Date: 27 Oct 2004 16:52:29 -0000
From: Dmitry Miloserdov <dmitry@bis.ru>
To: <FreeBSD-gnats-submit@FreeBSD.org>
Subject: kern/73208: panic by duplicating UDP NFS v2 packets
Message-ID: <20041027165229.94209.qmail@bis.ru>
Resent-Message-ID: <200410271700.i9RH0kV2082326@freefall.freebsd.org>
>Number:         73208
>Category:       kern
>Synopsis:       panic by duplicating UDP NFS v2 packets
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 27 17:00:46 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Dmitry Miloserdov
>Release:        FreeBSD 5.3-RC1 i386
>Organization:
>Environment:
System: FreeBSD dhcp.bis.local 5.3-RC1 FreeBSD 5.3-RC1 #0: Wed Oct 27 15:48:02 MSD 2004 dmitry@dhcp.bis.local:/usr/obj/u/src5/sys/DHCP i386
>Description:
The system crashes when the NFS server receives two identical packets in a short period of time and the command in them must be rejected by access control. In my opinion access control itself is not the reason for the crash - it just helps exploit a race somewhere. // Feel free to ignore my opinion

BTW, sending a duplicate of most control NFS packets is the default behavior of the UnixWare NFS client.

/etc/exports:
/u -alldirs -mapall=www
---
ls -ld /u/db
drwxr-xr-x  2 www  www  3072 25 Oct 21:54 /u/db
---
On the client, trying to create file /u/db/fil (which is allowed), and then the client's creat() syscall trying to change the group of /u/db/fil to the primary group of the client's user (which is denied).

tethereal -td:
  1 0.021505 192.168.1.4 -> 10.1.1.1 NFS V2 LOOKUP Call, DH:0x3273bcaa/db
  2 0.000016 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #1]V2 LOOKUP Call, DH:0x3273bcaa/db
  3 0.010767 192.168.1.4 -> 10.1.1.1 NFS V2 LOOKUP Call, DH:0x9d5440aa/fil
  4 0.000015 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #3]V2 LOOKUP Call, DH:0x9d5440aa/fil
  5 0.011850 192.168.1.4 -> 10.1.1.1 NFS V2 CREATE Call, DH:0x9d5440aa/fil
  6 0.000016 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #5]V2 CREATE Call, DH:0x9d5440aa/fil
  7 0.000534 192.168.1.4 -> 10.1.1.1 NFS V2 SETATTR Call, FH:0x7233c0b2
  8 0.000012 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #7]V2 SETATTR Call, FH:0x7233c0b2
  9 0.863791 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #7]V2 SETATTR Call, FH:0x7233c0b2
---
On the 8th packet the system crashes. The problem is not in the content of the packet but in the packets' frequency, as blocking half of the NFS packets with ipfw allows the system to fulfil the request without panic.
---
kernel trap 12 with interrupts disabled

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x24
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc0511337
stack pointer           = 0x10:0xe4b45b50
frame pointer           = 0x10:0xe4b45b64
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = resume, IOPL = 0
current process         = 86 (swi1: net)
trap number             = 12
panic: page fault
cpuid = 0
boot() called on cpu#0
Uptime: 6m50s
---
(kgdb) bt
#0  doadump () at pcpu.h:159
#1  0xc04f2293 in boot (howto=260) at /u/src5/sys/kern/kern_shutdown.c:397
#2  0xc04f25b9 in panic (fmt=0xc064bd2f "%s") at /u/src5/sys/kern/kern_shutdown.c:553
#3  0xc0629690 in trap_fatal (frame=0xe4b45b10, eva=36) at /u/src5/sys/i386/i386/trap.c:809
#4  0xc0628e4d in trap (frame=
      {tf_fs = -65512, tf_es = -457965552, tf_ds = -1068498928, tf_edi = -1041038560, tf_esi = -1066696864, tf_ebp = -457942172, tf_isp = -457942212, tf_ebx = -1041117680, tf_edx = -1041463000, tf_ecx = -1041462912, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1068428489, tf_cs = 8, tf_eflags = 65683, tf_esp = 40, tf_ss = 0}) at /u/src5/sys/i386/i386/trap.c:247
#5  0xc0617c3a in calltrap () at /u/src5/sys/i386/i386/exception.s:140
#6  0xffff0018 in ?? ()
#7  0xe4b40010 in ?? ()
#8  0xc0500010 in osethostid (td=0xc1f1ce10, uap=0x0) at /u/src5/sys/kern/kern_xxx.c:145
#9  0xc0511af1 in turnstile_wait (ts=0xc1ec8980, lock=0xc06b7f60, owner=0xc1f30320) at /u/src5/sys/kern/subr_turnstile.c:556
#10 0xc04e9899 in _mtx_lock_sleep (m=0xc06b7f60, td=0xc1f1ce10, opts=0, file=0x0, line=0) at /u/src5/sys/kern/kern_mutex.c:560
#11 0xc05b05ae in nfsrv_rcv (so=0xc234b144, arg=0xc22aa280, waitflag=1) at /u/src5/sys/nfsserver/nfs_srvsock.c:443
#12 0xc052ba6d in sowakeup (so=0xc234b144, sb=0xc234b194) at /u/src5/sys/kern/uipc_socket2.c:413
#13 0xc0580e90 in udp_append (last=0xc234b144, ip=0xc27b4810, n=0xc278b300, off=28) at /u/src5/sys/netinet/udp_usrreq.c:509
#14 0xc0580c93 in udp_input (m=0xc278b300, off=20) at /u/src5/sys/netinet/udp_usrreq.c:402
#15 0xc056fd1d in ip_input (m=0xc278b300) at /u/src5/sys/netinet/ip_input.c:739
#16 0xc055c38b in netisr_processqueue (ni=0xc06b03d8) at /u/src5/sys/net/netisr.c:233
#17 0xc055c7b6 in swi_net (dummy=0x0) at /u/src5/sys/net/netisr.c:346
#18 0xc04de181 in ithread_loop (arg=0xc1f34200) at /u/src5/sys/kern/kern_intr.c:547
#19 0xc04dd231 in fork_exit (callout=0xc04de028 <ithread_loop>, arg=0xc1f34200, frame=0xe4b45d48) at /u/src5/sys/kern/kern_fork.c:811
#20 0xc0617c9c in fork_trampoline () at /u/src5/sys/i386/i386/exception.s:209
---
As the GENERIC kernel panics too, the kernel config is skipped.
>How-To-Repeat:
Maybe `ipfw tee natd` can emulate my situation, but I didn't try it myself.
>Fix:
Disable UDP transport on NFS. But the problem seems to be deeper.
>Release-Note:
>Audit-Trail:
>Unformatted:
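As an added illustration, not part of the original report: a small parser for the tethereal -td trace format shown above that rebuilds absolute times from the per-frame deltas and separates immediate client-side duplicates (the pattern the report implicates) from genuine timeout retransmissions. The sample frames are copied from the report's trace; the 1 ms threshold and the function names are assumptions.

```python
import re
from dataclasses import dataclass

# Sample constructed from frames 5-9 of the report's tethereal -td output.
TRACE = """\
5 0.011850 192.168.1.4 -> 10.1.1.1 NFS V2 CREATE Call, DH:0x9d5440aa/fil
6 0.000016 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #5]V2 CREATE Call, DH:0x9d5440aa/fil
7 0.000534 192.168.1.4 -> 10.1.1.1 NFS V2 SETATTR Call, FH:0x7233c0b2
8 0.000012 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #7]V2 SETATTR Call, FH:0x7233c0b2
9 0.863791 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #7]V2 SETATTR Call, FH:0x7233c0b2
"""

LINE_RE = re.compile(r"^(?P<frame>\d+)\s+(?P<delta>[\d.]+)\s+(?P<src>\S+) -> \S+\s+NFS\s+"
                     r"(?:\[RPC retransmission of #(?P<orig>\d+)\])?V2 (?P<call>\w+) Call")

@dataclass
class Rec:
    frame: int
    time: float            # absolute time rebuilt from the -td deltas
    src: str
    call: str
    orig: "int | None"     # frame being retransmitted, or None for an original
    gap: float = 0.0       # seconds since that original frame

def parse_trace(text):
    recs, by_frame, clock = [], {}, 0.0
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        clock += float(m["delta"])          # -td gives delta to previous frame
        orig = int(m["orig"]) if m["orig"] else None
        r = Rec(int(m["frame"]), clock, m["src"], m["call"], orig)
        if orig in by_frame:                # pair the duplicate with its original
            r.gap = clock - by_frame[orig].time
        by_frame[r.frame] = r
        recs.append(r)
    return recs

def find_rapid_retransmissions(recs, max_gap=0.001):
    """Retransmissions within max_gap of the original: duplicates, not timeouts."""
    return [r for r in recs if r.orig is not None and r.gap < max_gap]

def duplicate_ratio(recs, max_gap=0.001):
    """Per client: share of original calls followed by a rapid duplicate."""
    tot, dup = {}, {}
    for r in recs:
        if r.orig is None:
            tot[r.src] = tot.get(r.src, 0) + 1
        elif r.gap < max_gap:
            dup[r.src] = dup.get(r.src, 0) + 1
    return {s: dup.get(s, 0) / n for s, n in tot.items()}
```

A client with a ratio near 1.0 duplicates every call, which matches the UnixWare behaviour the report describes; frame 9, 0.86 s after its original, is a normal timeout retransmission and is not counted.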