From owner-freebsd-pf@FreeBSD.ORG  Sat Mar 12 05:07:46 2005
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 96FAB16A4CE
	for <pf@freebsd.org>; Sat, 12 Mar 2005 05:07:46 +0000 (GMT)
Received: from ns.kt-is.co.kr (ns.kt-is.co.kr [211.218.149.125])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DFC8243D2D
	for <pf@freebsd.org>; Sat, 12 Mar 2005 05:07:45 +0000 (GMT)
	(envelope-from pyunyh@gmail.com)
Received: from michelle.kt-is.co.kr (ns2.kt-is.co.kr [220.76.118.193])
	(authenticated bits=128)
	by ns.kt-is.co.kr (8.12.10/8.12.10) with ESMTP id j2C56eAh083984
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL);
	Sat, 12 Mar 2005 14:06:41 +0900 (KST)
Received: from michelle.kt-is.co.kr (localhost.kt-is.co.kr [127.0.0.1])
	by michelle.kt-is.co.kr (8.13.1/8.13.1) with ESMTP id j2C57TYN061578
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Sat, 12 Mar 2005 14:07:29 +0900 (KST)
	(envelope-from pyunyh@gmail.com)
Received: (from yongari@localhost)
	by michelle.kt-is.co.kr (8.13.1/8.13.1/Submit) id j2C57MnM061577;
	Sat, 12 Mar 2005 14:07:22 +0900 (KST)
	(envelope-from pyunyh@gmail.com)
Date: Sat, 12 Mar 2005 14:07:22 +0900
From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: Emanuel Strobl <emanuel.strobl@gmx.net>
Message-ID: <20050312050722.GC60892@kt-is.co.kr>
References: <20050212061756.GF4769@kt-is.co.kr>
	<20050311135212.GA30653@insomnia.benzedrine.cx> <200503111619.34188@harrymail>
	<200503111712.36310@harrymail>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="T4sUOijqQbZv57TR"
Content-Disposition: inline
In-Reply-To: <200503111712.36310@harrymail>
User-Agent: Mutt/1.4.2.1i
X-Filter-Version: 1.11a (ns.kt-is.co.kr)
cc: pf@freebsd.org
Subject: Re: pf panic trace [Was: Re: Return-icmp doesn't work]
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: pyunyh@gmail.com
List-Id: Technical discussion and general questions about packet filter (pf)
	<freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Mar 2005 05:07:46 -0000


--T4sUOijqQbZv57TR
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Fri, Mar 11, 2005 at 05:12:31PM +0100, Emanuel Strobl wrote:
 > Am Freitag, 11. M?rz 2005 16:19 schrieb Emanuel Strobl:
 > > Am Freitag, 11. M?rz 2005 14:52 schrieb Daniel Hartmeier:
 > > >   block return-rst in on wi0 reply-to (wi0 10.1.1.1) inet proto tcp all
 > > >
 > > > This is valid syntax and pfctl loads the rule, but the functionality is
 > > > not implemented in kernel yet, i.e. the reply-to option is simply
 > > > ignored.
 > >
 > > Thanks, I tried a very similar rule and after that the box vanished.
 > > I went on location (the box paniced but didn't reboot) and installed a
 > > console-server so I can access the box from here and currently I'm baking a
 > > debug kernel.
 > > I'll notify you if I have a trace!
 > 
 > Here's the original panic message (the non debug kernel) with 5.4-PRE one week 
 > old:
 > Fatal trap 12: page fault while in kernel mode
 > fault virtual address   = 0xc
 > fault code              = supervisor read, page not pre
 > instruction pointer     = 0x8:0xc05ac722
 > stack pointer           = 0x10:0xcc6919ac
 > frame pointer           = 0x10:0xcc6919e0
 > code segment            = base 0x0, limit 0xfffff, type
 >                         = DPL 0, pres 1, def32 1, gran
 > processor eflags        = interrupt enabled, resume, IO
 > current process         = 34 (swi1: net)
 > trap number             = 12
 > panic: page fault
 > Uptime: 1d1h20m33s
 > GEOM_MIRROR: Device web: provider mirror/web destroyed.
 > GEOM_MIRROR: Device web destroyed.
 > ...
 > The machine didn't reboot!
 > 
 > 
 > The following rule panickes the machine:
 > block return-icmp(13) in on $SDSL route-to ($SDSL $sdsl_gw) from any to 
 > $sdsl_net
 > 
 > Here's the trace from 5.4-PRE today:
 > panic: m_copym, offset > size of mbuf chain
 > KDB: stack backtrace:
 > panic(c076ab9a,c174d500,100,cc694a30,0) at panic+0x13c
 > m_copym(c1621b00,5dc,5c8,1,14) at m_copym+0x1c7
 > ip_fragment(c1642010,cc694a74,5dc,6,f01) at ip_fragment+0x168
 > pf_route(cc694bf0,c1a10d20,1,c1585000,0) at pf_route+0x767
 > pf_test(1,c1585000,cc694bf0,0,c17554e0) at pf_test+0x7b1
 > pf_check_in(0,cc694bf0,c1585000,1,0) at pf_check_in+0x48
 > pfil_run_hooks(c07f3e60,cc694c9c,c1585000,1,0) at pfil_run_hooks+0x15b
 > ip_input(c1621b00,0,c076e621,e6,c07f3f20) at ip_input+0x20f
 > netisr_processqueue(cc694cd8,246,c07c8ee0,2,c1508d40) at 
 > netisr_processqueue+0x15
 > swi_net(0,0,c0762ddc,269,0) at swi_net+0x8d
 > ithread_loop(c1526300,cc694d48,c0762bbd,30e,0) at ithread_loop+0x1ff
 > fork_exit(c0560640,c1526300,cc694d48) at fork_exit+0xa9
 > fork_trampoline() at fork_trampoline+0x8
 > --- trap 0x1, eip = 0, esp = 0xcc694d7c, ebp = 0 ---
 > 
 > If you need more info, on http://www.schmalzbauer.de/statics/phobos you can 
 > find dmesg and the whole pf.conf
 > 

Hmm, Max and I had seen these kind of traces when pf porting
was in progress. But now I believe we fixed all possible
cases.

I can't sure but your trace indicates there is a bug in
ip_fragment(). If a packet already set IP_MF flag in ip header,
we would get invalid ip_off in fragmented packet.
And it seems that there is another bug in pf. Since ip_fragment()
can change passed mbuf, we should not use saved copy of it.
Untested patch for CURRENT attached.

-- 
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari	|	yongari@freebsd.org

--T4sUOijqQbZv57TR
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="ip_output.patch"

--- sys/netinet/ip_output.c.orig	Tue Mar  1 20:57:14 2005
+++ sys/netinet/ip_output.c	Sat Mar 12 13:50:54 2005
@@ -959,7 +959,7 @@
 		}
 		m->m_len = mhlen;
 		/* XXX do we need to add ip->ip_off below ? */
-		mhip->ip_off = ((off - hlen) >> 3) + ip->ip_off;
+		mhip->ip_off = ((off - hlen) >> 3) + (ip->ip_off & ~IP_MF);
 		if (off + len >= ip->ip_len) {	/* last fragment */
 			len = ip->ip_len - off;
 			m->m_flags |= M_LASTFRAG;

--T4sUOijqQbZv57TR
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="pf.route.patch"

--- sys/contrib/pf/net/pf.c.orig	Tue Feb 22 10:30:53 2005
+++ sys/contrib/pf/net/pf.c	Sat Mar 12 12:42:37 2005
@@ -5421,7 +5421,6 @@
 			goto bad;
 	}
 
-	m1 = m0;
 #ifdef __FreeBSD__
 	/*
 	 * XXX: is cheaper + less error prone than own function
@@ -5430,6 +5429,7 @@
 	NTOHS(ip->ip_off);
 	error = ip_fragment(ip, &m0, ifp->if_mtu, ifp->if_hwassist, sw_csum);
 #else
+	m1 = m0;
 	error = ip_fragment(m0, ifp, ifp->if_mtu);
 #endif
 	if (error) {
@@ -5439,10 +5439,14 @@
 		goto bad;
 	}
 
+#ifdef __FreeBSD__
+	for (; m0; m0 = m1) {
+#else
 	for (m0 = m1; m0; m0 = m1) {
+#endif
 		m1 = m0->m_nextpkt;
-		m0->m_nextpkt = 0;
 #ifdef __FreeBSD__
+		m0->m_nextpkt = NULL;
 		if (error == 0) {
 			PF_UNLOCK();
 			error = (*ifp->if_output)(ifp, m0, sintosa(dst),
@@ -5450,6 +5454,7 @@
 			PF_LOCK();
 		} else
 #else
+		m0->m_nextpkt = 0;
 		if (error == 0)
 			error = (*ifp->if_output)(ifp, m0, sintosa(dst),
 			    NULL);

--T4sUOijqQbZv57TR--