kern/111352: Mkdir causes integer divide fault while in kernel mode

Tom Judge tom at tomjudge.com
Sat Apr 7 11:30:06 UTC 2007


>Number:         111352
>Category:       kern
>Synopsis:       Mkdir causes integer divide fault while in kernel mode
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Apr 07 11:30:05 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Tom Judge
>Release:        6.2-RELEASE + pmap.c patch (From RELENG_6 1.516.2.9)
>Organization:
>Environment:
FreeBSD bfg.mintel.co.uk 6.2-RELEASE FreeBSD 6.2-RELEASE #10: Thu Apr  5 10:53:39 BST 2007     root at roley.mintel.co.uk:/usr/obj/usr/src/sys/PE2950 amd64 amd64 Intel(R) Xeon(R) CPU            5110  @ 1.60GHz FreeBSD

FreeBSD happy.mintel.co.uk 6.2-RELEASE FreeBSD 6.2-RELEASE #10: Thu Apr  5 10:53:39 BST 2007     root at roley.mintel.co.uk:/usr/obj/usr/src/sys/PE2950  amd64



>Description:
When creating directories in a file system that has been created with the average number of files per directory tuned (to 2500 in this case), the system panics with an "integer divide fault while in kernel mode".

I have tested this on 2 different size file systems (6TB, 200GB) on 2 different machines; both cause the same crash.

The following tunings do not cause the crash:

newfs -h 2500 /dev/mfid0s1g
newfs -h 2500 -b 65536 /dev/mfid0s1g

Only the following combination causes the crash:

newfs -h 2500 -b 65536 -g 1048576 /dev/mfid0s1g

I have several core files available if further information is required; here is a back trace from one:

kgdb /usr/obj/usr/src/sys/PE2950/kernel.debug /var/crash/vmcore.2
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd".

Unread portion of the kernel message buffer:


Fatal trap 18: integer divide fault while in kernel mode
cpuid = 0; apic id = 00
instruction pointer     = 0x8:0xffffffff80391347
stack pointer           = 0x10:0xffffffffa78736f0
frame pointer           = 0x10:0xffffff0001d7a600
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 1206 (mkdir)
trap number             = 18
panic: integer divide fault
cpuid = 0
Uptime: 4m29s
Dumping 1023 MB (2 chunks)
  chunk 0: 1MB (156 pages) ... ok
  chunk 1: 1023MB (261800 pages) 1007 991 975 959 943 927 911 895 879 863 847 831 815 799 783 767 751 735 719 703 687 671 655 639 623 607 591 575 559 543 527 511 495 479 463 447 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15

#0  doadump () at pcpu.h:172
172     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:172
#1  0x0000000000000004 in ?? ()
#2  0xffffffff8029a557 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#3  0xffffffff8029abf1 in panic (fmt=0xffffff0029753000 "X?/") at /usr/src/sys/kern/kern_shutdown.c:565
#4  0xffffffff803f62ff in trap_fatal (frame=0xffffff0029753000, eva=18446742974994109272) at /usr/src/sys/amd64/amd64/trap.c:660
#5  0xffffffff803f67a2 in trap (frame=
      {tf_rdi = 0, tf_rsi = 0, tf_rdx = 0, tf_rcx = 1951858688, tf_r8 = 2500, tf_r9 = 2975, tf_rax = 1951858688, tf_rbx = -2050457600, tf_rbp = -1099480717824, tf_r10 = 246016, tf_r11 = 184512, tf_r12 = -1098707543808, tf_r13 = 246015, tf_r14 = -2050457600, tf_r15 = 255, tf_trapno = 18, tf_addr = 0, tf_flags = 2147483648012, tf_err = 0, tf_rip = -2143743161, tf_cs = 8, tf_rflags = 66182, tf_rsp = -1484310784, tf_ss = 16}) at /usr/src/sys/amd64/amd64/trap.c:469
#6  0xffffffff803e1a6b in calltrap () at /usr/src/sys/amd64/amd64/exception.S:168
#7  0xffffffff80391347 in ffs_valloc (pvp=0xffffff002f24d7c0, mode=16877, cred=0x0, vpp=0xffffffffa7873798) at libkern.h:56
#8  0xffffffff803b8a5e in ufs_mkdir (ap=0xffffffffa78739a0) at /usr/src/sys/ufs/ufs/ufs_vnops.c:1386
#9  0xffffffff8043b355 in VOP_MKDIR_APV (vop=0x74570000, a=0xffffffffa78739a0) at vnode_if.c:1251
#10 0xffffffff80310e19 in kern_mkdir (td=0xffffff002f24d7c0, path=0xffffff003dabe400 "", segflg=4, mode=511) at vnode_if.h:653
#11 0xffffffff803f7151 in syscall (frame=
      {tf_rdi = 140737488348678, tf_rsi = 511, tf_rdx = 4294967295, tf_rcx = 1, tf_r8 = 0, tf_r9 = 140737488347272, tf_rax = 136, tf_rbx = 2, tf_rbp = 140737488348024, tf_r10 = 4294967295, tf_r11 = 582, tf_r12 = 140737488348678, tf_r13 = 140737488348008, tf_r14 = 0, tf_r15 = 0, tf_trapno = 12, tf_addr = 34367037072, tf_flags = 0, tf_err = 2, tf_rip = 34367037084, tf_cs = 43, tf_rflags = 518, tf_rsp = 140737488347720, tf_ss = 35})
    at /usr/src/sys/amd64/amd64/trap.c:792
#12 0xffffffff803e1c08 in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:270
#13 0x00000008006f5e9c in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) frame 7
#7  0xffffffff80391347 in ffs_valloc (pvp=0xffffff002f24d7c0, mode=16877, cred=0x0, vpp=0xffffffffa7873798) at libkern.h:56
56      static __inline u_int min(u_int a, u_int b) { return (a < b ? a : b); }
(kgdb) list
51      static __inline int imax(int a, int b) { return (a > b ? a : b); }
52      static __inline int imin(int a, int b) { return (a < b ? a : b); }
53      static __inline long lmax(long a, long b) { return (a > b ? a : b); }
54      static __inline long lmin(long a, long b) { return (a < b ? a : b); }
55      static __inline u_int max(u_int a, u_int b) { return (a > b ? a : b); }
56      static __inline u_int min(u_int a, u_int b) { return (a < b ? a : b); }
57      static __inline quad_t qmax(quad_t a, quad_t b) { return (a > b ? a : b); }
58      static __inline quad_t qmin(quad_t a, quad_t b) { return (a < b ? a : b); }
59      static __inline u_long ulmax(u_long a, u_long b) { return (a > b ? a : b); }
60      static __inline u_long ulmin(u_long a, u_long b) { return (a < b ? a : b); }
(kgdb) frame 8
#8  0xffffffff803b8a5e in ufs_mkdir (ap=0xffffffffa78739a0) at /usr/src/sys/ufs/ufs/ufs_vnops.c:1386
1386            error = UFS_VALLOC(dvp, dmode, cnp->cn_cred, &tvp);
(kgdb) list
1381            /*
1382             * Must simulate part of ufs_makeinode here to acquire the inode,
1383             * but not have it entered in the parent directory. The entry is
1384             * made later after writing "." and ".." entries.
1385             */
1386            error = UFS_VALLOC(dvp, dmode, cnp->cn_cred, &tvp);
1387            if (error)
1388                    goto out;
1389            ip = VTOI(tvp);
1390            ip->i_gid = dp->i_gid;
(kgdb) 
>How-To-Repeat:
Create a new file system on the disk with the following newfs:

newfs -h 2500 -b 65536 -g 1048576 /dev/mfid0s1g

Mount the file system on /data.

mkdir /data/test
mkdir /data/test/test (Crashes here)

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:

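Added illustration, not part of the PR above and not FreeBSD's code: the report does not identify the expression that divides by zero, but the one newfs combination that crashes is the one where the average file size (-g 1048576) multiplied by the average files per directory (-h 2500) exceeds what a signed 32-bit integer can hold. The C below, written for this page, assumes a kernel-style computation of an "expected directory size" as that product (an assumed model, not confirmed by the report), shows what an unchecked 32-bit multiply wraps to, and shows the guard a defensive implementation applies before using such a value as a divisor. All function names are hypothetical.

```c
/*
 * Added illustration, not code from the PR or from FreeBSD.  The product
 * "average file size * average files per directory" as an expected
 * directory size is an assumed model of how the two newfs tunables combine.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Multiply two int32 values in 64-bit arithmetic and report whether the
 * result fits in int32; on success the product is stored in *out. */
static bool checked_mul_i32(int32_t a, int32_t b, int32_t *out)
{
    int64_t wide = (int64_t)a * (int64_t)b;
    if (wide > INT32_MAX || wide < INT32_MIN)
        return false;
    *out = (int32_t)wide;
    return true;
}

/* The value an unchecked 32-bit multiply wraps to, computed portably
 * (unsigned wrap-around is defined; the final conversion is done by hand). */
static int32_t wrapped_mul_i32(int32_t a, int32_t b)
{
    uint32_t u = (uint32_t)a * (uint32_t)b;
    if (u <= (uint32_t)INT32_MAX)
        return (int32_t)u;
    return (int32_t)(u - (uint32_t)INT32_MAX - 1u) + INT32_MIN;
}

/* Expected directory size from the tunables (hypothetical model).  Returns
 * -1 when the product overflowed or is not positive, so a caller can never
 * feed a zero or negative divisor into a division. */
static int32_t expected_dirsize(int32_t avgfilesize, int32_t avgfpdir)
{
    int32_t dirsize;
    if (!checked_mul_i32(avgfilesize, avgfpdir, &dirsize) || dirsize <= 0)
        return -1;
    return dirsize;
}

/* How many directories of the expected size fit in free_bytes, clamped to
 * maxval.  A non-positive dirsize yields 0 instead of a divide fault. */
static int32_t contig_dirs(int64_t free_bytes, int32_t dirsize, int32_t maxval)
{
    if (dirsize <= 0)
        return 0;
    int64_t q = free_bytes / dirsize;
    return q > maxval ? maxval : (int32_t)q;
}

int main(void)
{
    const int32_t avgfpdir = 2500;               /* newfs -h 2500 from the report */
    const int32_t sizes[] = { 16384, 1048576 };  /* an assumed smaller -g, and -g 1048576 */
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int32_t d = expected_dirsize(sizes[i], avgfpdir);
        if (d < 0)
            printf("-g %d -h %d: product overflows int32 (unchecked multiply wraps to %d); refuse to divide\n",
                   (int)sizes[i], (int)avgfpdir, (int)wrapped_mul_i32(sizes[i], avgfpdir));
        else
            printf("-g %d -h %d: dirsize %d, directories that fit in 1 GiB: %d\n",
                   (int)sizes[i], (int)avgfpdir, (int)d,
                   (int)contig_dirs((int64_t)1 << 30, d, 255));
    }
    return 0;
}
```

The check to take away is the one in `expected_dirsize`: a product of two administrator-chosen tunables must be range-checked before it is reused as a divisor, and the consumer (`contig_dirs`) must treat a non-positive divisor as "no information" rather than dividing by it.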