From: "Ricky Charlet" <RCharlet@adaranet.com>
To: freebsd-net@freebsd.org
Date: Thu, 21 Oct 2010 17:43:56 -0700
Subject: crashing problem I can't figure related to IF_ADDR_LOCK, BSD 8.0
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>
Howdy,

FreeBSD 8.0-RELEASE running on an 8 core amd64.

I'm writing a packet filter hook. It is an outbound hook attached with:

    pfil_add_hook(chkoutput, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet);

Inside the hook (chkoutput) I have the following code snippet (where I happen to know that ifp already points to an interface I specifically don't want to process packets for):

    /* Walk ifp's address list under IF_ADDR_LOCK; if the packet's
     * IPv4 source is one of ifp's own addresses, pass it (return 0). */
    IF_ADDR_LOCK(ifp);
    TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
        if (ifa->ifa_addr->sa_family == AF_INET) {
            struct sockaddr_in *sa = (struct sockaddr_in *)ifa->ifa_addr;
            if (sa->sin_addr.s_addr == ip->ip_src.s_addr) {
                /* nevermind */
                IF_ADDR_UNLOCK(ifp);
                return 0;
            }
        }
    }
    IF_ADDR_UNLOCK(ifp);

Well, it runs fine / logically sound / does exactly what I want. However, in later processing, on packets I am receiving (*not* traversing the output hook) I crash with various stack traces, but all culminating in sbdrop_internal. In that function, I have a pointer to an mbuf which is garbage (unreferencable) memory.

- If I take the above code snippet out of my output hook, the system remains stable (though, of course, the hook is not doing all I want).
- If I remove the LOCK and UNLOCK macros, the same crash happens.
- If I take IFNET_RLOCK_NOSLEEP or IFNET_RLOCK, the same crash happens.

I'm fairly convinced that my output hook at the IP layer is somehow corrupting the receive socket layer. But I see no relationship. Even if I were running beyond loop bounds here, I'm not really writing any memory. On the other hand, I don't truly know my way around dealing with kernel locks and I'm just mimicking code I saw in ip_input (the "Check for broadcast addresses" bits).

Any ideas?
Thanks in advance

---
Ricky Charlet
Adara Networks USA
408-433-4942

PS: Some kgdb output here:

    #10 0xffffffff80860183 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:224
    #11 0xffffffff805ec873 in sbdrop_internal (sb=0xffffff0001b976d0, len=0)
        at /usr/src/sys/kern/uipc_sockbuf.c:891
    #12 0xffffffff806ff187 in tcp_do_segment (m=0xffffff000185f200, th=0xffffff00018f0024,
        so=0xffffff0001b97550, tp=0xffffff0001b24a50, drop_hdrlen=40, tlen=0,
        iptos=0 '\0', ti_locked=2) at /usr/src/sys/netinet/tcp_input.c:2357
    #13 0xffffffff80700f72 in tcp_input (m=0xffffff000185f200,
        off0=Variable "off0" is not available.) at /usr/src/sys/netinet/tcp_input.c:1020
    #14 0xffffffff806984ba in ip_input (m=0xffffff000185f200)
        at /usr/src/sys/netinet/ip_input.c:775
    #15 0xffffffff806423ee in netisr_dispatch_src (proto=1,
        source=Variable "source" is not available.) at /usr/src/sys/net/netisr.c:917
    #16 0xffffffff8063ab2d in ether_demux (ifp=0xffffff0001579000, m=0xffffff000185f200)
        at /usr/src/sys/net/if_ethersubr.c:895
    (kgdb) frame 11
    #11 0xffffffff805ec873 in sbdrop_internal (sb=0xffffff0001b976d0, len=0)
        at /usr/src/sys/kern/uipc_sockbuf.c:891
    891             if (m == NULL) {
    (kgdb) print *sb
    $1 = {sb_sel = {si_tdlist = {tqh_first = 0x0, tqh_last = 0x0},
          si_note = {kl_list = {slh_first = 0x0}, kl_lock = 0xffffffff8055bf00,
                     kl_unlock = 0xffffffff8055bed0, kl_assert_locked = 0xffffffff80559220,
                     kl_assert_unlocked = 0xffffffff80559230, kl_lockarg = 0xffffff0001b97718},
          si_mtx = 0x0},
          sb_mtx = {lock_object = {lo_name = 0xffffffff8096f9d5 "so_snd", lo_flags = 16973824,
                    lo_data = 0, lo_witness = 0x0}, mtx_lock = 18446742974221313824},
          sb_sx = {lock_object = {lo_name = 0xffffffff8096ff95 "so_snd_sx", lo_flags = 36896768,
                   lo_data = 0, lo_witness = 0x0}, sx_lock = 1},
          sb_state = 0, sb_mb = 0x8c4600000000, sb_mbtail = 0xffffff0001901900,
          sb_lastrecord = 0xffffff0001901900, sb_sndptr = 0x0, sb_sndptroff = 0, sb_cc = 0,
          sb_hiwat = 33580, sb_mbcnt = 0, sb_mcnt = 0, sb_ccnt = 0, sb_mbmax = 262144,
          sb_ctl = 0, sb_lowat = 2048, sb_timeo = 0, sb_flags = 2048, sb_upcall = 0,
          sb_upcallarg = 0x0}
    (kgdb) print *sb->sb_mb
    Cannot access memory at address 0x8c4600000000
    (kgdb)
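A userland model of the address walk the hook above performs, added here as an example; it is not code from the original post and not FreeBSD kernel code. The `_m` struct names, the `if_addr_lock_depth` counter standing in for IF_ADDR_LOCK/IF_ADDR_UNLOCK, the `chkoutput_m`/`drop_docnet` functions and the sample addresses (192.0.2.10, 2001:db8::1, 198.51.100.0/24) are all constructed. It shows the two things a reviewer would check in such a hook: non-AF_INET entries are skipped before the sockaddr_in cast, and the list is left through a single unlock so no path can leave the lock held. The pfil convention (return 0 to pass the packet) is mirrored by `PFIL_PASS`.

```c
/* Userland model of an outbound pfil hook's "is this source one of ifp's
 * own IPv4 addresses?" walk. Added example: the *_m types and the lock
 * depth counter are stand-ins for the kernel's struct ifnet/ifaddr and
 * IF_ADDR_LOCK/IF_ADDR_UNLOCK, not FreeBSD code. */
#include <sys/queue.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

struct ifaddr_m {
    struct sockaddr *ifa_addr;           /* AF_INET, AF_INET6, ... */
    TAILQ_ENTRY(ifaddr_m) ifa_link;
};

struct ifnet_m {
    char if_xname[16];
    int if_addr_lock_depth;              /* 0 = unlocked; models IF_ADDR_LOCK */
    TAILQ_HEAD(, ifaddr_m) if_addrhead;
};

#define IF_ADDR_LOCK_M(ifp)   ((ifp)->if_addr_lock_depth++)
#define IF_ADDR_UNLOCK_M(ifp) ((ifp)->if_addr_lock_depth--)

/* pfil convention: a hook returns 0 to let the packet through. */
#define PFIL_PASS 0
#define PFIL_DROP 1

static void
ifaddr_add(struct ifnet_m *ifp, struct sockaddr *sa)
{
    struct ifaddr_m *ifa = calloc(1, sizeof(*ifa));
    if (ifa == NULL)
        abort();
    ifa->ifa_addr = sa;
    TAILQ_INSERT_TAIL(&ifp->if_addrhead, ifa, ifa_link);
}

static struct sockaddr *
make_sin(const char *dotted)
{
    struct sockaddr_in *sin = calloc(1, sizeof(*sin));
    if (sin == NULL || inet_pton(AF_INET, dotted, &sin->sin_addr) != 1)
        abort();
    sin->sin_family = AF_INET;
    return (struct sockaddr *)sin;
}

/* 1 if src (network byte order) is one of ifp's IPv4 addresses, else 0.
 * The walk runs under the address lock and leaves through one unlock. */
int
ifp_owns_src(struct ifnet_m *ifp, in_addr_t src)
{
    struct ifaddr_m *ifa;
    int found = 0;

    IF_ADDR_LOCK_M(ifp);
    TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
        struct sockaddr_in *sin;

        if (ifa->ifa_addr == NULL || ifa->ifa_addr->sa_family != AF_INET)
            continue;                    /* only compare IPv4 entries */
        sin = (struct sockaddr_in *)ifa->ifa_addr;
        if (sin->sin_addr.s_addr == src) {
            found = 1;
            break;
        }
    }
    IF_ADDR_UNLOCK_M(ifp);
    return found;
}

/* Model of the outbound hook: locally sourced packets pass untouched,
 * everything else is handed to `filter`. */
int
chkoutput_m(struct ifnet_m *ifp, in_addr_t ip_src, int (*filter)(in_addr_t))
{
    if (ifp_owns_src(ifp, ip_src))
        return PFIL_PASS;                /* the "nevermind" case */
    return filter(ip_src);
}

/* Constructed sample: one IPv6 address (skipped) and one IPv4 address. */
struct ifnet_m *
build_sample_ifnet(void)
{
    struct ifnet_m *ifp = calloc(1, sizeof(*ifp));
    struct sockaddr_in6 *sin6 = calloc(1, sizeof(*sin6));
    if (ifp == NULL || sin6 == NULL)
        abort();
    strcpy(ifp->if_xname, "em0");
    TAILQ_INIT(&ifp->if_addrhead);
    sin6->sin6_family = AF_INET6;
    inet_pton(AF_INET6, "2001:db8::1", &sin6->sin6_addr);
    ifaddr_add(ifp, (struct sockaddr *)sin6);
    ifaddr_add(ifp, make_sin("192.0.2.10"));
    return ifp;
}

/* Example filter: drop anything sourced from 198.51.100.0/24. */
int
drop_docnet(in_addr_t src)
{
    return (ntohl(src) & 0xffffff00u) == 0xc6336400u ? PFIL_DROP : PFIL_PASS;
}

int
main(void)
{
    struct ifnet_m *ifp = build_sample_ifnet();
    printf("%s: own src -> %d, foreign src -> %d, lock depth %d\n", ifp->if_xname,
        chkoutput_m(ifp, inet_addr("192.0.2.10"), drop_docnet),
        chkoutput_m(ifp, inet_addr("198.51.100.7"), drop_docnet),
        ifp->if_addr_lock_depth);
    return 0;
}
```

The lock depth is checked after each call so that an early `return` inside the locked region would show up as a leaked lock; in the kernel the equivalent symptom is a WITNESS or lock-order panic rather than a silent counter.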