kern/88803: if_bridge + vlan + ipfw (or PF) panic

Csaba Urban ucsaba at freemail.hu
Thu Nov 10 10:20:17 PST 2005


>Number:         88803
>Category:       kern
>Synopsis:       if_bridge + vlan + ipfw (or PF) panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 10 18:20:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Csaba Urban
>Release:        6.0-RELEASE
>Organization:
>Environment:
FreeBSD richfield 6.0-RELEASE FreeBSD 6.0-RELEASE #3: Sat Nov  5 19:22:54 CET 2005     csabi at richfield:/usr/obj/usr/src/sys/RICHFIELD  i386
            
>Description:
An if_bridge interface with vlan members panics if the kernel is built with ipfw or pf. For a few minutes it forwards packets, but then it suddenly crashes.
Without ipfw and PF it seems to work fine.

ifconfig:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        inet xxx.xxx.48.131 netmask 0xffffff80 broadcast xxx.xxx.48.255
        ether 00:30:48:82:78:02
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        ether 00:30:48:82:78:03
        media: Ethernet autoselect
        status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
vlan1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        ether 00:30:48:82:78:03
        media: Ethernet autoselect
        status: no carrier
        vlan: 101 parent interface: em1
vlan2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        ether 00:30:48:82:78:03
        media: Ethernet autoselect
        status: no carrier
        vlan: 102 parent interface: em1
vlan3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        ether 00:30:48:82:78:03
        media: Ethernet autoselect
        status: no carrier
        vlan: 103 parent interface: em1
bridge0: flags=8041<UP,RUNNING,MULTICAST> mtu 1500
        inet xxx.xxx.49.65 netmask 0xffffffe0
        ether ac:de:48:9f:9a:b5
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: vlan3 flags=3<LEARNING,DISCOVER>
        member: vlan2 flags=3<LEARNING,DISCOVER>
        member: vlan1 flags=3<LEARNING,DISCOVER>

ipfw:
65535 1330 197783 allow ip from any to any

Here are 2 backtraces:

richfield# cd /usr/obj/usr/src/sys/RICHFIELD
richfield# kgdb kernel.debug /var/crash/vmcore.13
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:
em0: discard frame w/o packet header


Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0xbfc06478
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc05ea5e5
stack pointer           = 0x28:0xd4235c00
frame pointer           = 0x28:0xd4235c50
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 22 (irq11: em0)
trap number             = 12
panic: page fault
Uptime: 5m48s
Dumping 510 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 510MB (130528 pages) 494 478 462 446 430 414 398 382 366 350 334 318 302 286 270 254 238 222 206 190 174 158 142 126 110 94 78 62 46 30 14

#0  doadump () at pcpu.h:165
165             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc04c6326 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:399
#2  0xc04c65bc in panic (fmt=0xc0618cbc "%s") at /usr/src/sys/kern/kern_shutdown.c:555
#3  0xc05fa1f8 in trap_fatal (frame=0xd4235bc0, eva=3217056888) at /usr/src/sys/i386/i386/trap.c:831
#4  0xc05f9f63 in trap_pfault (frame=0xd4235bc0, usermode=0, eva=3217056888) at /usr/src/sys/i386/i386/trap.c:742
#5  0xc05f9bc1 in trap (frame=
      {tf_fs = -1061027832, tf_es = -735903704, tf_ds = -1050935256, tf_edi = -1050531712, tf_esi = -1049086912, tf_ebp = -735880112, tf_isp = -735880212, tf_ebx = -1047088896, tf_edx = 0, tf_ecx = 26337282, tf_eax = 6430, tf_trapno = 12, tf_err = 0, tf_eip = -1067538971, tf_cs = 32, tf_eflags = 590342, tf_esp = 4, tf_ss = -1051155712})
    at /usr/src/sys/i386/i386/trap.c:432
#6  0xc05ecbda in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7  0xc05ea5e5 in bus_dmamap_load (dmat=0xc17d8280, map=0x191e, buf=0x191e002, buflen=2046,
    callback=0xc0454ca0 <em_dmamap_cb>, callback_arg=0xd4235c74, flags=0) at pmap.h:200
#8  0xc045558a in em_get_buf (i=136, adapter=0xc165c800, nmp=0x0) at /usr/src/sys/dev/em/if_em.c:2474
#9  0xc0455d5b in em_process_receive_interrupts (adapter=0xc165c800, count=-2) at /usr/src/sys/dev/em/if_em.c:2797
#10 0xc0452fb5 in em_intr (arg=0xc165c800) at /usr/src/sys/dev/em/if_em.c:992
#11 0xc04b1f1d in ithread_loop (arg=0xc1581700) at /usr/src/sys/kern/kern_intr.c:547
#12 0xc04b11a4 in fork_exit (callout=0xc04b1dc4 <ithread_loop>, arg=0xc1581700, frame=0xd4235d38)
    at /usr/src/sys/kern/kern_fork.c:789
#13 0xc05ecc3c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:208
(kgdb)quit
richfield# kgdb kernel.debug /var/crash/vmcore.14
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x5dc004b
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc04fd487
stack pointer           = 0x28:0xd544099c
frame pointer           = 0x28:0xd54409a8
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 27 (swi1: net)
trap number             = 12
panic: page fault
Uptime: 2m24s
Dumping 510 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 510MB (130528 pages) 494 478 462 446 430 414 398 382 366 350 334 318 302 286 270 254 238 222 206 190 174 158 142 126 110 94 78 62 46 30 14

#0  doadump () at pcpu.h:165
165             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc04c6326 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:399
#2  0xc04c65bc in panic (fmt=0xc0618cbc "%s") at /usr/src/sys/kern/kern_shutdown.c:555
#3  0xc05fa1f8 in trap_fatal (frame=0xd544095c, eva=98304075) at /usr/src/sys/i386/i386/trap.c:831
#4  0xc05f9f63 in trap_pfault (frame=0xd544095c, usermode=0, eva=98304075) at /usr/src/sys/i386/i386/trap.c:742
#5  0xc05f9bc1 in trap (frame=
      {tf_fs = 8, tf_es = -1066860504, tf_ds = -1050410968, tf_edi = -1049449728, tf_esi = 98304069, tf_ebp = -716961368, tf_isp = -716961400, tf_ebx = 98304069, tf_edx = 0, tf_ecx = 0, tf_eax = -1049448448, tf_trapno = 12, tf_err = 0, tf_eip = -1068510073, tf_cs = 32, tf_eflags = 590338, tf_esp = 1, tf_ss = 98304069}) at /usr/src/sys/i386/i386/trap.c:432
#6  0xc05ecbda in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7  0xc04fd487 in m_tag_copy (t=0x5dc0045, how=1) at /usr/src/sys/kern/uipc_mbuf2.c:405
#8  0xc04fd4f1 in m_tag_copy_chain (to=0xc172ab00, from=0xc172b000, how=1) at /usr/src/sys/kern/uipc_mbuf2.c:442
#9  0xc04fb8c1 in m_dup_pkthdr (to=0xc172ab00, from=0xc172b000, how=1) at /usr/src/sys/kern/uipc_mbuf.c:333
#10 0xc04fbbb4 in m_copypacket (m=0xc172b000, how=1) at /usr/src/sys/kern/uipc_mbuf.c:461
#11 0xc0535150 in bridge_broadcast (sc=0xc17a6200, src_if=0xc1745400, m=0xc172b000, runfilt=0)
    at /usr/src/sys/net/if_bridge.c:1871
#12 0xc053459a in bridge_start (ifp=0xc1745400) at /usr/src/sys/net/if_bridge.c:1491
#13 0xc0532967 in if_start (ifp=0x0) at /usr/src/sys/net/if.c:2212
#14 0xc05372e3 in ether_output_frame (ifp=0xc1745400, m=0xc172b000) at /usr/src/sys/net/if_ethersubr.c:408
#15 0xc05370c8 in ether_output (ifp=0xc1745400, m=0xc172b000, dst=0xd5440b18, rt0=0x0)
    at /usr/src/sys/net/if_ethersubr.c:361
#16 0xc0543080 in arprequest (ifp=0xc1745400, sip=0xd5440b50, tip=0xd5440bf4, enaddr=0xc157f6af "&#377;&#354;HF@\227")
    at /usr/src/sys/netinet/if_ether.c:372
#17 0xc0543462 in arpresolve (ifp=0xc1745400, rt0=0xc17f87bc, m=0xc17fda00, dst=0xd5440bf0, desten=0xd5440b94 "")
    at /usr/src/sys/netinet/if_ether.c:499
#18 0xc0536d94 in ether_output (ifp=0xc1745400, m=0xc17fda00, dst=0xd5440bf0, rt0=0xc17f87bc)
    at /usr/src/sys/net/if_ethersubr.c:176
#19 0xc0556464 in ip_output (m=0xc17fda00, opt=0xc1745400, ro=0xd5440bec, flags=1, imo=0x0, inp=0x0)
    at /usr/src/sys/netinet/ip_output.c:776
#20 0xc05559b8 in ip_forward (m=0xc17fda00, srcrt=0) at /usr/src/sys/netinet/ip_input.c:1840
#21 0xc05545a3 in ip_input (m=0xc17fda00) at /usr/src/sys/netinet/ip_input.c:681
#22 0xc053c817 in netisr_processqueue (ni=0xc0679058) at /usr/src/sys/net/netisr.c:236
#23 0xc053ca12 in swi_net (dummy=0x0) at /usr/src/sys/net/netisr.c:349
#24 0xc04b1f1d in ithread_loop (arg=0xc1581480) at /usr/src/sys/kern/kern_intr.c:547
#25 0xc04b11a4 in fork_exit (callout=0xc04b1dc4 <ithread_loop>, arg=0xc1581480, frame=0xd5440d38)
    at /usr/src/sys/kern/kern_fork.c:789
#26 0xc05ecc3c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:208


>How-To-Repeat:
Set up an environment like this:
-x.x.2.1 [FreeBSD]x.x.1.1/24--tagged--[Cisco 2950]
                                        |       | 
                                       vlan1   vlan2
                                        |       |
                                   x.x.1.2/24  x.x.1.3/24

Send traffic through the bridge from x.x.1.2 and x.x.1.3 at the same time. FreeBSD will crash after a few minutes.             
>Fix:
              
>Release-Note:
>Audit-Trail:
>Unformatted:

