Date: Wed, 21 Sep 2016 04:24:46 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 212873] pf kernel abort at boot in pf_purge_expired_fragments
Message-ID: <bug-212873-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212873

            Bug ID: 212873
           Summary: pf kernel abort at boot in pf_purge_expired_fragments
           Product: Base System
           Version: CURRENT
          Hardware: arm
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: p-fbsd-bugs@ziemba.us

My analysis: it looks as if there is a null pointer dereference inside
TAILQ_LAST on line 225 of pf_norm.c.

Version: I obtained sources 15 Sep 2016 14:38 PDT via svn from
https://svn0.us-west.freebsd.org/base/head and built with crochet, resulting
in FreeBSD-armv6-12.0-RPI2-305849.img.

Hardware: Raspberry PI 2

Conditions:
1. There is no pf.conf file
2. pf_enable="YES" in rc.conf
3. pflog_enable="YES" in rc.conf
4. ue1 not attached to USB (i.e., presence/absence made no difference)
5. ue0 is the onboard usb ethernet

Here is /etc/rc.conf:

---- start /etc/rc.conf ----
hostname="bogart.ziemba.us"
defaultrouter="10.0.0.1"
ifconfig_ue0="inet 10.0.0.84/16"
ifconfig_ue1="inet 192.168.0.2/24 fib 1"
ifconfig_DEFAULT="DHCP"
vlans_ue0="101"
create_args_ue0_101="fib 1"
ifconfig_ue0_101="inet 10.126.0.3/16 fib 1"
static_routes="fib1default"
route_fib1default="default 10.126.0.2 -fib 1"
dhcpd_enable="YES"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces=""
dhcpd_withumask="022"
sshd_enable="YES"
inetd_enable="YES"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
growfs_enable="YES"
fsck_y_enable="YES"
saver="blank"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
# NO /etc/pf.conf is present for this test
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
# uncommenting the following two lines results in failure at boot
#pflog_enable="YES"
#pflog_logfile="/tmp/pflog"
---- end /etc/rc.conf ----

At boot, the console displays the following (hand-transcribed, it should be
character-for-character correct):

---- begin console transcription ----
Kernel page fault with the following non-sleepable locks held:
exclusive sleep mutex pf fragments (pf fragments) r = 0 (0xc4e03808) locked 0 /v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:224
stack backtrace:
Fatal kernel mode data abort: 'Translation Fault (L1)' on read
trapframe: 0xeb4c2d40
FSR=00000005, FAR=00000004, spsr=80000013
r0 =00000000, r1 =00000001, r2 =ffffffff, r3 =c087b774
r4 =0000000f, r5 =c4df839a, r6 =c4e03800, r7 =00000000
r8 =c4e0343c, r9 =c4e03458, r10=00000000, r11=eb4c2df0
r12=c4e03808, ssp=eb4c2dd0, slr=c02a6514, pc =c4deb88c
[ thread pid 358 tid 100084 ]
Stopped at      pf_purge_expired_fragments+0x44: ldr     r0, [r0, #0x004]
db>
---- end console transcription ----

Note that r0 is NULL.

Typing on my USB keyboard does not produce anything at the db> prompt, and I
don't have a serial console yet (awaiting special rpi cable in the mail), so
I haven't been able to interact with the debugger.

Here is the output of objdump:

---- from objdump output start ----
00024848 <pf_purge_expired_fragments>:
pf_purge_expired_fragments():
/v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:219
        return (0);
}

void
pf_purge_expired_fragments(void)
{
        struct pf_fragment      *frag;
        u_int32_t                expire = time_uptime -
   24864:       e5904000        ldr     r4, [r0]
   24868:       e5900004        ldr     r0, [r0, #4]
/v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:222
            V_pf_default_rule.timeout[PFTM_FRAG];
   2486c:       e59f00ac        ldr     r0, [pc, #172]  ; 24920 <pf_purge_expired_fragments+0xd8>
   24870:       e59072a4        ldr     r7, [r0, #676]
/v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:224
        PF_FRAG_LOCK();
   24874:       e59f00a8        ldr     r0, [pc, #168]  ; 24924 <pf_purge_expired_fragments+0xdc>
   24878:       e2800010        add     r0, r0, #16     ; 0x10
   2487c:       e58d0000        str     r0, [sp]
   24880:       ebff810d        bl      4cbc <pf_addr_cmp-0x228>
/v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:225
        while ((frag = TAILQ_LAST(&V_pf_fragqueue, pf_fragqueue)) != NULL) {
   24884:       e59f60a0        ldr     r6, [pc, #160]  ; 2492c <pf_purge_expired_fragments+0xe4>
   24888:       e5960004        ldr     r0, [r6, #4]
   2488c:       e5900004        ldr     r0, [r0, #4]
   24890:       e5905000        ldr     r5, [r0]
   24894:       e3550000        cmp     r5, #0  ; 0x0
   24898:       0a000018        beq     24900 <pf_purge_expired_fragments+0xb8>
/v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:221
---- from objdump output end ----

Here is the relevant bit of sys/queue.h:

---- from sys/queue.h start ----
#define TAILQ_LAST(head, headname)                                      \
        (*(((struct headname *)((head)->tqh_last))->tqh_last))
---- from sys/queue.h end ----

1. The console message indicates stop at pf_purge_expired_fragments+0x44,
   which is 0x24848 + 0x44 = 0x2488c
2. The various LDRs at 24884 - 24890 are the dereferences in the TAILQ_LAST
   macro.
3. 24894 is the NULL test called out in the C code at line 225, but it's too
   late by then.
-- 
You are receiving this mail because:
You are the assignee for the bug.
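The report's point 3 is that the `!= NULL` test at line 225 only runs after TAILQ_LAST has already made two pointer loads, so a head whose `tqh_last` is NULL faults on the second load before the check can help. The following user-space program is an added illustration of that mechanism; it is not code from the bug report or from FreeBSD. It re-declares the BSD tail-queue macros (mirroring their sys/queue.h definitions, so the file builds without that header), uses a constructed `struct frag` type instead of pf's real fragment structure, and models a never-initialised head as a zeroed struct. That zeroed head is an assumption for illustration only, not a confirmed root cause of bug 212873: the report shows r0 = 0 at `ldr r0, [r0, #4]`, which is exactly what reading `tqh_last` through a NULL `tqh_last` produces on a 32-bit target, but why that pointer was NULL at boot is not established on this page. The guard functions show the check that would have to precede TAILQ_LAST to avoid the fault.

```c
/* Added example, not from the bug report or FreeBSD sources.
 * Reproduces the two-load TAILQ_LAST dereference chain from sys/queue.h in
 * user space and shows a guard that runs before it.  The queue macros are
 * re-declared here (same layout as the BSD ones) so this builds anywhere. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TAILQ_HEAD(name, type) \
    struct name { struct type *tqh_first; struct type **tqh_last; }
#define TAILQ_ENTRY(type) \
    struct { struct type *tqe_next; struct type **tqe_prev; }
#define TAILQ_INIT(head) do {                 \
    (head)->tqh_first = NULL;                 \
    (head)->tqh_last = &(head)->tqh_first;    \
} while (0)
#define TAILQ_INSERT_TAIL(head, elm, field) do {     \
    (elm)->field.tqe_next = NULL;                    \
    (elm)->field.tqe_prev = (head)->tqh_last;        \
    *(head)->tqh_last = (elm);                       \
    (head)->tqh_last = &(elm)->field.tqe_next;       \
} while (0)
/* Same shape as the macro quoted in the report: load tqh_last, then load
 * tqh_last again through it, then dereference.  Nothing checks for NULL. */
#define TAILQ_LAST(head, headname) \
    (*(((struct headname *)((head)->tqh_last))->tqh_last))
#define TAILQ_PREV(elm, headname, field) \
    (*(((struct headname *)((elm)->field.tqe_prev))->tqh_last))

/* Constructed stand-in for a fragment record (not pf's struct pf_fragment). */
struct frag { int id; TAILQ_ENTRY(frag) entry; };
TAILQ_HEAD(fragqueue, frag);

enum { DEMO_MAX = 8 };

/* Guard: a head that never went through TAILQ_INIT has tqh_last == NULL,
 * and TAILQ_LAST on it would read through address 0 + offsetof(tqh_last),
 * i.e. the "ldr r0, [r0, #4]" with r0 = 0 seen in the report (32-bit). */
int fragqueue_initialized(const struct fragqueue *q) {
    return q->tqh_last != NULL;
}

/* TAILQ_LAST with the guard in front: NULL for empty or uninitialised. */
struct frag *fragqueue_last_or_null(struct fragqueue *q) {
    if (!fragqueue_initialized(q))
        return NULL;
    return TAILQ_LAST(q, fragqueue);
}

/* Walks tail-to-head like a purge loop would and counts the elements. */
int fragqueue_count_from_tail(struct fragqueue *q) {
    int n = 0;
    struct frag *f;
    for (f = fragqueue_last_or_null(q); f != NULL;
         f = TAILQ_PREV(f, fragqueue, entry))
        n++;
    return n;
}

/* Builds an initialised queue of n constructed entries (ids 0..n-1). */
static void fragqueue_fill(struct fragqueue *q, struct frag *storage, int n) {
    int i;
    TAILQ_INIT(q);
    for (i = 0; i < n; i++) {
        storage[i].id = i;
        TAILQ_INSERT_TAIL(q, &storage[i], entry);
    }
}

/* Scenario 1 (assumed, for illustration): a zeroed head, as a static head
 * looks before TAILQ_INIT.  Returns 1 when the guard refuses to touch it;
 * calling TAILQ_LAST on it directly would segfault. */
int demo_uninitialised_head_is_refused(void) {
    struct fragqueue zeroed;
    memset(&zeroed, 0, sizeof zeroed);
    return !fragqueue_initialized(&zeroed) &&
           fragqueue_last_or_null(&zeroed) == NULL;
}

/* Scenario 2: a properly initialised queue with n entries.  Returns the id
 * of the last entry, or -1 when the queue is empty (or n is out of range). */
int demo_last_id(int n) {
    struct frag storage[DEMO_MAX];
    struct fragqueue q;
    struct frag *last;
    if (n < 0 || n > DEMO_MAX)
        return -1;
    fragqueue_fill(&q, storage, n);
    last = fragqueue_last_or_null(&q);
    return last ? last->id : -1;
}

/* Scenario 2 again, counting tail-to-head; returns n for a valid n. */
int demo_count_from_tail(int n) {
    struct frag storage[DEMO_MAX];
    struct fragqueue q;
    if (n < 0 || n > DEMO_MAX)
        return -1;
    fragqueue_fill(&q, storage, n);
    return fragqueue_count_from_tail(&q);
}

int main(void) {
    printf("zeroed head refused by guard: %d\n",
           demo_uninitialised_head_is_refused());
    printf("empty initialised queue last id: %d\n", demo_last_id(0));
    printf("3-entry queue: last id %d, count from tail %d\n",
           demo_last_id(3), demo_count_from_tail(3));
    return 0;
}
```

The useful contrast is between the zeroed head and the empty-but-initialised one: TAILQ_INIT points `tqh_last` at `tqh_first`, so TAILQ_LAST on an empty queue reads `tqh_first` and returns NULL cleanly, whereas on a zeroed head the same macro dereferences NULL before any NULL test in the caller can run.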