From: "G. Paul Ziemba"
To: freebsd-arm@freebsd.org
Subject: Re: RPI2 12.0-CURRENT r305028 bootup crash in pf
Date: Fri, 16 Sep 2016 19:16:24 +0000 (UTC)
Reply-to: unp@ziemba.us
List-Id: "Porting FreeBSD to ARM processors."

> Stopped at pf_purge_expired_fragments+0x44: ldr r0, [r0, #0x004]

It looks as if this is a null pointer dereference in TAILQ_LAST.

1. The console message indicates a stop at pf_purge_expired_fragments+0x44,
   which is 0x24848 + 0x44 = 0x2488c.

2. The various LDRs at 24884 - 24890 are the dereferences in the TAILQ_LAST
   macro (definition included below).

3. 24894 is the NULL test called out in the C code at line 225, but it's too
   late by then.

So, maybe pf_purge_expired_fragments() is called before V_pf_fragqueue is
initialized?

I am not familiar enough with the pf code to know how this should be fixed,
but I'll have a look around and try to make some guess.

---- from objdump output start ----
00024848 <pf_purge_expired_fragments>:
pf_purge_expired_fragments():
/v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:219
	return (0);
}

void
pf_purge_expired_fragments(void)
{
	struct pf_fragment	*frag;
	u_int32_t		 expire = time_uptime -
   24864:	e5904000 	ldr	r4, [r0]
   24868:	e5900004 	ldr	r0, [r0, #4]
/v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:222
	    V_pf_default_rule.timeout[PFTM_FRAG];
   2486c:	e59f00ac 	ldr	r0, [pc, #172]	; 24920
   24870:	e59072a4 	ldr	r7, [r0, #676]
/v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:224
	PF_FRAG_LOCK();
   24874:	e59f00a8 	ldr	r0, [pc, #168]	; 24924
   24878:	e2800010 	add	r0, r0, #16	; 0x10
   2487c:	e58d0000 	str	r0, [sp]
   24880:	ebff810d 	bl	4cbc
/v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:225
	while ((frag = TAILQ_LAST(&V_pf_fragqueue, pf_fragqueue)) != NULL) {
   24884:	e59f60a0 	ldr	r6, [pc, #160]	; 2492c
   24888:	e5960004 	ldr	r0, [r6, #4]
   2488c:	e5900004 	ldr	r0, [r0, #4]
   24890:	e5905000 	ldr	r5, [r0]
   24894:	e3550000 	cmp	r5, #0	; 0x0
   24898:	0a000018 	beq	24900
/v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:221
---- from objdump output end ----

---- from sys/queue.h start ----
#define	TAILQ_LAST(head, headname)					\
	(*(((struct headname *)((head)->tqh_last))->tqh_last))
---- from sys/queue.h end ----
-- 
G. Paul Ziemba
FreeBSD unix:
12:16PM  up 26 days, 14:55, 12 users, load averages: 1.51, 1.98, 1.86
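The pointer chain the mail reads out of the disassembly, reproduced in user space as an added example (this is not code from the post, from pf, or from sys/queue.h itself). The TAILQ macros are copied in shape from FreeBSD's sys/queue.h so it builds without the header; `struct frag`, its `frag_next` link field and `struct fragqueue` are stand-ins for pf's `struct pf_fragment` and `V_pf_fragqueue` and are assumptions. `checked_tailq_last()` performs the same three loads as the `ldr` instructions at 24888, 2488c and 24890, but refuses to take the second load when `tqh_last` is NULL, which is the state of a head that has never been through `TAILQ_INIT` (zero-filled storage). An initialized but empty head, by contrast, has `tqh_last` pointing back at its own `tqh_first`, so `TAILQ_LAST` safely yields NULL and the `cmp r5, #0` test is reached.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * TAILQ macros copied in shape from FreeBSD's sys/queue.h so the example
 * builds on any C compiler.  Added example, not code from the mail or pf.
 */
#define TAILQ_HEAD(name, type) \
	struct name { struct type *tqh_first; struct type **tqh_last; }
#define TAILQ_ENTRY(type) \
	struct { struct type *tqe_next; struct type **tqe_prev; }
#define TAILQ_INIT(head) do {						\
	(head)->tqh_first = NULL;					\
	(head)->tqh_last = &(head)->tqh_first;				\
} while (0)
#define TAILQ_INSERT_TAIL(head, elm, field) do {			\
	(elm)->field.tqe_next = NULL;					\
	(elm)->field.tqe_prev = (head)->tqh_last;			\
	*(head)->tqh_last = (elm);					\
	(head)->tqh_last = &(elm)->field.tqe_next;			\
} while (0)
#define TAILQ_LAST(head, headname) \
	(*(((struct headname *)((head)->tqh_last))->tqh_last))

/* Stand-in for struct pf_fragment; name and link field are assumptions. */
struct frag {
	int id;
	TAILQ_ENTRY(frag) frag_next;
};
TAILQ_HEAD(fragqueue, frag);		/* stand-in for pf_fragqueue */

/*
 * Same loads as TAILQ_LAST (ldr r0,[r6,#4]; ldr r0,[r0,#4]; ldr r5,[r0])
 * but stop before faulting.  Returns -1 when head->tqh_last is NULL, i.e.
 * the head was never TAILQ_INIT'd; 0 otherwise with *out set to the last
 * element, or NULL for an initialized empty queue.
 */
int
checked_tailq_last(struct fragqueue *head, struct frag **out)
{
	struct fragqueue *fake_head;

	*out = NULL;
	if (head->tqh_last == NULL)
		return (-1);		/* second ldr would fault here */
	fake_head = (struct fragqueue *)head->tqh_last;
	*out = *fake_head->tqh_last;	/* third ldr */
	return (0);
}

/* Zero-filled head, as static storage is before any TAILQ_INIT runs. */
int
zeroed_head_is_unsafe(void)
{
	struct fragqueue q;
	struct frag *last;

	memset(&q, 0, sizeof(q));
	return (checked_tailq_last(&q, &last) == -1);
}

/* Initialized but empty head: TAILQ_LAST yields NULL without faulting. */
int
initialized_empty_gives_null(void)
{
	struct fragqueue q;
	struct frag *last;

	TAILQ_INIT(&q);
	if (checked_tailq_last(&q, &last) != 0)
		return (0);
	return (last == NULL && TAILQ_LAST(&q, fragqueue) == NULL);
}

/* Two elements appended: TAILQ_LAST yields the id of the most recent one. */
int
last_of_two(void)
{
	struct fragqueue q;
	struct frag a = { .id = 1 }, b = { .id = 2 };
	struct frag *last;

	TAILQ_INIT(&q);
	TAILQ_INSERT_TAIL(&q, &a, frag_next);
	TAILQ_INSERT_TAIL(&q, &b, frag_next);
	if (checked_tailq_last(&q, &last) != 0 || last != &b)
		return (-1);
	return (TAILQ_LAST(&q, fragqueue)->id);
}

int
main(void)
{
	printf("zeroed head unsafe: %d\n", zeroed_head_is_unsafe());
	printf("initialized empty -> NULL: %d\n", initialized_empty_gives_null());
	printf("last of two: id %d\n", last_of_two());
	return (0);
}
```

The point for the crash analysis is that the NULL check in `while (... != NULL)` tests the result of TAILQ_LAST, not the head's own `tqh_last`; a head whose initializer has not yet run is indistinguishable from a corrupt one at that point, so the fix belongs in ordering the initialization, not in adding a check inside the loop condition.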