From owner-freebsd-pf@freebsd.org Mon Aug 29 12:21:09 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 185633] [pf] scrubbing bug in transparent mode bug with bigger than MTU UDP packet
Date: Mon, 29 Aug 2016 12:21:09 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: unspecified
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: olivier@freebsd.org
X-Bugzilla-Status: In Progress
X-Bugzilla-Priority: Normal
X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: "Technical discussion and general questions about packet filter (pf)"
X-List-Received-Date: Mon, 29 Aug 2016 12:21:09 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185633

--- Comment #6 from Olivier Cochard ---

I've generated a core dump and started kgdb on it:

There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x1c
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff8221c218
stack pointer           = 0x28:0xfffffe000dff36c0
frame pointer           = 0x28:0xfffffe000dff3730
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 11 (irq267: virtio_pci1)
trap number             = 12
panic: page fault
cpuid = 0
KDB: stack backtrace:
#0 0xffffffff809590b7 at kdb_backtrace+0x67
#1 0xffffffff80911f32 at vpanic+0x182
#2 0xffffffff80911da3 at panic+0x43
#3 0xffffffff80d36c11 at trap_fatal+0x351
#4 0xffffffff80d36e03 at trap_pfault+0x1e3
#5 0xffffffff80d3638c at trap+0x26c
#6 0xffffffff80d19e71 at calltrap+0x8
#7 0xffffffff8221dd74 at bridge_forward+0x304
#8 0xffffffff8221d0ce at bridge_input+0x5de
#9 0xffffffff80a1a290 at ether_nh_input+0x2a0
#10 0xffffffff80a30c05 at netisr_dispatch_src+0xa5
#11 0xffffffff80a19936 at ether_input+0x26
#12 0xffffffff807f0c6c at vtnet_rxq_eof+0x84c
#13 0xffffffff807f1be3 at vtnet_rx_vq_intr+0x93
#14 0xffffffff808d68ef at intr_event_execute_handlers+0x20f
#15 0xffffffff808d6b56 at ithread_loop+0xc6
#16 0xffffffff808d3535 at fork_exit+0x85
#17 0xffffffff80d1a3ae at fork_trampoline+0xe
Uptime: 2m55s
Dumping 113 out of 224 MB:..15%..29%..43%..57%..71%..85%..99%

Reading symbols from /data/debug/boot/kernel/if_bridge.ko.debug...done.
Loaded symbols for /data/debug/boot/kernel/if_bridge.ko.debug
Reading symbols from /boot/kernel/bridgestp.ko...done.
Loaded symbols for /boot/kernel/bridgestp.ko
Reading symbols from /boot/kernel/pf.ko...done.
Loaded symbols for /boot/kernel/pf.ko
#0  doadump (textdump=) at pcpu.h:221
221     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump (textdump=) at pcpu.h:221
#1  0xffffffff809119b9 in kern_reboot (howto=260) at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_shutdown.c:366
#2  0xffffffff80911f6b in vpanic (fmt=, ap=) at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_shutdown.c:759
#3  0xffffffff80911da3 in panic (fmt=0x0) at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_shutdown.c:690
#4  0xffffffff80d36c11 in trap_fatal (frame=0xfffffe000dff3610, eva=28) at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/trap.c:841
#5  0xffffffff80d36e03 in trap_pfault (frame=0xfffffe000dff3610, usermode=0) at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/trap.c:691
#6  0xffffffff80d3638c in trap (frame=0xfffffe000dff3610) at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/trap.c:442
#7  0xffffffff80d19e71 in calltrap () at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/exception.S:236
#8  0xffffffff8221c218 in bridge_pfil (mp=, bifp=, ifp=0xfffff8000329f000, dir=) at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:3511
#9  0xffffffff8221dd74 in bridge_forward (sc=, sbif=, m=0x0) at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:2265
#10 0xffffffff8221d0ce in bridge_input (ifp=, m=) at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:2475
#11 0xffffffff80a1a290 in ether_nh_input (m=) at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/net/if_ethersubr.c:602
#12 0xffffffff80a30c05 in netisr_dispatch_src (proto=5, source=, m=0x0) at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/net/netisr.c:1120
#13 0xffffffff80a19936 in ether_input (ifp=, m=0x0) at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/net/if_ethersubr.c:757
#14 0xffffffff807f0c6c in vtnet_rxq_eof (rxq=) at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/dev/virtio/network/if_vtnet.c:1745
#15 0xffffffff807f1be3 in vtnet_rx_vq_intr (xrxq=0xfffff800032b8c00) at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/dev/virtio/network/if_vtnet.c:1876
#16 0xffffffff808d68ef in intr_event_execute_handlers (p=, ie=) at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_intr.c:1262
#17 0xffffffff808d6b56 in ithread_loop (arg=) at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_intr.c:1275
#18 0xffffffff808d3535 in fork_exit (callout=0xffffffff808d6a90, arg=0xfffff800032b2f80, frame=0xfffffe000dff3ac0) at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_fork.c:1038
#19 0xffffffff80d1a3ae in fork_trampoline () at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/exception.S:611
#20 0x0000000000000000 in ?? ()
Current language:  auto; currently minimal

=> Displaying the code at the instruction pointer that caused the problem:

(kgdb) list *0xffffffff8221c218
0xffffffff8221c218 is in bridge_pfil (/usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:3511).
3506    /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c: No such file or directory.
        in /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c
(kgdb) frame 8
#8  0xffffffff8221c218 in bridge_pfil (mp=, bifp=, ifp=0xfffff8000329f000, dir=) at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:3511
3511    in /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c
=====

I didn't have the source code (just the debug symbols) on this machine, so looking in if_bridge.c at line 3511: it's the bridge_fragment() function (called by bridge_pfil):

3481 static int
3482 bridge_fragment(struct ifnet *ifp, struct mbuf *m, struct ether_header *eh,
3483     int snap, struct llc *llc)
3484 {
3485         struct mbuf *m0;
3486         struct ip *ip;
3487         int error = -1;
3488
3489         if (m->m_len < sizeof(struct ip) &&
3490             (m = m_pullup(m, sizeof(struct ip))) == NULL)
3491                 goto out;
3492         ip = mtod(m, struct ip *);
3493
3494         m->m_pkthdr.csum_flags |= CSUM_IP;
3495         error = ip_fragment(ip, &m, ifp->if_mtu, ifp->if_hwassist);
3496         if (error)
3497                 goto out;
3498
3499         /* walk the chain and re-add the Ethernet header */
3500         for (m0 = m; m0; m0 = m0->m_nextpkt) {
3501                 if (error == 0) {
3502                         if (snap) {
3503                                 M_PREPEND(m0, sizeof(struct llc), M_NOWAIT);
3504                                 if (m0 == NULL) {
3505                                         error = ENOBUFS;
3506                                         continue;
3507                                 }
3508                                 bcopy(llc, mtod(m0, caddr_t),
3509                                     sizeof(struct llc));
3510                         }
3511                         M_PREPEND(m0, ETHER_HDR_LEN, M_NOWAIT);
3512                         if (m0 == NULL) {
3513                                 error = ENOBUFS;
3514                                 continue;
3515                         }
3516                         bcopy(eh, mtod(m0, caddr_t), ETHER_HDR_LEN);
3517                 } else
3518                         m_freem(m);
3519         }
3520
3521         if (error == 0)
3522                 KMOD_IPSTAT_INC(ips_fragmented);
3523
3524         return (error);
3525
3526 out:
3527         if (m != NULL)
3528                 m_freem(m);
3529         return (error);
3530 }

=> The line that creates the problem should be:

3511                         M_PREPEND(m0, ETHER_HDR_LEN, M_NOWAIT);

Right? But how do I display the m0 variable?

It seems I can only see the "ifp" variable:

(kgdb) p *ifp
$3 = {if_link = {tqe_next = 0xfffff80003385800, tqe_prev = 0xfffff8000329f800},
  if_clones = {le_next = 0x0, le_prev = 0x0},
  if_groups = {tqh_first = 0xfffff800032b2420, tqh_last = 0xfffff800032b2428},
  if_alloctype = 6 '\006', if_softc = 0xfffff800031e7000, if_llsoftc = 0x0,
  if_l2com = 0x0, if_dname = 0xfffff80003176a58 "vtnet", if_dunit = 1,
  if_index = 2, if_index_reserved = 0, if_xname = 0xfffff8000329f060 "vtnet1",
  if_description = 0x0, if_flags = 35075, if_drv_flags = 64,
  if_capabilities = 1572904, if_capenable = 524328, if_linkmib = 0x0,
  if_linkmiblen = 0, if_refcount = 1, if_type = 6 '\006', if_addrlen = 6 '\006',
  if_hdrlen = 18 '\022', if_link_state = 2 '\002', if_mtu = 1500, if_metric = 0,
  if_baudrate = 10000000000, if_hwassist = 0, if_epoch = 1,
  if_lastchange = {tv_sec = 1472470495, tv_usec = 912458},
  if_snd = {ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0, ifq_maxlen = 10240,
    ifq_mtx = {lock_object = {lo_name = 0xfffff8000329f060 "vtnet1",
        lo_flags = 16973824, lo_data = 0, lo_witness = 0x0}, mtx_lock = 4},
    ifq_drv_head = 0x0, ifq_drv_tail = 0x0, ifq_drv_len = 0,
    ifq_drv_maxlen = 0, altq_type = 0, altq_flags = 0, altq_disc = 0x0,
    altq_ifp = 0xfffff8000329f000, altq_enqueue = 0, altq_dequeue = 0,
    altq_request = 0, altq_clfier = 0x0, altq_classify = 0, altq_tbr = 0x0,
    altq_cdnr = 0x0},
  if_linktask = {ta_link = {stqe_next = 0x0}, ta_pending = 0, ta_priority = 0,
    ta_func = 0xffffffff80a0d610, ta_context = 0xfffff8000329f000},
  if_addr_lock = {lock_object = {lo_name = 0xffffffff81232f6f "if_addr_lock",
      lo_flags = 86179840, lo_data = 0, lo_witness = 0x0}, rw_lock = 1},
  if_addrhead = {tqh_first = 0xfffff800032b7900, tqh_last = 0xfffff8000368c028},
  if_multiaddrs = {tqh_first = 0xfffff800033c6b80, tqh_last = 0xfffff800033c6e80},
  if_amcount = 0, if_addr = 0xfffff800032b7900,
  if_broadcastaddr = 0xffffffff81233490 "▒▒▒▒▒▒",
  if_afdata_lock = {lock_object = {lo_name = 0xffffffff81232f7c "if_afdata",
      lo_flags = 86179840, lo_data = 0, lo_witness = 0x0}, rw_lock = 1},
  if_afdata = 0xfffff8000329f208, if_afdata_initialized = 2, if_fib = 0,
  if_vnet = 0x0, if_home_vnet = 0x0, if_vlantrunk = 0x0,
  if_bpf = 0xfffff800032c6a80, if_pcount = 1, if_bridge = 0xfffff8000368de00,
  if_lagg = 0x0, if_pf_kif = 0xfffff8000341fd00, if_carp = 0x0, if_label = 0x0,
  if_netmap = 0xfffff800032f7400, if_output = 0xffffffff80a18d60,
  if_input = 0xffffffff80a19910, if_start = 0, if_ioctl = 0xffffffff807f20e0,
  if_init = 0xffffffff807f1f90, if_resolvemulti = 0xffffffff80a19950,
  if_qflush = 0xffffffff807f2900, if_transmit = 0xffffffff807f27f0,
  if_reassign = 0, if_get_counter = 0xffffffff807f2780,
  if_requestencap = 0xffffffff80a19a70, if_counters = 0xfffff8000329f410,
  if_hw_tsomax = 65518, if_hw_tsomaxsegcount = 35, if_hw_tsomaxsegsize = 2048,
  if_pspare = 0xfffff8000329f480, if_ispare = 0xfffff8000329f4a0}
(kgdb)

Regards,

-- 
You are receiving this mail because:
You are the assignee for the bug.
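In the loop quoted above from bridge_fragment(), a failed M_PREPEND() leaves m0 NULL and the following continue jumps to the for statement's increment, m0 = m0->m_nextpkt, which is then evaluated on a NULL pointer. The user-space model below is an added example, not code from the bug report or from FreeBSD: it keeps the shape of the quoted chain walk but reads the successor before each prepend, and its struct pkt, prepend(), walk_chain() and make_chain() are all stand-ins assumed here for struct mbuf, M_PREPEND() and the chain that ip_fragment() returns.

```c
/* Added example, not code from the bug report or FreeBSD: a user-space model of
 * the chain walk in the quoted bridge_fragment(). struct pkt stands in for
 * struct mbuf; prepend() for M_PREPEND(), which frees the mbuf and yields NULL. */
#include <stdlib.h>

struct pkt {
    struct pkt *nextpkt;   /* like m_nextpkt: next fragment of the chain */
    int len;
};

/* M_PREPEND(m0, len, M_NOWAIT) stand-in: on failure the packet is freed and
 * NULL comes back, the state the quoted code tests with m0 == NULL. */
static struct pkt *prepend(struct pkt *p, int len, int fail)
{
    if (fail) { free(p); return NULL; }
    p->len += len;
    return p;
}

/* Walk the chain as the quoted loop does, but read the successor before the
 * prepend so a failed prepend never leaves a NULL m0 for the loop increment to
 * dereference; fragments after the failure are freed one by one.
 * fail_index: which fragment's prepend fails (-1: none). Returns the number of
 * fragments prepended, or -1 as an ENOBUFS stand-in. */
static int walk_chain(struct pkt *chain, int fail_index)
{
    struct pkt *m0 = chain, *next;
    int error = 0, done = 0;
    while (m0 != NULL) {
        next = m0->nextpkt;                  /* saved while m0 is still valid */
        if (error == 0) {
            m0 = prepend(m0, 14, done == fail_index);  /* 14 = ETHER_HDR_LEN */
            if (m0 == NULL) error = -1; else done++;
        } else
            free(m0);                        /* this fragment, not the head */
        m0 = next;
    }
    return error ? error : done;
}

/* Constructed chain of n fragments, standing in for ip_fragment()'s output. */
static struct pkt *make_chain(int n)
{
    struct pkt *head = NULL, **tail = &head;
    for (int i = 0; i < n; i++) {
        struct pkt *p = calloc(1, sizeof *p);
        p->len = 100; *tail = p; tail = &p->nextpkt;
    }
    return head;
}
```

With fail_index set to a fragment in the middle of the chain, the walk reports the failure and releases the remaining fragments without touching the pointer that the prepend has just invalidated.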