Subject: kern/29546: 2_STABLE: crash in bpf_mtap w/ bridge(4)
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <hubert@feyrer.de>
List: netbsd-bugs
Date: 02/27/2005 14:55:01
>Number: 29546
>Category: kern
>Synopsis: 2_STABLE: crash in bpf_mtap w/ bridge(4)
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Feb 27 14:55:00 +0000 2005
>Originator: Hubert Feyrer
>Release: NetBSD 2.0_STABLE
>Organization:
bla!
>Environment:
miyu% pi -e qemu
qemu-0.6.1nb2
miyu% pi -e netbsd-tap
netbsd-tap-20050220
System: NetBSD miyu 2.0_STABLE NetBSD 2.0_STABLE (MIYU) #50: Sat Feb 5 04:37:36 MET 2005 feyrer@miyu:/usr/src/sys/arch/i386/compile/MIYU i386
Architecture: i386
Machine: i386
>Description:
I'm running two qemu (0.6.1nb2) instances, each connected to a
tap(4) device from the netbsd-tap-20050220 package on NetBSD
2.0_STABLE. The tap devices and the internal interface of this
machine (rtk) are connected to a bridge(4).
When shoving some moderate traffic from one qemu instance to
the other one, the following crash occurs quite reliably:
kernel: page fault trap, code=0
Stoped in pid 17911.1 (qemu) at netbsd:bpf_mtap+0x20: cmpl 0x10(%eax),%esi
db> bt
bpf_mtap
rtk_start
bridge_enqueue
bridge_broadcast
bridge_forward
bridge_input
ether_input
usb_all_tasks
spec_write
ufsspec_write
VOP_WRITE
vn_write
dofilewrite
sys_write
syscall_plain
--- syscall (number 4) ---
0x48281df3:
db>
db>
db>
db> dmesg
...
uvm_fault(0xcbd752a8, 0, 0, 1) -> 0xe
db>
I have no idea what the usb_all_tasks in there does, but the
crash seems related to bridge(4).
I cannot make a crash dump as I have more RAM than swap
after a recent memory upgrade. :/
>How-To-Repeat:
* install NetBSD 2.0_STABLE
* install qemu-0.6.1nb2
* install netbsd-tap-20050220 and load it
* have two NetBSD installations as disk images in
harddisk.netbsd1 and harddisk.netbsd2 (default install),
each configured to use serial console
* Put the following into a Makefile:
bridge:
	ifconfig bridge0 create || echo bridge0: already there
	brconfig bridge0 add rtk0 || echo bridge0: rtk already there
	brconfig bridge0 -learn rtk0	# real hub mode, step 1c

netbsd1: bridge
	ifconfig tap1 create up || echo tap1: already there
	brconfig bridge0 add tap1 up || echo tap1: already on bridge0
	brconfig bridge0 -learn tap1	# real hub mode, step 1a
	brconfig bridge0 flush		# real hub mode, step 2
	qemu \
		-m 32 \
		${NETBSD_NOGFX} \
		-boot c \
		-tun-fd 3 3<>/dev/tap1 \
		-macaddr de:ad:be:ef:00:01 \
		harddisk.netbsd1
	brconfig bridge0 delete tap1
	ifconfig tap1 destroy

netbsd2: bridge
	ifconfig tap2 create up || echo tap2: already there
	brconfig bridge0 add tap2 up || echo tap2: already on bridge0
	brconfig bridge0 -learn tap2	# real hub mode, step 1b
	brconfig bridge0 flush		# real hub mode, step 2
	qemu \
		-m 32 \
		${NETBSD_NOGFX} \
		-boot c \
		-tun-fd 3 3<>/dev/tap2 \
		-macaddr de:ad:be:ef:00:02 \
		harddisk.netbsd2
	brconfig bridge0 delete tap2
	ifconfig tap2 destroy
* As root, run "make netbsd1"
* As root, run "make netbsd2"
* sysctl -w ddb.onpanic=1
* Login, install iperf on both qemu instances
* Run "iperf -s" on one qemu instance
* Run "iperf -c <other> -t 300" on the other qemu instance
* Switch host to console (Ctl-Alt-Esc)
* Wait a few seconds and see it panic
>Fix:
Please!
>Unformatted:
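Added example, not part of this PR and not NetBSD code: a small Python parser for the ddb(4) transcript format quoted in the report (trap banner, "Stopped in pid" line, `bt` listing, and the `uvm_fault()` line from `dmesg`). It is the kind of helper one uses when triaging panics captured from a serial console, and it makes the key facts of this report machine-readable: the faulting symbol and offset, the kernel frames between `bpf_mtap` and the `write(2)` syscall, and the fault address. The names `DdbCrash`, `parse_ddb`, `frames_matching`, `looks_like_null_deref` and `summarize` are this example's own; the sample transcript is the one from the report, embedded as test input. The parser reads the `uvm_fault()` arguments in the NetBSD 2.x order `(map, vaddr, fault_type, access_type)`, with `access_type` 1 taken to be `VM_PROT_READ`; the "null-pointer read" label it derives from a page-aligned fault address of 0 is an interpretation, not something the report states.

```python
"""Parse a NetBSD ddb(4) panic transcript into a structured record (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed test input: the transcript copied from kern/29546 above.
SAMPLE = """\
kernel: page fault trap, code=0
Stoped in pid 17911.1 (qemu) at netbsd:bpf_mtap+0x20: cmpl 0x10(%eax),%esi
db> bt
bpf_mtap
rtk_start
bridge_enqueue
bridge_broadcast
bridge_forward
bridge_input
ether_input
usb_all_tasks
spec_write
ufsspec_write
VOP_WRITE
vn_write
dofilewrite
sys_write
syscall_plain
--- syscall (number 4) ---
0x48281df3:
db>
db> dmesg
...
uvm_fault(0xcbd752a8, 0, 0, 1) -> 0xe
db>
"""

TRAP_RE = re.compile(r"^kernel: (?P<trap>.+?), code=(?P<code>\d+)$")
# ddb itself prints "Stopped"; the hand-copied transcript reads "Stoped", so accept both.
STOP_RE = re.compile(
    r"^Stopp?ed in pid (?P<pid>\d+)\.(?P<lid>\d+) \((?P<proc>[^)]+)\) at "
    r"(?P<image>\w+):(?P<sym>\w+)\+0x(?P<off>[0-9a-fA-F]+):\s*(?P<insn>.+)$")
SYSCALL_RE = re.compile(r"^--- syscall \(number (?P<num>\d+)\) ---$")
# uvm_fault(map, vaddr, fault_type, access_type) -> errno, as printed by NetBSD 2.x.
UVM_RE = re.compile(
    r"^uvm_fault\((?P<map>0x[0-9a-f]+), (?P<va>\w+), (?P<ft>\w+), (?P<at>\w+)\) "
    r"-> (?P<err>0x[0-9a-f]+)$")
VM_PROT_READ = 1  # assumption: NetBSD's VM_PROT_READ value


@dataclass
class DdbCrash:
    trap: str = ""
    code: Optional[int] = None
    pid: Optional[int] = None
    lid: Optional[int] = None
    proc: str = ""
    symbol: str = ""
    offset: int = 0
    insn: str = ""
    frames: List[str] = field(default_factory=list)  # kernel frames, innermost first
    syscall: Optional[int] = None
    fault_vaddr: Optional[int] = None
    fault_access: Optional[int] = None
    fault_errno: Optional[int] = None


def parse_ddb(text: str) -> DdbCrash:
    """Walk the transcript line by line; a `db>` prompt terminates a `bt` listing."""
    crash = DdbCrash()
    in_bt = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_bt:
            m = SYSCALL_RE.match(line)
            if line.startswith("db>"):
                in_bt = False
            elif m:
                crash.syscall = int(m.group("num"))
            elif line.startswith("---") or line.startswith("0x"):
                pass  # other ddb markers and the raw userland return address
            else:
                crash.frames.append(line)
            continue
        if line == "db> bt":
            in_bt = True
            continue
        m = TRAP_RE.match(line)
        if m:
            crash.trap, crash.code = m.group("trap"), int(m.group("code"))
            continue
        m = STOP_RE.match(line)
        if m:
            crash.pid, crash.lid = int(m.group("pid")), int(m.group("lid"))
            crash.proc, crash.symbol = m.group("proc"), m.group("sym")
            crash.offset, crash.insn = int(m.group("off"), 16), m.group("insn")
            continue
        m = UVM_RE.match(line)
        if m:
            crash.fault_vaddr = int(m.group("va"), 0)
            crash.fault_access = int(m.group("at"), 0)
            crash.fault_errno = int(m.group("err"), 0)
    return crash


def frames_matching(crash: DdbCrash, prefix: str) -> List[str]:
    """Kernel frames whose function name starts with `prefix` (e.g. "bridge_")."""
    return [f for f in crash.frames if f.startswith(prefix)]


def looks_like_null_deref(crash: DdbCrash) -> bool:
    """Interpretation: a page fault whose page-aligned fault address is 0 and a read access."""
    return (crash.trap.startswith("page fault") and crash.fault_vaddr == 0
            and crash.fault_access == VM_PROT_READ)


def summarize(crash: DdbCrash) -> str:
    """One-line triage summary of the parsed panic."""
    path = " <- ".join(crash.frames[:6])
    return (f"{crash.trap} in {crash.proc}[{crash.pid}] at {crash.symbol}+0x{crash.offset:x} "
            f"({crash.insn}); kernel path {path}; syscall {crash.syscall}; "
            f"null-deref-like={looks_like_null_deref(crash)}")


if __name__ == "__main__":
    print(summarize(parse_ddb(SAMPLE)))
```

Fed a console log rather than the embedded sample, the same functions give the reporter's key observation (every frame between `rtk_start` and `ether_input` belongs to bridge(4)) without reading the backtrace by hand.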