From rizzo@iguana.icir.org  Fri Jul 12 15:38:36 2002
Return-Path: <rizzo@iguana.icir.org>
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5675337B401
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 12 Jul 2002 15:38:36 -0700 (PDT)
Received: from iguana.icir.org (iguana.icir.org [192.150.187.36])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 657B64497C
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 12 Jul 2002 15:34:41 -0700 (PDT)
	(envelope-from rizzo@iguana.icir.org)
Received: (from rizzo@localhost)
	by iguana.icir.org (8.11.6/8.11.3) id g6CMWrf56608;
	Fri, 12 Jul 2002 15:32:53 -0700 (PDT)
	(envelope-from rizzo)
Message-Id: <20020712153253.B56366@iguana.icir.org>
Date: Fri, 12 Jul 2002 15:32:53 -0700
From: Luigi Rizzo <luigi@freebsd.org>
To: Dmitry Morozovsky <marck@rinet.ru>
Cc: FreeBSD-gnats-submit@freebsd.org, noc@rinet.ru
In-Reply-To: <200207122214.g6CME7X95209@woozle.rinet.ru>; from marck@rinet.ru on Sat, Jul 13, 2002 at 02:14:07AM +0400
Subject: Re: RELENG_4 after 09.07.2002 luigi's commit to ipfw and companion kernel crashes
References: <200207122214.g6CME7X95209@woozle.rinet.ru>

>Number:         40509
>Category:       kern
>Synopsis:       Re: RELENG_4 after 09.07.2002 luigi's commit to ipfw and companion kernel crashes
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 12 15:40:27 PDT 2002
>Closed-Date:    Sat Jul 13 14:52:40 PDT 2002
>Last-Modified:  Sat Jul 13 14:52:40 PDT 2002
>Originator:     
>Release:        
>Organization:
>Environment:
>Description:
 Thanks for the report, just committed a fix -- both on RELENG_4
 (which was ok before the 09.07.2002 commit) and HEAD (which
 has always been broken).
 
 	cheers
 	luigi
 
 On Sat, Jul 13, 2002 at 02:14:07AM +0400, Dmitry Morozovsky wrote:
 > 
 > >Submitter-Id:	current-users
 > >Originator:	Dmitry Morozovsky 
 > >Organization:	Cronyx Plus LLC (RiNet ISP)
 > >Confidential:	no
 > >Synopsis:	RELENG_4 after 09.07.2002 luigi's commit to ipfw and companion kernel crashes
 > >Severity:	critical 
 > >Priority:	high 
 > >Category:	kern
 > >Class:		sw-bug 
 > >Release:	FreeBSD 4-STABLE i386
 > >Environment:
 > System: FreeBSD donkey.rinet.ru 4.6-STABLE FreeBSD 4.6-STABLE #1: Fri Jul 12 23:29:37 MSD 2002     root@:/var/obj/lh/src/sys/gwfn  i386
 > 
 > 
 > >Description:
 > 	After luigi's commit at 09.07.2002 to src/sys/net{,inet} (RELENG_4)
 > the kernel now crashes if dummynet shaping is configured, at least on
 > virtually any multicast packet.
 > 
 > 
 > 
 > kernel traceback follows:
 > 
 > Fatal trap 12: page fault while in kernel mode
 > fault virtual address   = 0x40
 > fault code              = supervisor read, page not present
 > instruction pointer     = 0x8:0xc019304c
 > stack pointer           = 0x10:0xc9fdfe50
 > frame pointer           = 0x10:0xc9fdfef0
 > code segment            = base 0x0, limit 0xfffff, type 0x1b
 >                         = DPL 0, pres 1, def32 1, gran 1
 > processor eflags        = interrupt enabled, resume, IOPL = 0
 > current process         = 423 (tcsh)
 > interrupt mask          = net 
 > trap number             = 12
 > panic: page fault
 > 
 > syncing disks... 9 2 1 1 
 > done
 > Uptime: 2h29m59s
 > 
 > dumping to dev #ad/0x20001, offset 917504
 > dump ata0: resetting devices .. ata0: mask=03 ostat0=50 ostat2=00
 > ad0: ATAPI 00 00
 > ata0-slave: ATAPI 00 00
 > ata0: mask=03 stat0=50 stat1=00
 > ad0: ATA 01 a5
 > ata0: devices=01
 > ad0: success setting PIO4 on generic chip
 > done
 > 64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 
 > ---
 > #0  dumpsys () at /lh/src/sys/kern/kern_shutdown.c:487
 > 487             if (dumping++) {
 > (kgdb) bt
 > #0  dumpsys () at /lh/src/sys/kern/kern_shutdown.c:487
 > #1  0xc0143e71 in boot (howto=256) at /lh/src/sys/kern/kern_shutdown.c:316
 > #2  0xc0144298 in poweroff_wait (junk=0xc021538c, howto=-1071558993) at /lh/src/sys/kern/kern_shutdown.c:595
 > #3  0xc01ebff2 in trap_fatal (frame=0xc9fdfe10, eva=64) at /lh/src/sys/i386/i386/trap.c:974
 > #4  0xc01ebcd1 in trap_pfault (frame=0xc9fdfe10, usermode=0, eva=64) at /lh/src/sys/i386/i386/trap.c:867
 > #5  0xc01eb8c3 in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16, tf_edi = 0, tf_esi = -1067717632, tf_ebp = -906101008, 
 >       tf_isp = -906101188, tf_ebx = 0, tf_edx = -1067717408, tf_ecx = -1014144340, tf_eax = 0, tf_trapno = 12, tf_err = 0, 
 >       tf_eip = -1072091060, tf_cs = 8, tf_eflags = 66070, tf_esp = -1014144384, tf_ss = 0}) at /lh/src/sys/i386/i386/trap.c:466
 > #6  0xc019304c in ip_output (m0=0xc05bec00, opt=0x0, ro=0xc38d62ac, flags=34, imo=0x0) at /lh/src/sys/netinet/ip_output.c:189
 > #7  0xc0189b16 in transmit_event (pipe=0xc37a4f00) at /lh/src/sys/netinet/ip_dummynet.c:425
 > #8  0xc0189dc3 in ready_event (q=0xc372ea80) at /lh/src/sys/netinet/ip_dummynet.c:577
 > #9  0xc018a234 in dummynet (unused=0x0) at /lh/src/sys/netinet/ip_dummynet.c:730
 > #10 0xc0149c72 in softclock () at /lh/src/sys/kern/kern_timeout.c:131
 > #11 0xc01e17b3 in doreti_swi ()
 > #12 0x8072359 in ?? ()
 > #13 0x805bf4d in ?? ()
 > #14 0x805bb81 in ?? ()
 > #15 0x8059156 in ?? ()
 > #16 0x804a645 in ?? ()
 > #17 0x8049a6a in ?? ()
 > #18 0x8048137 in ?? ()
 > 
 > #6  0xc019304c in ip_output (m0=0xc05bec00, opt=0x0, ro=0xc38d62ac, flags=34, imo=0x0) at /lh/src/sys/netinet/ip_output.c:189
 > 189                     ia = ifatoia(ro->ro_rt->rt_ifa);
 > (kgdb) l
 > 184             (void)ipsec_setsocket(m, NULL);
 > 185     #endif
 > 186             if (args.rule != NULL) {        /* dummynet already saw us */
 > 187                     ip = mtod(m, struct ip *);
 > 188                     hlen = IP_VHL_HL(ip->ip_vhl) << 2 ;
 > 189                     ia = ifatoia(ro->ro_rt->rt_ifa);
 > 190                     goto sendit;
 > 191             }
 > 192
 > 193             if (opt) {
 > 
 > (kgdb) up
 > #7  0xc0189b16 in transmit_event (pipe=0xc37a4f00) at /lh/src/sys/netinet/ip_dummynet.c:425
 > 425                 (void)ip_output((struct mbuf *)pkt, NULL, NULL, 0, NULL);
 > (kgdb) l
 > 420              * The block IS FREED HERE because it contains parameters passed
 > 421              * to the called routine.
 > 422              */
 > 423             switch (pkt->dn_dir) {
 > 424             case DN_TO_IP_OUT:
 > 425                 (void)ip_output((struct mbuf *)pkt, NULL, NULL, 0, NULL);
 > 426                 rt_unref (pkt->ro.ro_rt) ;
 > 427                 break ;
 > 428
 > 429             case DN_TO_IP_IN :
 > (kgdb) p *pkt
 > $1 = {hdr = {mh_next = 0xc05bec00, mh_nextpkt = 0x0, mh_data = 0x0, mh_len = 0, mh_type = 13, mh_flags = 15}, rule = 0xc3878d00, 
 >   dn_dir = 1, output_time = 8994965, ifp = 0xc35c2c00, dn_dst = 0xc38d62b0, ro = {ro_rt = 0x0, ro_dst = {sa_len = 16 '\020', 
 >       sa_family = 2 '\002', sa_data = "\000\000\000\000\004\000\000\000\000\000\000\000"}}, flags = 34}
 > (kgdb) up
 > #8  0xc0189dc3 in ready_event (q=0xc372ea80) at /lh/src/sys/netinet/ip_dummynet.c:577
 > 577             transmit_event(p);
 > (kgdb) l
 > 572         /*
 > 573          * If the delay line was empty call transmit_event(p) now.
 > 574          * Otherwise, the scheduler will take care of it.
 > 575          */
 > 576         if (p_was_empty)
 > 577             transmit_event(p);
 > 578     }
 > 579
 > 580     /*
 > 581      * Called when we can transmit packets on WF2Q queues. Take pkts out of
 > (kgdb) p *p
 > $2 = {next = 0x0, pipe_nr = 1, bandwidth = 64000, delay = 0, head = 0x0, tail = 0xc38d6280, scheduler_heap = {size = 0, elements = 0, 
 >     offset = 0, p = 0x0}, not_eligible_heap = {size = 0, elements = 0, offset = 0, p = 0x0}, idle_heap = {size = 0, elements = 0, 
 >     offset = 84, p = 0x0}, V = 0, sum = 0, numbytes = 0, sched_time = 0, if_name = '\000' <repeats 15 times>, ifp = 0x0, ready = 0, 
 >   fs = {next = 0x0, fs_nr = 0, flags_fs = 9, pipe = 0xc37a4f00, parent_nr = 0, weight = 0, qsize = 8192, plr = 0, flow_mask = {
 >       dst_ip = 0, src_ip = 4294967295, dst_port = 0, src_port = 0, proto = 0 '\000', flags = 0 '\000'}, rq_size = 64, rq_elements = 5, 
 >     rq = 0xc362d600, last_expired = 0, backlogged = 0, w_q = 0, max_th = 0, min_th = 0, max_p = 0, c_1 = 0, c_2 = 0, c_3 = 0, c_4 = 0, 
 >     w_q_lookup = 0x0, lookup_depth = 0, lookup_step = 0, lookup_weight = 0, avg_pkt_size = 0, max_pkt_size = 0}}
 > 
 > 
 > 
 > >How-To-Repeat:
 > 
 > build and run kernel with IPFIREWALL & DUMMYNET & MROUTING
 > 
 > add pipe rule:
 > 
 > ipfw pipe 1 config bw  64Kbit/s queue   8Kbytes mask src-ip 0xffffffff
 > ipfw add 10 pipe 1 ip from any to any via ed0
 > 
 > run mrouted
 > 
 > 
 > >Fix:
 > 
 > Don't know yet. Hopefully Luigi knows ;-P
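 The trace above pins the crash down to one fact: the dn_pkt that
 transmit_event() hands back to ip_output() carries ro.ro_rt = 0x0, and
 the "dummynet already saw us" branch at ip_output.c:189 dereferences
 ro->ro_rt->rt_ifa without checking it, so the kernel reads address 0x40
 (the offset of rt_ifa inside struct rtentry on that kernel, which is why
 the trap reports fault virtual address = 0x40). The following user-space
 model is an added example, not FreeBSD code and not the fix Luigi
 committed: the struct names mirror the ones in the trace, but the
 layouts, the DN_TO_IP_OUT value, the "ed0" sample ifaddr and every
 function name are assumptions made for illustration. rt_ifa is placed at
 offset 0x40 by construction so the model faults where the report does;
 the guarded variant shows the check the unguarded path lacks, turning a
 NULL cached route into a dropped packet instead of a panic.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for the kernel structures named in
 * the trace.  Real FreeBSD layouts are NOT reproduced (assumption). */
struct ifaddr {
    char ifa_name[16];
};

struct rtentry {
    unsigned char rt_opaque[0x40];   /* assumption: fields not modelled here */
    struct ifaddr *rt_ifa;           /* lands at offset 0x40 by construction */
};

struct route {
    struct rtentry *ro_rt;           /* cached route; NULL when there is none */
};

/* Model of the dummynet packet header; only the fields visible in the
 * kgdb dump (rule, dn_dir, ro) are kept.  DN_TO_IP_OUT value assumed. */
#define DN_TO_IP_OUT 1
struct dn_pkt {
    void *rule;          /* non-NULL means "dummynet already saw us" */
    int dn_dir;
    struct route ro;
};

/* Address a NULL ro_rt makes "ia = ifatoia(ro->ro_rt->rt_ifa);" read:
 * the offset of rt_ifa, i.e. 0x40 in this model as in the trap frame. */
size_t fault_address_for_null_route(void)
{
    return offsetof(struct rtentry, rt_ifa);
}

/* Unguarded variant: the shape of the faulting line in the trace.
 * With ro->ro_rt == NULL this reads address 0x40 and faults. */
const struct ifaddr *ifa_from_route_unchecked(const struct route *ro)
{
    return ro->ro_rt->rt_ifa;
}

/* Guarded variant: a missing cached route makes the packet unroutable
 * rather than trusted.  Returns 0 and sets *ia, or an errno value. */
int ifa_from_route_checked(const struct route *ro, const struct ifaddr **ia)
{
    *ia = NULL;
    if (ro == NULL || ro->ro_rt == NULL || ro->ro_rt->rt_ifa == NULL)
        return EHOSTUNREACH;
    *ia = ro->ro_rt->rt_ifa;
    return 0;
}

/* Model of transmit_event()'s DN_TO_IP_OUT case re-injecting a delayed
 * packet: the packet's own struct route is what was NULL in the dump. */
int reinject_checked(const struct dn_pkt *pkt, const struct ifaddr **ia)
{
    *ia = NULL;
    if (pkt->dn_dir != DN_TO_IP_OUT || pkt->rule == NULL)
        return EINVAL;          /* not a dummynet re-injection */
    return ifa_from_route_checked(&pkt->ro, ia);
}

/* Constructed samples: a packet with a cached route to "ed0" and the
 * report's case with ro_rt = 0x0.  Returns the guarded path's result. */
int demo_result(int with_route)
{
    static struct ifaddr ed0 = { "ed0" };
    static struct rtentry rt = { {0}, &ed0 };
    static int dummy_rule;
    const struct ifaddr *ia;
    struct dn_pkt pkt = { &dummy_rule, DN_TO_IP_OUT, { with_route ? &rt : NULL } };
    int err = reinject_checked(&pkt, &ia);
    if (err == 0 && (ia == NULL || strcmp(ia->ifa_name, "ed0") != 0))
        return -1;              /* success without a usable ifa: must not happen */
    return err;
}

int main(void)
{
    printf("NULL ro_rt would fault at 0x%zx\n", fault_address_for_null_route());
    printf("routed packet:   err=%d\n", demo_result(1));
    printf("unrouted packet: err=%d (%s)\n", demo_result(0), strerror(demo_result(0)));
    return 0;
}
```

 The point for anyone auditing a similar re-injection path: a cached
 route stored in a queued packet is untrusted input to the code that
 consumes it later, because the path that queued the packet (here a
 multicast packet that never had a route) need not have populated it.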
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: keramida 
State-Changed-When: Sat Jul 13 14:52:00 PDT 2002 
State-Changed-Why:  
Followup to (closed PR) kern/40508 misfiled as a new PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=40509 
>Unformatted:
