Hi, As we are facing a heavy IP fragment attack (40-60 byte packets in a ~1000 pkts/sec flow), I see some sporadic kernel panics. Kernel/world is 4.2-STABLE as of 18 Jan 2001 -- it's a production machine and I haven't yet had the chance for another update; if it's been fixed in the meantime I would be glad to hear it... I have attached a gdb trace and a snippet of a tcpdump log. In the trace, the first page fault is in m_copym(), called from ip_forward(); the second one happens in the softdep code while syncing disks after the panic. When I rebuilt the kernel with debug options it seemed to crash less often. I remember that at the time of this panic I had an ipfw rule to deny IP fragments. If you need further data just ask, I'd be glad to help, Ady (@warpnet.ro)
Script started on Sun Feb 25 20:00:14 2001 GNU gdb 4.18 Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-unknown-freebsd". (kgdb) symbol-file kernel.debug Reading symbols from kernel.debug...done. (kgdb) exec-file /var/crash/kernel.0 (kgdb) core-file /var/crash/vmcore.0 IdlePTD 2928640 initial pcb at 24d1a0 panicstr: page fault panic messages: --- Fatal trap 12: page fault while in kernel mode fault virtual address = 0x89c0c800 fault code = supervisor read, page not present instruction pointer = 0x8:0xc014de98 stack pointer = 0x10:0xc0231340 frame pointer = 0x10:0xc023135c code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, def32 1, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = Idle interrupt mask = net trap number = 12 panic: page fault syncing disks... Fatal trap 12: page fault while in kernel mode fault virtual address = 0x30 fault code = supervisor read, page not present instruction pointer = 0x8:0xc01a9034 stack pointer = 0x10:0xc0231170 frame pointer = 0x10:0xc0231174 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, def32 1, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = Idle interrupt mask = net bio cam trap number = 12 panic: page fault Uptime: 5d14h45m42s dumping to dev #ad/0x20001, offset 525953 dump ata0: resetting devices .. 
done 126 125 124 123 122 121 120 119 118 117 116 115 114 113 112 111 110 109 108 107 106 105 104 103 102 101 100 99 98 97 96 95 94 93 92 91 90 89 88 87 86 85 84 83 82 81 80 79 78 77 76 75 74 73 72 71 70 69 68 67 66 65 64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 --- #0 dumpsys () at ../../kern/kern_shutdown.c:469 469 if (dumping++) { (kgdb) bt #0 dumpsys () at ../../kern/kern_shutdown.c:469 #1 0xc0132d67 in boot (howto=260) at ../../kern/kern_shutdown.c:309 #2 0xc01330e4 in poweroff_wait (junk=0xc02292af, howto=0) at ../../kern/kern_shutdown.c:556 #3 0xc01f8e05 in trap_fatal (frame=0xc0231130, eva=48) at ../../i386/i386/trap.c:951 #4 0xc01f8add in trap_pfault (frame=0xc0231130, usermode=0, eva=48) at ../../i386/i386/trap.c:844 #5 0xc01f86c3 in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = -1072562160, tf_edi = 0, tf_esi = -1071245792, tf_ebp = -1071443596, tf_isp = -1071443620, tf_ebx = -1071385060, tf_edx = 6864960, tf_ecx = 5, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1072000972, tf_cs = 8, tf_eflags = 66054, tf_esp = 0, tf_ss = -1071443568}) at ../../i386/i386/trap.c:443 #6 0xc01a9034 in acquire_lock (lk=0xc023f61c) at ../../ufs/ffs/ffs_softdep.c:268 #7 0xc01ad2ce in softdep_fsync_mountdev (vp=0xc880fa80) at ../../ufs/ffs/ffs_softdep.c:3846 #8 0xc01b143a in ffs_fsync (ap=0xc02311e8) at ../../ufs/ffs/ffs_vnops.c:134 #9 0xc01b013a in ffs_sync (mp=0xc0cd4c00, waitfor=2, cred=0xc072c900, p=0xc0261620) at vnode_if.h:537 #10 0xc016109b in sync (p=0xc0261620, uap=0x0) at ../../kern/vfs_syscalls.c:545 #11 0xc0132b3a in boot (howto=256) at ../../kern/kern_shutdown.c:233 #12 0xc01330e4 in poweroff_wait (junk=0xc02292af, howto=0) at ../../kern/kern_shutdown.c:556 #13 0xc01f8e05 in trap_fatal (frame=0xc0231300, eva=2311112704) at ../../i386/i386/trap.c:951 #14 0xc01f8add in trap_pfault (frame=0xc0231300, usermode=0, 
eva=2311112704) at ../../i386/i386/trap.c:844 #15 0xc01f86c3 in trap (frame={tf_fs = -1072234480, tf_es = 6422544, tf_ds = 16, tf_edi = -1071443112, tf_esi = 6422528, tf_ebp = -1071443108, tf_isp = -1071443156, tf_ebx = 1, tf_edx = -1983854592, tf_ecx = 1, tf_eax = 6422528, tf_trapno = 12, tf_err = 0, tf_eip = -1072374120, tf_cs = 8, tf_eflags = 66182, tf_esp = -1060023040, tf_ss = -1071323916}) at ../../i386/i386/trap.c:443 #16 0xc014de98 in m_copym (m=0xc07e7c00, off0=0, len=40, wait=1) at ../../kern/uipc_mbuf.c:621 #17 0xc017d83f in ip_forward (m=0xc07e7c00, srcrt=0) at ../../netinet/ip_input.c:1508 #18 0xc017caca in ip_input (m=0xc07e7c00) at ../../netinet/ip_input.c:563 ---Type <return> to continue, or q <return> to quit--- #19 0xc017cd17 in ipintr () at ../../netinet/ip_input.c:759 (kgdb) up 16 #16 0xc014de98 in m_copym (m=0xc07e7c00, off0=0, len=40, wait=1) at ../../kern/uipc_mbuf.c:621 621 n->m_pkthdr.len -= off0; (kgdb) list 616 if (n == 0) 617 goto nospace; 618 if (copyhdr) { 619 M_COPY_PKTHDR(n, m); 620 if (len == M_COPYALL) 621 n->m_pkthdr.len -= off0; 622 else 623 n->m_pkthdr.len = len; 624 copyhdr = 0; 625 } (kgdb) print n $1 = (struct mbuf *) 0x661c20 (kgdb) print *n cannot read proc at 0 (kgdb) print m $2 = (struct mbuf *) 0xc07e7c00 (kgdb) print *m $3 = {m_hdr = {mh_next = 0x0, mh_nextpkt = 0x0, mh_data = 0xc085c820 "E", mh_len = 40, mh_type = 1, mh_flags = 3}, M_dat = {MH = {MH_pkthdr = { rcvif = 0xc0c76c00, len = 40, header = 0x0, csum_flags = 0, csum_data = 6, aux = 0x0}, MH_dat = {MH_ext = { ext_buf = 0xc085c800 "", ext_free = 0, ext_size = 2048, ext_ref = 0}, MH_databuf = 
"\000È\205À\000\000\000\000\000\b\000\000\000\000\000\000E\000\000,V\212@\000@\006ÕkÂ\231ó\001Ï.\212\f\004\035\0005ÃêÎ*\000\000\000\000`\002@\000²è\000\000\002\004\005´\000\001\000\001\000\000\006\220\000\004͵pL\005ZDNET\003com\000\000\002\000\001\000\000êÜ\000\027\bDNSAUTH1\003SYS\004GTEI\003\000\000!Eß{\000\220'\233yä\b\000E\000\000\000\fuÒu\000ÀÊ\020ßq\b\000E\000\000Bbÿ\000\000@\021ñüÂ\231ó\001Ïñ \"\004\035\0005\000.\212&«·\001\000\000\001\000\000\000\000\000\000\bultraman\004ze\000\000!E"...