From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 212873] pf kernel abort at boot in pf_purge_expired_fragments
Date: Wed, 21 Sep 2016 04:24:46 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212873

Bug ID: 212873
Summary: pf kernel abort at boot in pf_purge_expired_fragments
Product: Base System
Version: CURRENT
Hardware: arm
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: p-fbsd-bugs@ziemba.us

My analysis: it looks as if there is a null pointer dereference inside
TAILQ_LAST on line 225 of pf_norm.c.

Version: I obtained sources 15 Sep 2016 14:38 PDT via svn from
https://svn0.us-west.freebsd.org/base/head and built with crochet, resulting
in FreeBSD-armv6-12.0-RPI2-305849.img.

Hardware: Raspberry PI 2

Conditions:
1. There is no pf.conf file
2. pf_enable="YES" in rc.conf
3. pflog_enable="YES" in rc.conf
4. ue1 not attached to USB (i.e., presence/absence made no difference)
5. ue0 is the onboard usb ethernet

Here is /etc/rc.conf:

---- start /etc/rc.conf ----
hostname="bogart.ziemba.us"
defaultrouter="10.0.0.1"
ifconfig_ue0="inet 10.0.0.84/16"
ifconfig_ue1="inet 192.168.0.2/24 fib 1"
ifconfig_DEFAULT="DHCP"
vlans_ue0="101"
create_args_ue0_101="fib 1"
ifconfig_ue0_101="inet 10.126.0.3/16 fib 1"
static_routes="fib1default"
route_fib1default="default 10.126.0.2 -fib 1"
dhcpd_enable="YES"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces=""
dhcpd_withumask="022"
sshd_enable="YES"
inetd_enable="YES"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
growfs_enable="YES"
fsck_y_enable="YES"
saver="blank"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
# NO /etc/pf.conf is present for this test
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
# uncommenting the following two lines results in failure at boot
#pflog_enable="YES"
#pflog_logfile="/tmp/pflog"
---- end /etc/rc.conf ----

At boot, the console displays the following (hand-transcribed, it should be
character-for-character correct):

---- begin console transcription ----
Kernel page fault with the following non-sleepable locks held:
exclusive sleep mutex pf fragments (pf fragments) r = 0 (0xc4e03808) locked 0 /v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:224
stack backtrace:
Fatal kernel mode data abort: 'Translation Fault (L1)' on read
trapframe: 0xeb4c2d40
FSR=00000005, FAR=00000004, spsr=80000013
r0 =00000000, r1 =00000001, r2 =ffffffff, r3 =c087b774
r4 =0000000f, r5 =c4df839a, r6 =c4e03800, r7 =00000000
r8 =c4e0343c, r9 =c4e03458, r10=00000000, r11=eb4c2df0
r12=c4e03808, ssp=eb4c2dd0, slr=c02a6514, pc =c4deb88c
[ thread pid 358 tid 100084 ]
Stopped at      pf_purge_expired_fragments+0x44:        ldr     r0, [r0, #0x004]
db>
---- end console transcription ----

Note that r0 is NULL.

Typing on my USB keyboard does not produce anything at the db> prompt, and I
don't have a serial console yet (awaiting special rpi cable in the mail), so
I haven't been able to interact with the debugger.
Here is the output of objdump:

---- from objdump output start ----
00024848 <pf_purge_expired_fragments>:
pf_purge_expired_fragments():
/v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:219
	return (0);
}

void
pf_purge_expired_fragments(void)
{
	struct pf_fragment	*frag;
	u_int32_t		 expire = time_uptime -
   24864:	e5904000 	ldr	r4, [r0]
   24868:	e5900004 	ldr	r0, [r0, #4]
/v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:222
	    V_pf_default_rule.timeout[PFTM_FRAG];
   2486c:	e59f00ac 	ldr	r0, [pc, #172]	; 24920
   24870:	e59072a4 	ldr	r7, [r0, #676]
/v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:224
	PF_FRAG_LOCK();
   24874:	e59f00a8 	ldr	r0, [pc, #168]	; 24924
   24878:	e2800010 	add	r0, r0, #16	; 0x10
   2487c:	e58d0000 	str	r0, [sp]
   24880:	ebff810d 	bl	4cbc
/v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:225
	while ((frag = TAILQ_LAST(&V_pf_fragqueue, pf_fragqueue)) != NULL) {
   24884:	e59f60a0 	ldr	r6, [pc, #160]	; 2492c
   24888:	e5960004 	ldr	r0, [r6, #4]
   2488c:	e5900004 	ldr	r0, [r0, #4]
   24890:	e5905000 	ldr	r5, [r0]
   24894:	e3550000 	cmp	r5, #0	; 0x0
   24898:	0a000018 	beq	24900
/v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:221
---- from objdump output end ----

Here is the relevant bit of sys/queue.h:

---- from sys/queue.h start ----
#define	TAILQ_LAST(head, headname)					\
	(*(((struct headname *)((head)->tqh_last))->tqh_last))
---- from sys/queue.h end ----

1. The console message indicates stop at pf_purge_expired_fragments+0x44,
   which is 0x24848 + 0x44 = 0x2488c
2. The various LDRs at 24884 - 24890 are the dereferences in the TAILQ_LAST
   macro.
3. 24894 is the NULL test called out in the C code at line 225, but it's too
   late by then.

-- 
You are receiving this mail because:
You are the assignee for the bug.
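The following is an added example, not code from the bug report and not FreeBSD's own code, to make the TAILQ_LAST() dereference chain in the analysis above concrete. It copies the tail-queue macros from sys/queue.h into a stand-alone program and mirrors the pf names (pf_fragqueue, pf_fragment) only for readability. It assumes one condition that produces exactly the register state in the transcript, a queue head whose tqh_last is NULL because the head was zero-filled and never passed to TAILQ_INIT(): the first load (ldr r0, [r6, #4]) then yields r0 = 0 and the second (ldr r0, [r0, #4]) faults at FAR = 4, which is offsetof(tqh_last) on a 32-bit target. The report itself does not establish why tqh_last was NULL, so the checked lookup below is a demonstration of the distinction between a zeroed and an initialised head, not a proposed fix for pf.

```c
/* Added example, not code from the bug report or from FreeBSD: shows what
 * TAILQ_LAST() reads through when a tail-queue head is all-zero (never
 * passed to TAILQ_INIT()), and a checked lookup that refuses such a head.
 * Macros copied from sys/queue.h; struct names mirror pf_norm.c for
 * readability only. */
#include <stddef.h>
#include <string.h>

/* Tail-queue macros as in sys/queue.h (minimal subset). */
#define TAILQ_HEAD(name, type)                                          \
	struct name { struct type *tqh_first; struct type **tqh_last; }
#define TAILQ_ENTRY(type)                                               \
	struct { struct type *tqe_next; struct type **tqe_prev; }
#define TAILQ_INIT(head) do {                                           \
	(head)->tqh_first = NULL;                                       \
	(head)->tqh_last = &(head)->tqh_first;                          \
} while (0)
#define TAILQ_EMPTY(head) ((head)->tqh_first == NULL)
#define TAILQ_INSERT_TAIL(head, elm, field) do {                        \
	(elm)->field.tqe_next = NULL;                                   \
	(elm)->field.tqe_prev = (head)->tqh_last;                       \
	*(head)->tqh_last = (elm);                                      \
	(head)->tqh_last = &(elm)->field.tqe_next;                      \
} while (0)
#define TAILQ_LAST(head, headname)                                      \
	(*(((struct headname *)((head)->tqh_last))->tqh_last))

struct pf_fragment {
	int id;
	TAILQ_ENTRY(pf_fragment) frag_next;
};
TAILQ_HEAD(pf_fragqueue, pf_fragment);

/*
 * TAILQ_LAST() first loads head->tqh_last, then loads the tqh_last field of
 * the struct that pointer supposedly points to. If head->tqh_last is NULL
 * the second load is at address offsetof(struct pf_fragqueue, tqh_last),
 * i.e. sizeof(void *): 4 on armv6 (matching FAR=00000004), 8 on a 64-bit host.
 */
size_t
tailq_last_null_fault_addr(void)
{
	return (offsetof(struct pf_fragqueue, tqh_last));
}

/*
 * A head that TAILQ_INIT() has run on has tqh_last == &tqh_first, never
 * NULL, so a NULL tqh_last identifies a zero-filled, uninitialised head.
 */
int
fragqueue_uninitialised(const struct pf_fragqueue *q)
{
	return (q->tqh_last == NULL);
}

/* Checked version of the lookup in the loop at pf_norm.c:225. */
struct pf_fragment *
fragqueue_last_checked(struct pf_fragqueue *q)
{
	if (fragqueue_uninitialised(q))
		return (NULL);		/* would fault inside TAILQ_LAST() */
	if (TAILQ_EMPTY(q))
		return (NULL);
	return (TAILQ_LAST(q, pf_fragqueue));
}

/* Zero-filled head, as a never-initialised global in .bss would be
 * (constructed input). Returns 1 when it is detected and refused. */
int
demo_zeroed_head_is_refused(void)
{
	struct pf_fragqueue q;

	memset(&q, 0, sizeof(q));
	return (fragqueue_uninitialised(&q) && fragqueue_last_checked(&q) == NULL);
}

/* Initialised head with two constructed elements: returns the id of the
 * last element (2); -1 if the empty queue did not yield NULL; 0 if no last. */
int
demo_last_of_initialised_queue(void)
{
	struct pf_fragqueue q;
	struct pf_fragment a = { .id = 1 }, b = { .id = 2 };
	struct pf_fragment *last;

	TAILQ_INIT(&q);
	if (fragqueue_last_checked(&q) != NULL)
		return (-1);
	TAILQ_INSERT_TAIL(&q, &a, frag_next);
	TAILQ_INSERT_TAIL(&q, &b, frag_next);
	last = fragqueue_last_checked(&q);
	return (last != NULL ? last->id : 0);
}
```

The point the two demo functions make is the one item 3 above makes about the disassembly: the NULL compare at 24894 tests the result of TAILQ_LAST(), but the macro has already dereferenced head->tqh_last by then, so a head that was never TAILQ_INIT()ed can only be caught by checking tqh_last itself (or by guaranteeing initialisation before the purge runs).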