Date:      Mon, 29 Aug 2016 12:21:09 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-pf@FreeBSD.org
Subject:   [Bug 185633] [pf] scrubbing bug in transparent mode bug with bigger than MTU UDP packet
Message-ID:  <bug-185633-17777-6SEla016L3@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-185633-17777@https.bugs.freebsd.org/bugzilla/>
References:  <bug-185633-17777@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185633

--- Comment #6 from Olivier Cochard <olivier@freebsd.org> ---
I've generated a core dump and started kgdb on it:

There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x1c
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff8221c218
stack pointer           = 0x28:0xfffffe000dff36c0
frame pointer           = 0x28:0xfffffe000dff3730
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 11 (irq267: virtio_pci1)
trap number             = 12
panic: page fault
cpuid = 0
KDB: stack backtrace:
#0 0xffffffff809590b7 at kdb_backtrace+0x67
#1 0xffffffff80911f32 at vpanic+0x182
#2 0xffffffff80911da3 at panic+0x43
#3 0xffffffff80d36c11 at trap_fatal+0x351
#4 0xffffffff80d36e03 at trap_pfault+0x1e3
#5 0xffffffff80d3638c at trap+0x26c
#6 0xffffffff80d19e71 at calltrap+0x8
#7 0xffffffff8221dd74 at bridge_forward+0x304
#8 0xffffffff8221d0ce at bridge_input+0x5de
#9 0xffffffff80a1a290 at ether_nh_input+0x2a0
#10 0xffffffff80a30c05 at netisr_dispatch_src+0xa5
#11 0xffffffff80a19936 at ether_input+0x26
#12 0xffffffff807f0c6c at vtnet_rxq_eof+0x84c
#13 0xffffffff807f1be3 at vtnet_rx_vq_intr+0x93
#14 0xffffffff808d68ef at intr_event_execute_handlers+0x20f
#15 0xffffffff808d6b56 at ithread_loop+0xc6
#16 0xffffffff808d3535 at fork_exit+0x85
#17 0xffffffff80d1a3ae at fork_trampoline+0xe
Uptime: 2m55s
Dumping 113 out of 224 MB:..15%..29%..43%..57%..71%..85%..99%

Reading symbols from /data/debug/boot/kernel/if_bridge.ko.debug...done.
Loaded symbols for /data/debug/boot/kernel/if_bridge.ko.debug
Reading symbols from /boot/kernel/bridgestp.ko...done.
Loaded symbols for /boot/kernel/bridgestp.ko
Reading symbols from /boot/kernel/pf.ko...done.
Loaded symbols for /boot/kernel/pf.ko
#0  doadump (textdump=<value optimized out>) at pcpu.h:221
221     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump (textdump=<value optimized out>) at pcpu.h:221
#1  0xffffffff809119b9 in kern_reboot (howto=260)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_shutdown.c:366
#2  0xffffffff80911f6b in vpanic (fmt=<value optimized out>,
    ap=<value optimized out>)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_shutdown.c:759
#3  0xffffffff80911da3 in panic (fmt=0x0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_shutdown.c:690
#4  0xffffffff80d36c11 in trap_fatal (frame=0xfffffe000dff3610, eva=28)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/trap.c:841
#5  0xffffffff80d36e03 in trap_pfault (frame=0xfffffe000dff3610, usermode=0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/trap.c:691
#6  0xffffffff80d3638c in trap (frame=0xfffffe000dff3610)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/trap.c:442
#7  0xffffffff80d19e71 in calltrap ()
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/exception.S:236
#8  0xffffffff8221c218 in bridge_pfil (mp=<value optimized out>,
    bifp=<value optimized out>, ifp=0xfffff8000329f000,
    dir=<value optimized out>)
    at
/usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:3511
#9  0xffffffff8221dd74 in bridge_forward (sc=<value optimized out>,
    sbif=<value optimized out>, m=0x0)
    at
/usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:2265
#10 0xffffffff8221d0ce in bridge_input (ifp=<value optimized out>,
    m=<value optimized out>)
    at
/usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:2475
#11 0xffffffff80a1a290 in ether_nh_input (m=<value optimized out>)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/net/if_ethersubr.c:602
#12 0xffffffff80a30c05 in netisr_dispatch_src (proto=5,
    source=<value optimized out>, m=0x0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/net/netisr.c:1120
#13 0xffffffff80a19936 in ether_input (ifp=<value optimized out>, m=0x0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/net/if_ethersubr.c:757
#14 0xffffffff807f0c6c in vtnet_rxq_eof (rxq=<value optimized out>)
    at
/usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/dev/virtio/network/if_vtnet.c:1745
#15 0xffffffff807f1be3 in vtnet_rx_vq_intr (xrxq=0xfffff800032b8c00)
    at
/usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/dev/virtio/network/if_vtnet.c:1876
#16 0xffffffff808d68ef in intr_event_execute_handlers (
    p=<value optimized out>, ie=<value optimized out>)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_intr.c:1262
#17 0xffffffff808d6b56 in ithread_loop (arg=<value optimized out>)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_intr.c:1275
#18 0xffffffff808d3535 in fork_exit (
    callout=0xffffffff808d6a90 <ithread_loop>, arg=0xfffff800032b2f80,
    frame=0xfffffe000dff3ac0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_fork.c:1038
#19 0xffffffff80d1a3ae in fork_trampoline ()
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/exception.S:611
#20 0x0000000000000000 in ?? ()
Current language:  auto; currently minimal

=> Displaying code at instruction pointer creating the problem:

(kgdb) list *0xffffffff8221c218
0xffffffff8221c218 is in bridge_pfil
(/usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:3511).
3506    /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c: No such file or directory.
        in /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c

(kgdb) frame 8
#8  0xffffffff8221c218 in bridge_pfil (mp=<value optimized out>,
    bifp=<value optimized out>, ifp=0xfffff8000329f000,
    dir=<value optimized out>)
    at
/usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:3511
3511    in
/usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c


===== I didn't have the source code (just debug symbols) on this machine, so looking in if_bridge.c at line 3511: it's the bridge_fragment() function (called by bridge_pfil):

3481 static int
3482 bridge_fragment(struct ifnet *ifp, struct mbuf *m, struct ether_header *eh,
3483     int snap, struct llc *llc)
3484 {
3485     struct mbuf *m0;
3486     struct ip *ip;
3487     int error = -1;
3488
3489     if (m->m_len < sizeof(struct ip) &&
3490         (m = m_pullup(m, sizeof(struct ip))) == NULL)
3491         goto out;
3492     ip = mtod(m, struct ip *);
3493
3494     m->m_pkthdr.csum_flags |= CSUM_IP;
3495     error = ip_fragment(ip, &m, ifp->if_mtu, ifp->if_hwassist);
3496     if (error)
3497         goto out;
3498
3499     /* walk the chain and re-add the Ethernet header */
3500     for (m0 = m; m0; m0 = m0->m_nextpkt) {
3501         if (error == 0) {
3502             if (snap) {
3503                 M_PREPEND(m0, sizeof(struct llc), M_NOWAIT);
3504                 if (m0 == NULL) {
3505                     error = ENOBUFS;
3506                     continue;
3507                 }
3508                 bcopy(llc, mtod(m0, caddr_t),
3509                     sizeof(struct llc));
3510             }
3511             M_PREPEND(m0, ETHER_HDR_LEN, M_NOWAIT);
3512             if (m0 == NULL) {
3513                 error = ENOBUFS;
3514                 continue;
3515             }
3516             bcopy(eh, mtod(m0, caddr_t), ETHER_HDR_LEN);
3517         } else
3518             m_freem(m);
3519     }
3520
3521     if (error == 0)
3522         KMOD_IPSTAT_INC(ips_fragmented);
3523
3524     return (error);
3525
3526 out:
3527     if (m != NULL)
3528         m_freem(m);
3529     return (error);
3530 }


=> The line that creates the problem should be:
M_PREPEND(m0, ETHER_HDR_LEN, M_NOWAIT);

Right?

But how do I display the m0 variable? It seems I can only see the "ifp" variable:

(kgdb) p *ifp
$3 = {if_link = {tqe_next = 0xfffff80003385800,
    tqe_prev = 0xfffff8000329f800}, if_clones = {le_next = 0x0,
    le_prev = 0x0}, if_groups = {tqh_first = 0xfffff800032b2420,
    tqh_last = 0xfffff800032b2428}, if_alloctype = 6 '\006',
  if_softc = 0xfffff800031e7000, if_llsoftc = 0x0, if_l2com = 0x0,
  if_dname = 0xfffff80003176a58 "vtnet", if_dunit = 1, if_index = 2,
  if_index_reserved = 0, if_xname = 0xfffff8000329f060 "vtnet1",
  if_description = 0x0, if_flags = 35075, if_drv_flags = 64,
  if_capabilities = 1572904, if_capenable = 524328, if_linkmib = 0x0,
  if_linkmiblen = 0, if_refcount = 1, if_type = 6 '\006',
  if_addrlen = 6 '\006', if_hdrlen = 18 '\022', if_link_state = 2 '\002',
  if_mtu = 1500, if_metric = 0, if_baudrate = 10000000000, if_hwassist = 0,
  if_epoch = 1, if_lastchange = {tv_sec = 1472470495, tv_usec = 912458},
  if_snd = {ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0, ifq_maxlen = 10240,
    ifq_mtx = {lock_object = {lo_name = 0xfffff8000329f060 "vtnet1",
        lo_flags = 16973824, lo_data = 0, lo_witness = 0x0}, mtx_lock = 4},
    ifq_drv_head = 0x0, ifq_drv_tail = 0x0, ifq_drv_len = 0,
    ifq_drv_maxlen = 0, altq_type = 0, altq_flags = 0, altq_disc = 0x0,
    altq_ifp = 0xfffff8000329f000, altq_enqueue = 0, altq_dequeue = 0,
    altq_request = 0, altq_clfier = 0x0, altq_classify = 0, altq_tbr = 0x0,
    altq_cdnr = 0x0}, if_linktask = {ta_link = {stqe_next = 0x0},
    ta_pending = 0, ta_priority = 0,
    ta_func = 0xffffffff80a0d610 <do_link_state_change>,
    ta_context = 0xfffff8000329f000}, if_addr_lock = {lock_object = {
      lo_name = 0xffffffff81232f6f "if_addr_lock", lo_flags = 86179840,
      lo_data = 0, lo_witness = 0x0}, rw_lock = 1}, if_addrhead = {
    tqh_first = 0xfffff800032b7900, tqh_last = 0xfffff8000368c028},
  if_multiaddrs = {tqh_first = 0xfffff800033c6b80,
    tqh_last = 0xfffff800033c6e80}, if_amcount = 0,
  if_addr = 0xfffff800032b7900,
  if_broadcastaddr = 0xffffffff81233490 "▒▒▒▒▒▒", if_afdata_lock = {
    lock_object = {lo_name = 0xffffffff81232f7c "if_afdata",
      lo_flags = 86179840, lo_data = 0, lo_witness = 0x0}, rw_lock = 1},
  if_afdata = 0xfffff8000329f208, if_afdata_initialized = 2, if_fib = 0,
  if_vnet = 0x0, if_home_vnet = 0x0, if_vlantrunk = 0x0,
  if_bpf = 0xfffff800032c6a80, if_pcount = 1, if_bridge = 0xfffff8000368de00,
  if_lagg = 0x0, if_pf_kif = 0xfffff8000341fd00, if_carp = 0x0,
  if_label = 0x0, if_netmap = 0xfffff800032f7400,
  if_output = 0xffffffff80a18d60 <ether_output>,
  if_input = 0xffffffff80a19910 <ether_input>, if_start = 0,
  if_ioctl = 0xffffffff807f20e0 <vtnet_ioctl>,
  if_init = 0xffffffff807f1f90 <vtnet_init>,
  if_resolvemulti = 0xffffffff80a19950 <ether_resolvemulti>,
  if_qflush = 0xffffffff807f2900 <vtnet_qflush>,
  if_transmit = 0xffffffff807f27f0 <vtnet_txq_mq_start>, if_reassign = 0,
  if_get_counter = 0xffffffff807f2780 <vtnet_get_counter>,
  if_requestencap = 0xffffffff80a19a70 <ether_requestencap>,
  if_counters = 0xfffff8000329f410, if_hw_tsomax = 65518,
  if_hw_tsomaxsegcount = 35, if_hw_tsomaxsegsize = 2048,
  if_pspare = 0xfffff8000329f480, if_ispare = 0xfffff8000329f4a0}
(kgdb)

Regards,

-- 
You are receiving this mail because:
You are the assignee for the bug.
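Editor's note on the loop quoted above from bridge_fragment(): a hazard is visible in the listing itself, independent of the dump. When M_PREPEND() cannot get the leading space it frees the mbuf and leaves m0 set to NULL, and the `continue` on the next line then runs the loop's increment expression, `m0 = m0->m_nextpkt`, on that NULL pointer. Whether that is the path taken in this particular crash the dump does not establish. The following userland model, added here and not code from FreeBSD or from this bug report, replays the chain walk with a minimal stand-in for struct mbuf and a simulated M_PREPEND that can be made to fail on demand. It shows the hardened shape (read the next pointer before the prepend, release the rest of the chain exactly once on failure, report ENOBUFS) and checks that no mbuf leaks. The struct fields, the allocator budget counter and the Ethernet header bytes are constructed for the example.

```c
/* Userland model of the "walk the chain and re-add the Ethernet header"
 * loop in bridge_fragment(). Constructed example: struct mbuf, the
 * allocator and the budget counter are stand-ins, not FreeBSD code. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETHER_HDR_LEN 14
#define MODEL_BUFSZ   64

struct mbuf {                     /* only the fields the loop touches */
	struct mbuf *m_nextpkt;          /* next packet (fragment) in the chain */
	char        *m_data;             /* start of valid data inside m_buf */
	int          m_len;              /* bytes of valid data */
	char         m_buf[MODEL_BUFSZ]; /* payload sits at the tail, leaving room to prepend */
};

int live_mbufs;     /* allocations outstanding; 0 after a scenario means no leak */
int prepend_budget; /* simulated allocator: -1 never fails, n fails on the (n+1)th prepend */

static struct mbuf *m_get_model(int len)
{
	struct mbuf *m = calloc(1, sizeof(*m));
	if (m == NULL)
		abort();
	m->m_data = m->m_buf + MODEL_BUFSZ - len;
	m->m_len = len;
	memset(m->m_data, 'p', len);      /* constructed payload */
	live_mbufs++;
	return m;
}

static void m_freem_model(struct mbuf *m) { free(m); live_mbufs--; }

static void m_freem_chain(struct mbuf *m)
{
	while (m != NULL) {
		struct mbuf *next = m->m_nextpkt;
		m_freem_model(m);
		m = next;
	}
}

/* Model of M_PREPEND(m, plen, M_NOWAIT): returns m with plen new leading
 * bytes, or frees m and returns NULL, the case the quoted loop tests with
 * "if (m0 == NULL)". */
static struct mbuf *m_prepend_model(struct mbuf *m, int plen)
{
	if (prepend_budget == 0 || m->m_data - m->m_buf < plen) {
		m_freem_model(m);
		return NULL;
	}
	if (prepend_budget > 0)
		prepend_budget--;
	m->m_data -= plen;
	m->m_len += plen;
	return m;
}

/* Hardened walk: next is read before the prepend so a NULL m0 is never
 * dereferenced; on failure the packets already done and the packets not
 * yet reached are each released once and *chainp is cleared. */
static int add_ether_headers(struct mbuf **chainp, const char *eh)
{
	struct mbuf *m0, *next, *prev = NULL;
	for (m0 = *chainp; m0 != NULL; prev = m0, m0 = next) {
		next = m0->m_nextpkt;
		m0 = m_prepend_model(m0, ETHER_HDR_LEN);
		if (m0 == NULL) {
			if (prev != NULL)
				prev->m_nextpkt = NULL;  /* unlink the mbuf M_PREPEND freed */
			else
				*chainp = NULL;
			m_freem_chain(*chainp);
			m_freem_chain(next);
			*chainp = NULL;
			return ENOBUFS;
		}
		memcpy(m0->m_data, eh, ETHER_HDR_LEN);
	}
	return 0;
}

static struct mbuf *build_chain(int npkts, int payload)
{
	struct mbuf *head = NULL, **tail = &head;
	for (int i = 0; i < npkts; i++) {
		*tail = m_get_model(payload);
		tail = &(*tail)->m_nextpkt;
	}
	return head;
}

/* Returns 0 when every fragment carries the header, ENOBUFS when the
 * simulated allocator failed, -1 on a header mismatch. live_mbufs is 0
 * afterwards in every case. */
int run_scenario(int npkts, int budget)
{
	static const char eh[ETHER_HDR_LEN] = {   /* constructed: bcast dst, local src, IPv4 */
		'\xff', '\xff', '\xff', '\xff', '\xff', '\xff',
		0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x00 };
	struct mbuf *chain, *m0;
	int err;
	prepend_budget = budget;
	chain = build_chain(npkts, 20);
	err = add_ether_headers(&chain, eh);
	if (err == 0) {
		for (m0 = chain; m0 != NULL; m0 = m0->m_nextpkt)
			if (m0->m_len != 20 + ETHER_HDR_LEN ||
			    memcmp(m0->m_data, eh, ETHER_HDR_LEN) != 0)
				err = -1;
		m_freem_chain(chain);
	}
	return err;
}

int main(void)
{
	int err = run_scenario(4, -1);
	printf("no allocator failure:      err=%d live=%d\n", err, live_mbufs);
	err = run_scenario(4, 2);
	printf("failure on third prepend:  err=%d live=%d\n", err, live_mbufs);
	return 0;
}
```

The second scenario is the one the quoted loop does not survive in this model: after two successful prepends the third fails, and the walk has to recover without touching the pointer the allocator just cleared. The design point is that the only state the loop needs to keep going, the next packet pointer, is copied out before the operation that may destroy the current packet.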


