Message-Id: <200208162157.g7GLvMmf068131@www.freebsd.org>
Date: Fri, 16 Aug 2002 14:57:22 -0700 (PDT)
From: Kyrre Aalerud <kreature@c2i.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Copying files to filesystem causes "integer divide fault" and panic.
X-Send-Pr-Version: www-1.0

>Number:         41723
>Category:       kern
>Synopsis:       [2TB] on 1TB fs, copying files to filesystem causes "integer divide fault" and panic.
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 16 15:00:11 PDT 2002
>Closed-Date:    Mon Mar 26 20:27:02 GMT 2007
>Last-Modified:  Mon Mar 26 20:27:02 GMT 2007
>Originator:     Kyrre Aalerud
>Release:        FreeBSD 4.3 CVS'ed to 4.6-Stable
>Organization:
>Environment:
FreeBSD timmy 4.6-STABLE FreeBSD 4.6-STABLE #1: Fri Aug 16 22:36:52 CEST 2002     root@timmy:/usr/obj/usr/src/sys/timmy  i386

Running a custom kernel.  Nothing fancy added, just trimmed out device support not needed.
>Description:
Running a large Vinum raid-5 array (name: raid).
(5x 80 GB Maxtor IDE-disks.)
(Disks are master on own cable, each with their own IDE-port.)

Using complete vinum-volume as single ufs.  Parameters used were "newfs -v -U -b 65536 -f 8192 -g 256000000 -m 1% /dev/vinum/raid".
The -b and -f were ignored and a block/frag size of 8/1MB were somehow used. ???

When copying files to volume, system traps an integer divide fault.
(Happens regardless of soft updates-status.)
Happens when copying from network to disk via samba.
Error screen shows current process to be smbd.

Address c02193c7 where fault occurs reveals:
----------------
timmy# nm -n /kernel | grep c0219
c0219080 T ffs_valloc
c021923c t ffs_dirpref
c0219518 T ffs_blkpref
c021968c t ffs_hashalloc
c0219738 t ffs_fragextend
c0219968 t ffs_alloccg
c0219c2c t ffs_alloccgblk
----------------

>How-To-Repeat:
Running a large fs possibly on vinum raid-5 array.
Copying large amounts of data to the samba-share via network.

>Fix:
      none known...
>Release-Note:
>Audit-Trail:

From: "Tha KreAture" <Tha_KreAture@hotmail.com>
To: <freebsd-gnats-submit@FreeBSD.org>, <kreature@c2i.net>
Cc:  
Subject: Re: i386/41723: Copying files to filesystem causes "integer divide fault" and panic.
Date: Sat, 17 Aug 2002 14:15:46 +0200

 OK.  I did a recompile of my kernel and added dumping...
 
 Here's the output of the backtrace:
 ---------------------------
 (kgdb) bt
 #0  dumpsys () at /usr/src/sys/kern/kern_shutdown.c:487
 #1  0xc0165adc in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:316
 #2  0xc0165f10 in poweroff_wait (junk=0xc029980c, howto=-1071017206)
     at /usr/src/sys/kern/kern_shutdown.c:595
 #3  0xc0261e27 in trap_fatal (frame=0xd0936c4c, eva=0)
     at /usr/src/sys/i386/i386/trap.c:974
 #4  0xc0261803 in trap (frame={tf_fs = 16, tf_es = -795672560,
       tf_ds = -1051328496, tf_edi = -795644108, tf_esi = 0,
       tf_ebp = -795644740, tf_isp = -795644808, tf_ebx = -1051308032,
       tf_edx = -1, tf_ecx = -1310720000, tf_eax = -1310720000, tf_trapno = 18,
       tf_err = 0, tf_eip = -1071541209, tf_cs = 8, tf_eflags = 66182,
       tf_esp = -1050202880, tf_ss = -1051308032})
     at /usr/src/sys/i386/i386/trap.c:636
 #5  0xc0219427 in ffs_dirpref (pip=0xc1672d00)
     at /usr/src/sys/ufs/ffs/ffs_alloc.c:710
 #6  0xc021911d in ffs_valloc (pvp=0xd094f540, mode=16877, cred=0xc167de80,
     vpp=0xd0936d10) at /usr/src/sys/ufs/ffs/ffs_alloc.c:590
 #7  0xc022b50d in ufs_mkdir (ap=0xd0936e78)
     at /usr/src/sys/ufs/ufs/ufs_vnops.c:1321
 #8  0xc022c6a1 in ufs_vnoperate (ap=0xd0936e78)
     at /usr/src/sys/ufs/ufs/ufs_vnops.c:2422
 #9  0xc01995ce in mkdir (p=0xcf2590c0, uap=0xd0936f80) at vnode_if.h:674
 #10 0xc026208d in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47,
 --------------------
 
 #5 is interesting...
 
 The funky stuff is happening at line 710 in sourcefile ffs_alloc.c which, if
 I have read correctly, is trying to find/select an inode for a directory or
 file or something...
 So, this line is causing me all these problems:        "maxcontigdirs = min(cgsize / dirsize, 255);"
 
 It appears the crash happens when a directory is made or a file is being
 placed...
 
 Hoping someone experienced with the code could check this?  I am certain I
 traced this right :-)
 
     Kyrre

From: "Tha KreAture" <Tha_KreAture@hotmail.com>
To: <freebsd-gnats-submit@FreeBSD.org>, <kreature@c2i.net>
Cc:  
Subject: Re: i386/41723: Copying files to filesystem causes "integer divide fault" and panic.
Date: Sat, 17 Aug 2002 16:11:53 +0200

 OK, the problem seems to be that one of the variables in the calculation has
 overflowed.
 When used in the calculation it causes the "integer divide fault".
 
 Possible solution:
 
 I'm testing if a change of the variables involved to long will fix this.
 It is definitely caused by the avgfilesize setting.  If it's high it will
 wrap when multiplied with the fs_avgfpdir value.
 If we assume the average files per directory is 64, we see that a setting of
 67108864 or higher for average file size, will overflow the int.  I was
 using 256000000 which is 188891136 too much.
 
 I think ALL variables in this section (and the rest of the filesystem
 source) should all be long or similar.
 
     Kyrre

From: "Tha KreAture" <Tha_KreAture@hotmail.com>
To: <freebsd-gnats-submit@FreeBSD.org>, <kreature@c2i.net>
Cc:  
Subject: Re: i386/41723: Copying files to filesystem causes "integer divide fault" and panic.
Date: Sun, 18 Aug 2002 02:57:51 +0200

 Well.  It looks like a change from int to long was enough.  Now the system
 is acting fine.
 
 I understand this is one of the things already fixed in 5.0 ?
 
 It turned out the 8/1 MB block thing was windows lying on the samba share.
 The blocksize specified was used.
 
     Kyrre

From: Bruce Evans <bde@zeta.org.au>
To: Tha KreAture <Tha_KreAture@hotmail.com>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: i386/41723: Copying files to filesystem causes "integer divide
 fault" and panic.
Date: Mon, 19 Aug 2002 05:52:11 +1000 (EST)

 On Sat, 17 Aug 2002, Tha KreAture wrote:
 
 >  Well.  It looks like a change from int to long was enough.  Now the system
 >  is acting fine.
 
 Er, int is the same as long on i386's.
 
 >  I understand this is one of the things already fixed in 5.0 ?
 
 I don't know if this particular bug was fixed.  Some similar bugs were
 probably fixed without really noticing by changing int and long typedefed
 types to int64_t.  int64_t really is longer than int on i386's :-).
 
 Bruce
 

From: "Tha KreAture" <Tha_KreAture@hotmail.com>
To: <freebsd-gnats-submit@FreeBSD.org>, <kreature@c2i.net>
Cc:  
Subject: Re: i386/41723: Copying files to filesystem causes "integer divide fault" and panic.
Date: Sun, 18 Aug 2002 23:40:46 +0200

 Ahh I see.
 
 Well, then something is afoot.  It may be some emulator or compiler option I
 am using then, that allowed 'long' to deal with the numbers 'int' didn't.
 ???
 
 Anyway:  int was 32 bit and the sum of the calculations could well be too
 large.
 I agree that int64_t is a safer and more precise solution because it is not
 subject to platform differences.
 
 I still believe a check should be added in the system to make sure it won't
 allow values of avg file size and files per dir to result in overflows when
 multiplied.  There are other similar calculations all through ffs that
 really need to be addressed.
 
 It's also ridiculous that newfs will segfault if you give it a blocksize
 larger than 65536, but that is a different matter.
 (and probably is already, or will be fixed.)
 
     Kyrre

From: Aaron Smith <aaron@mutex.org>
To: freebsd-gnats-submit@FreeBSD.org, kreature@c2i.net,
	freebsd-misuser@dcf77-zeit.netscum.dyndns.dk, bright@mu.org
Cc:  
Subject: Re: i386/41723: Copying files to filesystem causes "integer divide fault" and panic.
Date: Tue, 27 May 2003 20:13:54 -0700

 [apologies for the long URL]
 
 http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&threadm=200205261326.g4QDQrC00472%40beerswilling.netscum.dyndns.dk&rnum=1&prev=/groups%3Fq%3Dffs_dirpref%2Bdivide%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26safe%3Doff%26selm%3D200205261326.g4QDQrC00472%2540beerswilling.netscum.dyndns.dk%26rnum%3D1
 
 As indicated in this thread, there is an overflow problem in ffs_dirpref
 for large filesystems. The symptom is an integer divide-by-zero exception
 at ffs_dirpref+0x1e8 (at least on a recent -CURRENT). This bug has been
 around for a year plus. Who else has seen this, and is anyone working on it
 before I do? It looks like it would reliably happen on any large FS for
 which you increase the average file size.
 
 I'm going to go through and change some types to int64_t and see if I can
 get this to stop panicking on my 1TB filesystem. Any advice that would lead
 to less hassle would be much appreciated.
 
 --Aaron
State-Changed-From-To: open->feedback 
State-Changed-By: linimon 
State-Changed-When: Sun Sep 12 21:55:15 GMT 2004 
State-Changed-Why:  
Is this still a problem on recent versions of FreeBSD? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=41723 
State-Changed-From-To: feedback->open 
State-Changed-By: linimon 
State-Changed-When: Wed Mar 9 20:42:05 GMT 2005 
State-Changed-Why:  
Submitter states that this is still a problem. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=41723 

From: dpk <dpk@dpk.net>
To: freebsd-gnats-submit@freebsd.org, kreature@c2i.net
Cc:  
Subject: Re: kern/41723: [2TB] on 1TB fs, copying files to filesystem causes
 "integer divide fault" and panic.
Date: Wed, 9 Mar 2005 13:08:51 -0800 (PST)

 In answer to the above question: This bug still affects the latest version
 of FreeBSD, 5.3-RELEASE. Unfortunately I cannot obtain a core dump due to
 a separate bug involving a miscalculation of the dumpdev size. However,
 the backtrace is pretty similar -- the bug is still in ffs_dirpref:
 
         maxcontigdirs = min((avgbfree * fs->fs_bsize) / dirsize, 255);
 
 The above are still 32-bit ints, so I expect that it is probably still
 where the bug comes up.

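Added illustration (constructed code, not FreeBSD's ffs_alloc.c) of the overflow Kyrre worked out above and of the 32-bit division dpk quotes: the dirsize product as the 4.x kernel computed it, beside an int64_t version with the range check the submitter asked for. Field names echo struct fs (fs_avgfilesize, fs_avgfpdir); the cgsize values are made up.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not FreeBSD source: models the dirsize product
 * from ffs_dirpref() in the 32-bit form the 4.x kernel used, and in an
 * int64_t form with the range check the submitter asked for. */

/* 32-bit product as the kernel computed it. The wrap is done on
 * uint32_t so it stays defined behaviour in C, then reinterpreted as
 * the signed int the kernel stored it in. */
int32_t dirsize32(int32_t avgfilesize, int32_t avgfpdir)
{
    uint32_t wrapped = (uint32_t)avgfilesize * (uint32_t)avgfpdir;
    return (int32_t)wrapped;
}

/* int64_t version: returns min(cgsize / dirsize, 255), or -1 when the
 * product would wrap a 32-bit int or the divisor would be zero, the
 * case the kernel turned into a divide fault. */
int32_t maxcontigdirs_checked(int64_t cgsize, int32_t avgfilesize,
                              int32_t avgfpdir)
{
    int64_t dirsize = (int64_t)avgfilesize * (int64_t)avgfpdir;

    if (avgfilesize <= 0 || avgfpdir <= 0 || dirsize > INT32_MAX)
        return -1;      /* reject the newfs -g/-h combination up front */
    int64_t q = cgsize / dirsize;
    return (q < 255) ? (int32_t)q : 255;
}

int main(void)
{
    /* Submitter's newfs -g 256000000 with 64 files per directory: wraps negative */
    printf("256000000 * 64 as int32 = %d\n", dirsize32(256000000, 64));
    /* Boundary the submitter computed: 67108864 * 64 == 2^32, wraps to 0 */
    printf("67108864 * 64 as int32 = %d\n", dirsize32(67108864, 64));
    /* Same inputs through the checked path on a constructed 1 GiB cgsize */
    printf("checked (256000000, 64): %d\n",
           maxcontigdirs_checked(1LL << 30, 256000000, 64));
    /* A small, constructed avgfilesize (16384) goes through normally */
    printf("checked (16384, 64): %d\n",
           maxcontigdirs_checked(1LL << 30, 16384, 64));
    return 0;
}
```
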
From: Harrison Grundy <astrodog@gmail.com>
To: bug-followup@FreeBSD.org,  kreature@c2i.net
Cc:  
Subject: Re: kern/41723: [2TB] on 1TB fs, copying files to filesystem causes
 "integer divide fault" and panic.
Date: Wed, 21 Mar 2007 23:09:17 -0500

 Does this still occur?
 
 I have been unable to reproduce it, thus far.
State-Changed-From-To: open->closed 
State-Changed-By: remko 
State-Changed-When: Mon Mar 26 20:26:59 UTC 2007 
State-Changed-Why:  
feedback timeout, please poke me when you have feedback please. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=41723 
>Unformatted:
