Bug 216554 - LACP integer divide fault
Summary: LACP integer divide fault
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 11.0-STABLE
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-net (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-28 19:36 UTC by slw
Modified: 2017-01-30 09:24 UTC (History)

See Also:


Description slw 2017-01-28 19:36:31 UTC
Fatal trap 18: integer divide fault while in kernel mode
cpuid = 3; apic id = 06
instruction pointer     = 0x20:0xffffffff81453230
stack pointer           = 0x28:0xfffffe3e56f46480
frame pointer           = 0x28:0xfffffe3e56f464a0
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi4: clock (3))
trap number             = 18
panic: integer divide fault
cpuid = 3
KDB: stack backtrace:
db_trace_self_wrapper() at 0xffffffff8032b3eb = db_trace_self_wrapper+0x2b/frame 0xfffffe3e56f460c0
vpanic() at 0xffffffff804e33a6 = vpanic+0x186/frame 0xfffffe3e56f46140
panic() at 0xffffffff804e3213 = panic+0x43/frame 0xfffffe3e56f461a0
trap_fatal() at 0xffffffff807b07c2 = trap_fatal+0x322/frame 0xfffffe3e56f461f0
trap() at 0xffffffff807b0475 = trap+0x6b5/frame 0xfffffe3e56f463b0
calltrap() at 0xffffffff807946b1 = calltrap+0x8/frame 0xfffffe3e56f463b0
--- trap 0x12, rip = 0xffffffff81453230, rsp = 0xfffffe3e56f46480, rbp = 0xfffffe3e56f464a0 ---
lacp_select_tx_port() at 0xffffffff81453230 = lacp_select_tx_port+0x70/frame 0xfffffe3e56f464a0
lagg_lacp_start() at 0xffffffff814504ae = lagg_lacp_start+0xe/frame 0xfffffe3e56f464c0
lagg_transmit() at 0xffffffff8144e73f = lagg_transmit+0xbf/frame 0xfffffe3e56f46530
ether_output() at 0xffffffff805f30bc = ether_output+0x71c/frame 0xfffffe3e56f465d0
ip_output() at 0xffffffff80629935 = ip_output+0x1585/frame 0xfffffe3e56f46720
tcp_output() at 0xffffffff806b9e16 = tcp_output+0x1876/frame 0xfffffe3e56f468c0
tcp_timer_rexmt() at 0xffffffff806c572f = tcp_timer_rexmt+0x4df/frame 0xfffffe3e56f46900
softclock_call_cc() at 0xffffffff804fd1b6 = softclock_call_cc+0x156/frame 0xfffffe3e56f469b0
softclock() at 0xffffffff804fd754 = softclock+0x94/frame 0xfffffe3e56f469e0
intr_event_execute_handlers() at 0xffffffff8049d15f = intr_event_execute_handlers+0x20f/frame 0xfffffe3e56f46a20
ithread_loop() at 0xffffffff8049d766 = ithread_loop+0xc6/frame 0xfffffe3e56f46a70
fork_exit() at 0xffffffff80499e25 = fork_exit+0x85/frame 0xfffffe3e56f46ab0
fork_trampoline() at 0xffffffff80794bee = fork_trampoline+0xe/frame 0xfffffe3e56f46ab0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---

(kgdb) info line *0xffffffff81453230
Line 848 of "/usr/src/sys/modules/if_lagg/../../net/ieee8023ad_lacp.c" starts at address 0xffffffff8145322e <lacp_select_tx_port+110> and ends at 0xffffffff81453233 <lacp_select_tx_port+115>.

===

Lacp configuration:
cc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=ec07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:07:43:39:8c:00
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet 40Gbase-SR4 <full-duplex>
        status: active
cc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=ec07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:07:43:39:8c:00
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet 40Gbase-SR4 <full-duplex>
        status: no carrier
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=ec07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:07:43:39:8c:00
        inet 37.220.36.136 netmask 0xffffff00 broadcast 37.220.36.255 
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet autoselect
        status: active
        groups: lagg 
        laggproto lacp lagghash l2,l3,l4
        laggport: cc0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
        laggport: cc1 flags=0<>


======

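I believe the last member of lagg0 went away between lines 838 and 848 (a race condition on the access to pm->pm_count): the count was presumably non-zero when it was first read and zero by the time it was used as the divisor, which would explain the integer divide fault.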
Comment 1 slw 2017-01-30 09:24:50 UTC
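Additional panic, this time a page fault in the same function (lacp_select_tx_port, at line 849 of ieee8023ad_lacp.c according to the kgdb backtrace below):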

Fatal trap 12: page fault while in kernel mode
cpuid = 5; apic id = 0a
fault virtual address   = 0x28
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff8145323e
stack pointer           = 0x28:0xfffffe3e56f50480
frame pointer           = 0x28:0xfffffe3e56f504a0
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi4: clock (5))
trap number             = 12
panic: page fault
cpuid = 5
KDB: stack backtrace:
db_trace_self_wrapper() at 0xffffffff8032b3eb = db_trace_self_wrapper+0x2b/frame 0xfffffe3e56f50060
vpanic() at 0xffffffff804e33a6 = vpanic+0x186/frame 0xfffffe3e56f500e0
panic() at 0xffffffff804e3213 = panic+0x43/frame 0xfffffe3e56f50140
trap_fatal() at 0xffffffff807b07c2 = trap_fatal+0x322/frame 0xfffffe3e56f50190
trap_pfault() at 0xffffffff807b098c = trap_pfault+0x1bc/frame 0xfffffe3e56f501f0
trap() at 0xffffffff807b0040 = trap+0x280/frame 0xfffffe3e56f503b0
calltrap() at 0xffffffff807946b1 = calltrap+0x8/frame 0xfffffe3e56f503b0
--- trap 0xc, rip = 0xffffffff8145323e, rsp = 0xfffffe3e56f50480, rbp = 0xfffffe3e56f504a0 ---
lacp_select_tx_port() at 0xffffffff8145323e = lacp_select_tx_port+0x7e/frame 0xfffffe3e56f504a0
lagg_lacp_start() at 0xffffffff814504ae = lagg_lacp_start+0xe/frame 0xfffffe3e56f504c0
lagg_transmit() at 0xffffffff8144e73f = lagg_transmit+0xbf/frame 0xfffffe3e56f50530
ether_output() at 0xffffffff805f30bc = ether_output+0x71c/frame 0xfffffe3e56f505d0
ip_output() at 0xffffffff80629935 = ip_output+0x1585/frame 0xfffffe3e56f50720
tcp_output() at 0xffffffff806b9e16 = tcp_output+0x1876/frame 0xfffffe3e56f508c0
tcp_timer_rexmt() at 0xffffffff806c572f = tcp_timer_rexmt+0x4df/frame 0xfffffe3e56f50900
softclock_call_cc() at 0xffffffff804fd1b6 = softclock_call_cc+0x156/frame 0xfffffe3e56f509b0
softclock() at 0xffffffff804fd754 = softclock+0x94/frame 0xfffffe3e56f509e0
intr_event_execute_handlers() at 0xffffffff8049d15f = intr_event_execute_handlers+0x20f/frame 0xfffffe3e56f50a20
ithread_loop() at 0xffffffff8049d766 = ithread_loop+0xc6/frame 0xfffffe3e56f50a70
fork_exit() at 0xffffffff80499e25 = fork_exit+0x85/frame 0xfffffe3e56f50ab0
fork_trampoline() at 0xffffffff80794bee = fork_trampoline+0xe/frame 0xfffffe3e56f50ab0

#1  0xffffffff804e2e0e in kern_reboot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:366
#2  0xffffffff804e33e0 in vpanic (fmt=<value optimized out>, 
    ap=<value optimized out>) at /usr/src/sys/kern/kern_shutdown.c:759
#3  0xffffffff804e3213 in panic (fmt=<value optimized out>)
    at /usr/src/sys/kern/kern_shutdown.c:690
#4  0xffffffff807b07c2 in trap_fatal (frame=0xfffffe3e56f503c0, eva=40)
    at /usr/src/sys/amd64/amd64/trap.c:801
#5  0xffffffff807b098c in trap_pfault (frame=0xfffffe3e56f503c0, usermode=0)
    at /usr/src/sys/amd64/amd64/trap.c:658
#6  0xffffffff807b0040 in trap (frame=0xfffffe3e56f503c0)
    at /usr/src/sys/amd64/amd64/trap.c:421
#7  0xffffffff807946b1 in calltrap ()
    at /usr/src/sys/amd64/amd64/exception.S:236
#8  0xffffffff8145323e in lacp_select_tx_port (sc=<value optimized out>, 
    m=<value optimized out>)
    at /usr/src/sys/modules/if_lagg/../../net/ieee8023ad_lacp.c:849
#9  0xffffffff814504ae in lagg_lacp_start (sc=<value optimized out>, 
    m=0xfffff8148b268a00)
    at /usr/src/sys/modules/if_lagg/../../net/if_lagg.c:2201
#10 0xffffffff8144e73f in lagg_transmit (ifp=0xfffff80125091000, 
    m=0xfffff8148b268a00)
    at /usr/src/sys/modules/if_lagg/../../net/if_lagg.c:345
#11 0xffffffff805f30bc in ether_output (ifp=<value optimized out>, 
    m=<value optimized out>, dst=0xfffff801710c1a90, ro=<value optimized out>)
    at /usr/src/sys/net/if_ethersubr.c:459
#12 0xffffffff80629935 in ip_output (m=<value optimized out>, 
    opt=<value optimized out>, ro=<value optimized out>, flags=0, 
    imo=<value optimized out>, inp=<value optimized out>)
    at /usr/src/sys/netinet/ip_output.c:661
#13 0xffffffff806b9e16 in tcp_output (tp=<value optimized out>)
    at /usr/src/sys/netinet/tcp_output.c:1424
#14 0xffffffff806c572f in tcp_timer_rexmt (xtp=<value optimized out>)
    at /usr/src/sys/netinet/tcp_timer.c:812
#15 0xffffffff804fd1b6 in softclock_call_cc (c=<value optimized out>, 
    cc=<value optimized out>, direct=<value optimized out>)
    at /usr/src/sys/kern/kern_timeout.c:729
#16 0xffffffff804fd754 in softclock (arg=<value optimized out>)
    at /usr/src/sys/kern/kern_timeout.c:867
#17 0xffffffff8049d15f in intr_event_execute_handlers (
    p=<value optimized out>, ie=<value optimized out>)
    at /usr/src/sys/kern/kern_intr.c:1262
#18 0xffffffff8049d766 in ithread_loop (arg=<value optimized out>)
    at /usr/src/sys/kern/kern_intr.c:1275
#19 0xffffffff80499e25 in fork_exit (
    callout=0xffffffff8049d6a0 <ithread_loop>, arg=0xfffff80120ff3560, 
    frame=0xfffffe3e56f50ac0) at /usr/src/sys/kern/kern_fork.c:1040
#20 0xffffffff80794bee in fork_trampoline ()
    at /usr/src/sys/amd64/amd64/exception.S:611
#21 0x0000000000000000 in ?? ()