Date: Sun, 18 Apr 1999 05:41:59 -0700 (PDT)
From: atamaniuk@nacamar.de
To: freebsd-gnats-submit@freebsd.org
Subject: kern/11199: 3.1-RELEASE kernel page fault (trap 12) using IPDIVERT natd due ping route record packet
Message-ID: <19990418124159.E6CC015363@hub.freebsd.org>
>Number:         11199
>Category:       kern
>Synopsis:       3.1-RELEASE kernel page fault (trap 12) using IPDIVERT natd due ping route record packet
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 18 05:40:00 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator:     Patrick Atamaniuk
>Release:        3.1-RELEASE
>Organization:
>Environment:
FreeBSD argl.atabersk.de 3.1-RELEASE FreeBSD 3.1-RELEASE #0: Sun Apr 18 09:21:08 GMT 1999 root@argl.atabersk.de:/usr/src/sys/compile/ARGL_db i386
>Description:
FreeBSD 3.1-RELEASE panics with trap 12 page fault when running with IPDIVERT and natd.
Triggered by outgoing ping with record route option set.
Panics on incoming ping with record route set, too, though a higher number of incoming packets/restarted pings may be required.

See: http://www.nacamar.de/~patrick/ for complete kgdb sessions/kernel cfg

brief kgdb output for crash on outgoing ping:

IdlePTD 2871296
initial pcb at 255fec
panicstr: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x1f1e1d3e
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xf018a512
stack pointer           = 0x10:0xf654fddc
frame pointer           = 0x10:0xf654fde4
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 336 (ping)
interrupt mask          =
trap number             = 12
panic: page fault

#0  boot (howto=256) at ../../kern/kern_shutdown.c:285
285             dumppcb.pcb_cr3 = rcr3();
(kgdb) where
#0  boot (howto=256) at ../../kern/kern_shutdown.c:285
#1  0xf01488f4 in at_shutdown (function=0xf0238097 <__set_sysinit_set_sym_memdev_sys_init+1115>, arg=0xf64d5ec0, queue=-162202208) at ../../kern/kern_shutdown.c:446
#2  0xf02087c9 in trap_fatal (frame=0xf654fda0, eva=522067262) at ../../i386/i386/trap.c:942
#3  0xf02084a7 in trap_pfault (frame=0xf654fda0, usermode=0, eva=522067262) at ../../i386/i386/trap.c:835
#4  0xf020814a in trap (frame={tf_es = 16, tf_ds = -256835568, tf_edi = -260735744, tf_esi = -260685440, tf_ebp = -162202140, tf_isp = -162202168, tf_ebx = 0, tf_edx = 522067228, tf_ecx = 0, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -266820334, tf_cs = 8, tf_eflags = 66050, tf_esp = -162926800, tf_ss = 0}) at ../../i386/i386/trap.c:437
#5  0xf018a512 in div_input (m=0xf0764180, hlen=0) at ../../netinet/ip_divert.c:220
#6  0xf018eeab in ip_output (m0=0xf0764100, opt=0xf0754b00, ro=0xf649ef2c, flags=32, imo=0x0) at ../../netinet/ip_output.c:478
#7  0xf0190794 in rip_output (m=0xf0764100, so=0xf6357320, dst=2190032835) at ../../netinet/raw_ip.c:224
#8  0xf0190c13 in rip_send (so=0xf6357320, flags=0, m=0xf0764100, nam=0xf0b15450, control=0x0, p=0xf64d5ec0) at ../../netinet/raw_ip.c:563
#9  0xf016043e in sosend (so=0xf6357320, addr=0xf0b15450, uio=0xf654fef4, top=0xf0764100, control=0x0, flags=0, p=0xf64d5ec0) at ../../kern/uipc_socket.c:522
#10 0xf0162c39 in sendit (p=0xf64d5ec0, s=3, mp=0xf654ff34, flags=0) at ../../kern/uipc_syscalls.c:513
#11 0xf0162d19 in sendto (p=0xf64d5ec0, uap=0xf654ff84) at ../../kern/uipc_syscalls.c:563
#12 0xf0208a0b in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 124, tf_esi = 134687264, tf_ebp = -272639792, tf_isp = -162201644, tf_ebx = 64, tf_edx = 61302, tf_ecx = 0, tf_eax = 133, tf_trapno = 7, tf_err = 2, tf_eip = 134522868, tf_cs = 31, tf_eflags = 514, tf_esp = -272639844, tf_ss = 39}) at ../../i386/i386/trap.c:1100
#13 0xf01fcabc in Xint0x80_syscall ()
#14 0x8048e64 in ?? ()
#15 0x80480e9 in ?? ()
>How-To-Repeat:
natd version: (3.1 source distribution)
 * $Id: natd.c,v 1.8 1997/12/27 19:31:11 alex Exp $

ipfw -f flush
ipfw add 1 divert 32000 ip from any to any via de0
ipfw add 2 allow ip from any to any

// start natd using natd.test in /usr/src/usr.sbin/natd/samples
# ps
  PID  TT  STAT      TIME COMMAND
  325  v0  IN     0:00.01 /usr/sbin/natd -port 32000 -interface de0 -verbose

# ping -R 192.168.0.130
          ^^^^^^^^^^^^^^ use some host nearby (same hub in this case)

-> panic at about 2nd sent packet
   or panic at incoming packet (after several retries)
>Fix:
workaround: use ipfw first rules to block RR packets

# ipfw add 1 deny log ip from any to any ipoptions rr

then insert divert rule with higher chain numbers
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
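The backtrace above shows div_input entered with hlen=0 while the packet being diverted carried a record-route option (ping -R), and the reporter's workaround is to drop RR packets before they reach the divert rule. The following is an added example, not code from ip_divert.c, from natd, or from the report: a user-space IPv4 header and option walker that applies the bounds checks any code touching the option area of a diverted packet has to make before it dereferences anything (IHL against the buffer, each option's length against IHL, the RR pointer against the option). make_rr_ping builds a header shaped like the one ping -R sends, with constructed addresses and a stub ICMP payload, so the walker can be exercised offline. The function names and the result struct are hypothetical helpers for the example; this code says nothing about the actual root cause of the panic.

```c
/* Defensive IPv4 header + option walker (added example, hypothetical helpers). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPOPT_EOL 0
#define IPOPT_NOP 1
#define IPOPT_RR  7

struct ip_opt_result {
    int ok;          /* 1 when the header and every option are well formed */
    int has_rr;      /* 1 when a record-route option was present */
    int rr_slots;    /* address slots in the RR option (ping -R uses 9) */
    int rr_filled;   /* slots already consumed according to the RR pointer */
    const char *err; /* reason when ok == 0, otherwise NULL */
};

static struct ip_opt_result fail(const char *why)
{
    struct ip_opt_result r = {0, 0, 0, 0, why};
    return r;
}

/* Validate the fixed header, then walk the option area [20, hlen). */
struct ip_opt_result ip_walk_options(const uint8_t *pkt, size_t len)
{
    struct ip_opt_result r = {1, 0, 0, 0, NULL};
    size_t hlen, off;

    if (len < 20)               return fail("shorter than a minimal IPv4 header");
    if ((pkt[0] >> 4) != 4)     return fail("not IPv4");
    hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20)              return fail("IHL below 5");
    if (hlen > len)             return fail("IHL points past the end of the packet");
    if ((((size_t)pkt[2] << 8) | pkt[3]) < hlen)
        return fail("total length smaller than header length");

    for (off = 20; off < hlen; ) {
        uint8_t type = pkt[off];
        size_t optlen;

        if (type == IPOPT_EOL) break;
        if (type == IPOPT_NOP) { off++; continue; }
        if (off + 1 >= hlen)    return fail("option type without length byte");
        optlen = pkt[off + 1];
        if (optlen < 2)         return fail("option length below 2");
        if (off + optlen > hlen) return fail("option runs past the header");

        if (type == IPOPT_RR) {
            uint8_t ptr;
            if (optlen < 3)     return fail("RR option too short for a pointer");
            ptr = pkt[off + 2];
            if ((optlen - 3) % 4) return fail("RR data not a multiple of 4");
            /* ptr is a 1-based offset into the option: 4 means "first slot
             * free", optlen + 1 means "all slots used". */
            if (ptr < 4 || ptr > optlen + 1 || (ptr - 4) % 4)
                return fail("RR pointer out of range");
            r.has_rr = 1;
            r.rr_slots = (int)((optlen - 3) / 4);
            r.rr_filled = (int)((ptr - 4) / 4);
        }
        off += optlen;
    }
    return r;
}

/* Build a header like the one ping -R emits: an RR option with `slots` empty
 * address slots, EOL padding to a 4-byte boundary, then an 8-byte ICMP echo
 * request stub. Returns the packet length, or 0 if it does not fit.
 * Addresses and payload are constructed sample data. */
size_t make_rr_ping(uint8_t *buf, size_t bufsz, int slots)
{
    size_t optlen = 3 + 4 * (size_t)slots;
    size_t hlen = 20 + ((optlen + 3) & ~(size_t)3);
    size_t total = hlen + 8;

    if (slots < 1 || slots > 9 || total > bufsz) return 0;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | (hlen / 4));   /* version 4, IHL in 32-bit words */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)(total & 0xff);
    buf[8] = 64;                              /* TTL */
    buf[9] = 1;                               /* protocol: ICMP */
    memcpy(buf + 12, "\xc0\xa8\x00\x01", 4);  /* src 192.168.0.1 (constructed) */
    memcpy(buf + 16, "\xc0\xa8\x00\x82", 4);  /* dst 192.168.0.130 as in the report */
    buf[20] = IPOPT_RR;
    buf[21] = (uint8_t)optlen;
    buf[22] = 4;                              /* pointer: first slot is free */
    buf[hlen] = 8;                            /* ICMP type: echo request */
    return total;
}

int main(void)
{
    uint8_t pkt[128];
    size_t n = make_rr_ping(pkt, sizeof pkt, 9);
    struct ip_opt_result r = ip_walk_options(pkt, n);

    printf("ping -R header: ok=%d rr=%d slots=%d filled=%d\n",
           r.ok, r.has_rr, r.rr_slots, r.rr_filled);
    pkt[21] = 0xff;                           /* corrupt the RR length */
    r = ip_walk_options(pkt, n);
    printf("corrupted RR length: ok=%d (%s)\n", r.ok, r.err ? r.err : "-");
    return 0;
}
```

Every rejection happens before the byte it would have read is touched, which is the property a divert or NAT path needs when it is handed a packet with options: the IHL decides how far the option walk goes, so an IHL of 0 or one larger than the mbuf would otherwise turn the option walk into an out-of-bounds read.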