Date:      Mon, 21 May 2012 15:06:46 GMT
From:      Hugo Silva <hugo@barafranca.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/168200: pf crashes when receiving packets from an address in a table
Message-ID:  <201205211506.q4LF6kJM013878@red.freebsd.org>
Resent-Message-ID: <201205211510.q4LFA2eU085743@freefall.freebsd.org>

>Number:         168200
>Category:       misc
>Synopsis:       pf crashes when receiving packets from an address in a table
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 21 15:10:02 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Hugo Silva
>Release:        9.0-RELEASE
>Organization:
>Environment:
FreeBSD xxx.ext1.xxx.local 9.0-RELEASE FreeBSD 9.0-RELEASE #1: Wed May  2 11:55:06 UTC 2012     root@xxx.ext1.xxx.local:/usr/obj/usr/src/sys/XXX  amd64

>Description:
pf.conf snippet:

table <blacklist> persist
block in quick on $ext_if inet from <blacklist> 


When connecting from a host that has been added to the table (and only from such a host), the kernel will crash.


Please note that this is an HVM+PV Xen installation, perhaps it only occurs when running virtualized (seems too obvious to have been missed otherwise).
>How-To-Repeat:
# pfctl -Tadd -tblacklist ${your_source_address}
No ALTQ support in kernel
ALTQ related functions disabled
1/1 addresses added.

At this point the machine is still alive:
# echo yay
yay


Now open a TCP connection:
laptop$ telnet ${fbsd_server} 6667
Trying ${fbsd_server}...


Meanwhile, at the hypervisor console.. [xm console ${domain_name}]

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x108
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff8061bd38
stack pointer           = 0x28:0xffffff80002c6510
frame pointer           = 0x28:0xffffff80002c65d0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (irq28: xenpci0)
[ thread pid 12 tid 100025 ]
Stopped at      uma_zalloc_arg+0x88:    movq    0x8(%rbx),%rdx
db> bt
Tracing pid 12 tid 100025 td 0xfffffe0001281000
uma_zalloc_arg() at uma_zalloc_arg+0x88
pfr_update_stats() at pfr_update_stats+0x1c4
pf_test() at pf_test+0x8bf
pf_check_in() at pf_check_in+0x2b
pfil_run_hooks() at pfil_run_hooks+0x9e
ip_input() at ip_input+0x287
netisr_dispatch_src() at netisr_dispatch_src+0x20b
ether_demux() at ether_demux+0x14d
ether_nh_input() at ether_nh_input+0x1f4
netisr_dispatch_src() at netisr_dispatch_src+0x20b
xn_intr() at xn_intr+0x6b8
evtchn_interrupt() at evtchn_interrupt+0x2ed
intr_event_execute_handlers() at intr_event_execute_handlers+0xfb
ithread_loop() at ithread_loop+0xa6
fork_exit() at fork_exit+0x11f
fork_trampoline() at fork_trampoline+0xe
--- trap 0, rip = 0, rsp = 0xffffff80002c6d00, rbp = 0 ---
db> 

>Fix:
Don't use pf tables :)

>Release-Note:
>Audit-Trail:
>Unformatted:


