffffff0001d7a600
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, long 1, def32 0, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 1206 (mkdir)
> trap number             = 18
> panic: integer divide fault
> cpuid = 0
> Uptime: 4m29s
> Dumping 1023 MB (2 chunks)
>   chunk 0: 1MB (156 pages) ... ok
>   chunk 1: 1023MB (261800 pages) 1007 991 975 959 943 927 911 895 879
> 863 847 831 815 799 783 767 751 735 719 703 687 671 655 639 623 607 591
> 575 559 543 527 511 495 479 463 447 431 415 399 383 367 351 335 319 303
> 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15
> 
> #0  doadump () at pcpu.h:172
> 172     pcpu.h: No such file or directory.
>         in pcpu.h
> (kgdb) bt
> #0  doadump () at pcpu.h:172
> #1  0x0000000000000004 in ?? ()
> #2  0xffffffff8029a557 in boot (howto=260) at
> /usr/src/sys/kern/kern_shutdown.c:409
> #3  0xffffffff8029abf1 in panic (fmt=0xffffff0029753000 "X?/") at
> /usr/src/sys/kern/kern_shutdown.c:565
> #4  0xffffffff803f62ff in trap_fatal (frame=0xffffff0029753000,
> eva=18446742974994109272) at /usr/src/sys/amd64/amd64/trap.c:660
> #5  0xffffffff803f67a2 in trap (frame=
>       {tf_rdi = 0, tf_rsi = 0, tf_rdx = 0, tf_rcx = 1951858688, tf_r8 =
> 2500, tf_r9 = 2975, tf_rax = 1951858688, tf_rbx = -2050457600, tf_rbp =
> -1099480717824, tf_r10 = 246016, tf_r11 = 184512, tf_r12 =
> -1098707543808, tf_r13 = 246015, tf_r14 = -2050457600, tf_r15 = 255,
> tf_trapno = 18, tf_addr = 0, tf_flags = 2147483648012, tf_err = 0,
> tf_rip = -2143743161, tf_cs = 8, tf_rflags = 66182, tf_rsp =
> -1484310784, tf_ss = 16}) at /usr/src/sys/amd64/amd64/trap.c:469
> #6  0xffffffff803e1a6b in calltrap () at
> /usr/src/sys/amd64/amd64/exception.S:168
> #7  0xffffffff80391347 in ffs_valloc (pvp=0xffffff002f24d7c0,
> mode=16877, cred=0x0, vpp=0xffffffffa7873798) at libkern.h:56
> #8  0xffffffff803b8a5e in ufs_mkdir (ap=0xffffffffa78739a0) at
> /usr/src/sys/ufs/ufs/ufs_vnops.c:1386
> #9  0xffffffff8043b355 in VOP_MKDIR_APV (vop=0x74570000,
> a=0xffffffffa78739a0) at vnode_if.c:1251
> #10 0xffffffff80310e19 in kern_mkdir (td=0xffffff002f24d7c0,
> path=0xffffff003dabe400 "", segflg=4, mode=511) at vnode_if.h:653
> #11 0xffffffff803f7151 in syscall (frame=
>       {tf_rdi = 140737488348678, tf_rsi = 511, tf_rdx = 4294967295,
> tf_rcx = 1, tf_r8 = 0, tf_r9 = 140737488347272, tf_rax = 136, tf_rbx =
> 2, tf_rbp = 140737488348024, tf_r10 = 4294967295, tf_r11 = 582, tf_r12 =
> 140737488348678, tf_r13 = 140737488348008, tf_r14 = 0, tf_r15 = 0,
> tf_trapno = 12, tf_addr = 34367037072, tf_flags = 0, tf_err = 2, tf_rip
> = 34367037084, tf_cs = 43, tf_rflags = 518, tf_rsp = 140737488347720,
> tf_ss = 35})
>     at /usr/src/sys/amd64/amd64/trap.c:792
> #12 0xffffffff803e1c08 in Xfast_syscall () at
> /usr/src/sys/amd64/amd64/exception.S:270
> #13 0x00000008006f5e9c in ?? ()
> Previous frame inner to this frame (corrupt stack?)
> (kgdb) frame 7
> #7  0xffffffff80391347 in ffs_valloc (pvp=0xffffff002f24d7c0,
> mode=16877, cred=0x0, vpp=0xffffffffa7873798) at libkern.h:56
> 56      static __inline u_int min(u_int a, u_int b) { return (a < b ? a : b); }
> (kgdb) list
> 51      static __inline int imax(int a, int b) { return (a > b ? a : b); }
> 52      static __inline int imin(int a, int b) { return (a < b ? a : b); }
> 53      static __inline long lmax(long a, long b) { return (a > b ? a : b); }
> 54      static __inline long lmin(long a, long b) { return (a < b ? a : b); }
> 55      static __inline u_int max(u_int a, u_int b) { return (a > b ? a : b); }
> 56      static __inline u_int min(u_int a, u_int b) { return (a < b ? a : b); }
> 57      static __inline quad_t qmax(quad_t a, quad_t b) { return (a > b ? a : b); }
> 58      static __inline quad_t qmin(quad_t a, quad_t b) { return (a < b ? a : b); }
> 59      static __inline u_long ulmax(u_long a, u_long b) { return (a > b ? a : b); }
> 60      static __inline u_long ulmin(u_long a, u_long b) { return (a < b ? a : b); }
> (kgdb) frame 8
> #8  0xffffffff803b8a5e in ufs_mkdir (ap=0xffffffffa78739a0) at
> /usr/src/sys/ufs/ufs/ufs_vnops.c:1386
> 1386            error = UFS_VALLOC(dvp, dmode, cnp->cn_cred, &tvp);
> (kgdb) list
> 1381            /*
> 1382             * Must simulate part of ufs_makeinode here to acquire the inode,
> 1383             * but not have it entered in the parent directory. The entry is
> 1384             * made later after writing "." and ".." entries.
> 1385             */
> 1386            error = UFS_VALLOC(dvp, dmode, cnp->cn_cred, &tvp);
> 1387            if (error)
> 1388                    goto out;
> 1389            ip = VTOI(tvp);
> 1390            ip->i_gid = dp->i_gid;
> (kgdb)

--sm4nu43k4a2Rpi4c
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFGFpR4Wry0BWjoQKURAv4mAKCJbuC3VqgYrJ0BZ4YvPEcDOD5wOgCg2yCw
jk0LOG7L1QmSu3GjO8L0hds=
=KD4L
-----END PGP SIGNATURE-----

--sm4nu43k4a2Rpi4c--