}}, M_databuf = "\000lÇÀ(", '\000' <repeats 11 times>, "\006\000\000\000\000\000\000\000\000È\205À\000\000\000\000\000\b\000\000\000\000\000\000E\000\000,V\212@\000@\006ÕkÂ\231ó\001Ï.\212\f\004\035\0005ÃêÎ*\000\000\000\000`\002@\000²è\000\000\002\004\005´\000\001\000\001\000\000\006\220\000\004͵pL\005ZDNET\003com\000\000\002\000\001\000\000êÜ\000\027\bDNSAUTH1\003SYS\004GTEI\003\000\000!Eß{\000\220'\233yä\b\000E\000\000\000\fuÒu\000ÀÊ\020ßq\b\000E\000\000Bbÿ\000\000@\021ñüÂ\231ó\001Ïñ \"\004\035\0005\000.\212&«·\001\000\000"...}} (kgdb) print 0ff0 off0 $4 = 0 (kgdb) print len $5 = 40 (kgdb) up #17 0xc017d83f in ip_forward (m=0xc07e7c00, srcrt=0) at ../../netinet/ip_input.c:1508 1508 mcopy = m_copy(m, 0, imin((int)ip->ip_len, 64)); (kgdb) list 1503 1504 /* 1505 * Save at most 64 bytes of the packet in case 1506 * we need to generate an ICMP message to the src. 1507 */ 1508 mcopy = m_copy(m, 0, imin((int)ip->ip_len, 64)); 1509 if (mcopy && (mcopy->m_flags & M_EXT)) 1510 m_copydata(mcopy, 0, sizeof(struct ip), mtod(mcopy, caddr_t)); 1511 1512 #ifdef IPSTEALTH (kgdb) print m $6 = (struct mbuf *) 0xc07e7c00 (kgdb) print ip->ip_len $7 = 40 (kgdb) up #18 0xc017caca in ip_input (m=0xc07e7c00) at ../../netinet/ip_input.c:563 563 ip_forward(m, 0); (kgdb) up #19 0xc017cd17 in ipintr () at ../../netinet/ip_input.c:759 759 ip_input(m); (kgdb) up Initial frame selected; you cannot go up. (kgdb) q Script done on Sun Feb 25 20:02:32 2001
00:07:08.891663 50.202.92.36 > 194.102.224.9: (frag 20158:20@256) [tos 0xe8] (ttl 239) 00:07:08.891911 50.202.92.36 > 194.102.224.103: (frag 20158:20@256) [tos 0xe8] (ttl 239) 00:07:08.892397 50.202.92.36 > 194.102.224.103: (frag 20158:20@256) [tos 0xe8] (ttl 239) 00:07:08.892683 50.202.92.36 > 194.102.224.103: (frag 20158:20@256) [tos 0xe8] (ttl 239) 00:07:08.892919 50.202.92.36 > 194.102.224.103: (frag 20158:20@256) [tos 0xe8] (ttl 239) 00:07:08.893151 50.202.92.36 > 194.102.224.103: (frag 20158:20@256) [tos 0xe8] (ttl 239) 00:07:08.895489 50.202.92.36 > 194.102.224.9: (frag 20158:20@256) [tos 0xe8] (ttl 239) 00:07:08.895948 50.202.92.36 > 194.102.224.9: (frag 20158:20@256) [tos 0xe8] (ttl 239) 00:07:08.896200 50.202.92.36 > 194.102.224.103: (frag 20158:20@256) [tos 0xe8] (ttl 239) 00:07:08.896435 50.202.92.36 > 194.102.224.9: (frag 20158:20@256) [tos 0xe8] (ttl 239) 00:07:08.896703 50.202.92.36 > 194.102.224.103: (frag 20158:20@256) [tos 0xe8] (ttl 239) 00:07:08.899970 50.202.92.36 > 194.102.224.9: (frag 20158:20@256) [tos 0xe8] (ttl 239) 00:07:08.900446 50.202.92.36 > 194.102.224.103: (frag 20158:20@256) [tos 0xe8] (ttl 239) 00:07:08.900736 50.202.92.36 > 194.102.224.9: (frag 20158:20@256) [tos 0xe8] (ttl 239) 00:07:08.900972 50.202.92.36 > 194.102.224.9: (frag 20158:20@256) [tos 0xe8] (ttl 239) 00:07:08.901210 50.202.92.36 > 194.102.224.103: (frag 20158:20@256) [tos 0xe8] (ttl 239) 00:07:08.901506 50.202.92.36 > 194.102.224.103: (frag 20158:20@256) [tos 0xe8] (ttl 239) 00:07:08.904067 50.202.92.36 > 194.102.224.9: (frag 20158:20@256) [tos 0xe8] (ttl 239) 00:07:08.924088 50.202.92.36 > 194.102.224.103: (frag 20158:20@256) [tos 0xe8] (ttl 239)