Date: Sun, 26 Jul 2015 14:15:50 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 201879] panic: boot time panic with a scrub rule on "exclusive sleep mutex pf fragments"...
Message-ID: <bug-201879-17777-MJEw8mfcUq@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-201879-17777@https.bugs.freebsd.org/bugzilla/>
References: <bug-201879-17777@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201879

--- Comment #3 from Jason Unovitch <jason.unovitch@gmail.com> ---
Created attachment 159240
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=159240&action=edit
r285884M panic on routing network traffic (also with extra debug statements in
pf_purge_expired_fragments)

(In reply to Kristof Provost from comment #1)

I also managed to find a second reproduction case as well and this is attached.
For this one I did not start the service on the router like I did in the
previous comment. I had the router up for a couple minutes while I was doing
basic ICMP via ping and TCP and UDP connects via netcat out the WAN interface.
As soon as I opened Firefox to go to a web site the router panicked.

What is interesting here is that pf_purge_expired_fragments() appears to have
completed. My debug statements show the entry to the function, getting the
mutex, purging, and releasing the mutex. This time the "pf fragments" mutex is
mentioned as being on line 1275 vice the 237 from earlier (keep in mind the
couple extra lines of debug printf's).

DEBUG: Entry of pf_purge_expired_fragments()
DEBUG: Trying to PR_FRAG_LOCK()()
DEBUG: Finished PF_FRAG_LOCK()
DEBUG: Start fragment purge()
DEBUG: Finished fragment purge()
DEBUG: Trying to PR_FRAG_UNLOCK()()
DEBUG: Finished PF_FRAG_UNLOCK()
Kernel page fault with the following non-sleepable locks held:
exclusive sleep mutex pf fragments (pf fragments) r = 0 (0xc9fcc458) locked @ /usr/src/head/sys/modules/pf/../../netpfil/pf/pf_norm.c:1275
shared rw pf rulesets (pf rulesets) r = 0 (0xc9fcc090) locked @ /usr/src/head/sys/modules/pf/../../netpfil/pf/pf.c:5732
shared rm PFil shared rmlock (PFil shared rmlock) r = 0 (0xc1a2bd88) locked @ /usr/src/head/sys/net/pfil.c:78
KDB: stack backtrace:
db_trace_self_wrapper(c1538c45,702f6670,3a632e66,32333735,3732000a,...) at db_trace_self_wrapper+0x2a/frame 0xeb63b4a0
kdb_backtrace(c153cfd1,0,c1a2bd88,c154d234,4e,...) at kdb_backtrace+0x2d/frame 0xeb63b508
witness_warn(5,0,c16ffc72,eb63b5c0,c0c6604f,...) at witness_warn+0x40f/frame 0xeb63b558
trap_pfault(deadc0fe,c,246,c199ff58,c719fd00,...) at trap_pfault+0x58/frame 0xeb63b5d0
trap(eb63b71c) at trap+0x6c1/frame 0xeb63b710
calltrap() at calltrap+0x6/frame 0xeb63b710
--- trap 0xc, eip = 0xc9fb9ca3, esp = 0xeb63b75c, ebp = 0xeb63b778 ---
pf_frag_tree_RB_FIND(c9fcc46c,eb63b808,c9fc9c3d,153,cbcb180e,...) at pf_frag_tree_RB_FIND+0x23/frame 0xeb63b778
pf_find_fragment(c9fcc468,0,c9fc9c3d,4fb,c0c655c6,...) at pf_find_fragment+0x3c/frame 0xeb63b798
pf_normalize_ip(eb63b9fc,1,c7ec0a00,eb63b960,eb63b908,...) at pf_normalize_ip+0xa19/frame 0xeb63b878
pf_test(1,c7880400,eb63b9fc,0,c1a2c0b8,...) at pf_test+0x216/frame 0xeb63b9b0
pf_check_in(0,eb63b9fc,c7880400,1,0,...) at pf_check_in+0x29/frame 0xeb63b9d0
pfil_run_hooks(c1a2c0b8,eb63ba7c,c7880400,1,0,...) at pfil_run_hooks+0x9f/frame 0xeb63ba30
ip_input(cbc8a600,c788b058,0,c154a713,cbc8a600,...) at ip_input+0x6e1/frame 0xeb63ba9c
netisr_dispatch_src(1,0,cbc8a600) at netisr_dispatch_src+0xab/frame 0xeb63bae0
netisr_dispatch(1,cbc8a600,0,0,c14dd2c4,cbc8a600) at netisr_dispatch+0x20/frame 0xeb63baf4
ether_demux(c7880400,cbc8a600,6,0,8,...) at ether_demux+0x18d/frame 0xeb63bb20
ether_nh_input(cbc8a600,801,246,eb63bbac,cbdbae00,...) at ether_nh_input+0x377/frame 0xeb63bb4c
netisr_dispatch_src(5,0,cbc8a600) at netisr_dispatch_src+0xab/frame 0xeb63bb90
netisr_dispatch(5,cbc8a600,c786e120,1,c786e100,...) at netisr_dispatch+0x20/frame 0xeb63bba4
ether_input(c7880400,cbc8a600,eb63bc2c,c06f484c,c7880400,...) at ether_input+0x4f/frame 0xeb63bbc0
if_input(c7880400,cbc8a600,c1250d45,123c,c78e0000,...) at if_input+0x19/frame 0xeb63bbd0
em_rxeof(c7880400,c1960310,0,c769f700,c76c4280,...) at em_rxeof+0x3bc/frame 0xeb63bc2c
em_msix_rx(c786e100,c152c9b9,560,5d4afdf8,c76c42c8,...) at em_msix_rx+0x2f/frame 0xeb63bc48
intr_event_execute_handlers(c1960310,c76c4280,c152c9b9,560,c1960300,...) at intr_event_execute_handlers+0xde/frame 0xeb63bc70
ithread_loop(c7643250,eb63bce8,c152c72d,3e6,0,...) at ithread_loop+0x90/frame 0xeb63bcac
fork_exit(c0bd1ff0,c7643250,eb63bce8) at fork_exit+0x7e/frame 0xeb63bcd4
fork_trampoline() at fork_trampoline+0x8/frame 0xeb63bcd4
--- trap 0, eip = 0, esp = 0xeb63bd20, ebp = 0 ---

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0xdeadc0fe
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc9fb9ca3
stack pointer = 0x28:0xeb63b75c
frame pointer = 0x28:0xeb63b778
code segment = base 0x0, limit 0xfffff, type 0x1b
 = DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 12 (irq268: em3:rx0)
[ thread pid 12 tid 100079 ]
Stopped at pf_frag_tree_RB_FIND+0x23: subl 0x20(%edi),%eax
db>

-- 
You are receiving this mail because:
You are the assignee for the bug.
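
A triage check for the panic output above, as an added example that is not part of the original message or of FreeBSD: it lists the non-sleepable locks held and tests whether the fault address sits a small offset above 0xdeadc0de, the pattern FreeBSD's UMA debug code writes into freed items on INVARIANTS kernels. The function name `triage`, the `max_offset` threshold and the choice of excerpt lines are assumptions of this example.

```python
import re

# Pattern FreeBSD's UMA debug code (INVARIANTS kernels) writes into freed
# items. General FreeBSD knowledge, not a value taken from the bug report.
UMA_JUNK = 0xDEADC0DE

# Lines copied from the panic output in the message above.
PANIC = """\
exclusive sleep mutex pf fragments (pf fragments) r = 0 (0xc9fcc458) locked @ /usr/src/head/sys/modules/pf/../../netpfil/pf/pf_norm.c:1275
shared rw pf rulesets (pf rulesets) r = 0 (0xc9fcc090) locked @ /usr/src/head/sys/modules/pf/../../netpfil/pf/pf.c:5732
fault virtual address = 0xdeadc0fe
fault code = supervisor read, page not present
Stopped at pf_frag_tree_RB_FIND+0x23: subl 0x20(%edi),%eax
"""

LOCK_RE = re.compile(r"\((.+?)\) r = \d+ \(0x[0-9a-f]+\) locked @ (\S+):(\d+)")
FAULT_RE = re.compile(r"fault virtual address\s*=\s*(0x[0-9a-f]+)")
INSN_RE = re.compile(r"Stopped at\s+(\S+?):\s+\w+\s+(0x[0-9a-f]+)\((%\w+)\)")


def triage(text, max_offset=0x1000):
    """Return held locks and whether the fault looks like a read of freed memory."""
    locks = [(name, path.rsplit("/", 1)[-1], int(line))
             for name, path, line in LOCK_RE.findall(text)]
    fault = FAULT_RE.search(text)
    if fault is None:
        raise ValueError("no 'fault virtual address' line found")
    addr = int(fault.group(1), 16)
    result = {"locks": locks, "fault_addr": addr,
              "junk_offset": None, "site": None, "base": None}
    # A fault a small positive offset above the junk word means a field was
    # read through a pointer whose value is the junk pattern itself.
    if 0 <= addr - UMA_JUNK < max_offset:
        result["junk_offset"] = addr - UMA_JUNK
    insn = INSN_RE.search(text)
    if insn:
        # disp(%reg) operand: reg held (fault address - displacement).
        site, disp, reg = insn.groups()
        result["site"] = site
        result["base"] = (reg, addr - int(disp, 16))
    return result


if __name__ == "__main__":
    r = triage(PANIC)
    print(r["locks"])
    print("junk offset:", r["junk_offset"], "base:", r["base"][0], hex(r["base"][1]))
```

A non-None `junk_offset` together with a base register equal to the junk word is the signature to look for when deciding whether a tree lookup followed a pointer into an already freed entry.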