From owner-freebsd-pf@FreeBSD.ORG Thu May 24 09:10:04 2012
Date: Thu, 24 May 2012 09:10:04 GMT
Message-Id: <201205240910.q4O9A4rt044627@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Joerg Pulz
Subject: Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?)
List-Id: "Technical discussion and general questions about packet filter (pf)"

The following reply was made to PR kern/168190; it has been noted by GNATS.

From: Joerg Pulz
To: Daniel Hartmeier
Cc: bug-followup@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?)
Date: Thu, 24 May 2012 10:58:54 +0200 (CEST)
On Thu, 24 May 2012, Daniel Hartmeier wrote:

> On Wed, May 23, 2012 at 10:10:04PM +0000, Joerg Pulz wrote:
>
>> Here is what I could get out.
>> I was unable to print *pfh and pfh->pfil_func, but I printed the other
>> two and *ph, maybe this helps.
>
> That looks corrupted: ph_type = 92404512, ph_nhooks = -512 makes no
> sense to me.
>
> Can you go up one stack frame (to #11), which should be ip_output()
>
> 509 /* Run through list of hooks for output packets. */
> 510 odst.s_addr = ip->ip_dst.s_addr;
> 511 ASSERT_HOST_BYTE_ORDER(m);
> 512 error = pfil_run_hooks(&V_inet_pfil_hook, &m, ifp, PFIL_OUT, inp);
> 513 if (error != 0 || m == NULL)
> 514 goto done;
>
> and there print V_inet_pfil_hook?

Daniel,

I can't print V_inet_pfil_hook:

No symbol "V_inet_pfil_hook" in current context.

Meanwhile, the system was running over night with your second patch and panicked in the morning, about 3 hours ago.
I was able to print *ifp, *pfh, pfh->pfil_func, pf_check_out, fr_check_wrapper and ipfw_check_hook.
I couldn't print:

*ph: Variable "ph" is not available.
*m0: Cannot access memory at address 0xb000b0

Below is the output.

Kind regards
Joerg

#### kgdb.out_assert_new
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...
Unread portion of the kernel message buffer:
panic: ipfw_check_hook:281 ASSERT_HOST_BYTE_ORDER 45056 176
cpuid = 1
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2a
kdb_backtrace() at kdb_backtrace+0x37
panic() at panic+0x182
ipfw_check_hook() at ipfw_check_hook+0x511
pfil_run_hooks() at pfil_run_hooks+0xf1
ip_output() at ip_output+0x6de
ip_forward() at ip_forward+0x19e
ip_input() at ip_input+0x680
swi_net() at swi_net+0x15a
intr_event_execute_handlers() at intr_event_execute_handlers+0x66
ithread_loop() at ithread_loop+0xaf
fork_exit() at fork_exit+0x12a
fork_trampoline() at fork_trampoline+0xe
--- trap 0, rip = 0, rsp = 0xffffff8000241d00, rbp = 0 ---
KDB: enter: panic
Dumping 559 out of 4077 MB:..3%..12%..21%..32%..41%..52%..61%..72%..81%..92%

Reading symbols from /boot/kernel/geom_mirror.ko...Reading symbols from /boot/kernel/geom_mirror.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/geom_mirror.ko
Reading symbols from /boot/kernel/ipmi.ko...Reading symbols from /boot/kernel/ipmi.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ipmi.ko
#0 doadump (textdump=0) at pcpu.h:224
224 __asm("movq %%gs:0,%0" : "=r" (td));
(kgdb) up 10
#10 0xffffffff8077a144 in ipfw_check_hook (arg=) at /usr/src/sys/netinet/ipfw/ip_fw_pfil.c:281
281 ASSERT_HOST_BYTE_ORDER(*m0);
(kgdb) list
276 FREE_PKT(*m0);
277 *m0 = NULL;
278 }
279 if (*m0 && mtod(*m0, struct ip *)->ip_v == 4) {
280 SET_HOST_IPLEN(mtod(*m0, struct ip *));
281 ASSERT_HOST_BYTE_ORDER(*m0);
282 }
283 return ret;
284 }
285
(kgdb) p *ifp
$1 = {if_softc = 0xffffff80007a9000, if_l2com = 0xfffffe000300b200, if_vnet = 0x0,
  if_link = {tqe_next = 0xfffffe0003002000, tqe_prev = 0xfffffe0003003818},
  if_xname = "bge0", '\0' , if_dname = 0xfffffe00028f07d8 "bge", if_dunit = 0, if_refcount = 1,
  if_addrhead = {tqh_first = 0xfffffe000300a000, tqh_last = 0xfffffe000591a0b8},
  if_pcount = 0, if_carp = 0x0, if_bpf = 0xfffffe00050d4680, if_index = 5, if_index_reserved = 0,
  if_vlantrunk = 0x0, if_flags = 34819, if_capabilities = 524443, if_capenable = 524443,
  if_linkmib = 0x0, if_linkmiblen = 0,
  if_data = {ifi_type = 6 '\006', ifi_physical = 0 '\0', ifi_addrlen = 6 '\006', ifi_hdrlen = 18 '\022',
    ifi_link_state = 2 '\002', ifi_spare_char1 = 0 '\0', ifi_spare_char2 = 0 '\0', ifi_datalen = 152 '\230',
    ifi_mtu = 1500, ifi_metric = 0, ifi_baudrate = 1000000000, ifi_ipackets = 221591, ifi_ierrors = 0,
    ifi_opackets = 3800, ifi_oerrors = 0, ifi_collisions = 0, ifi_ibytes = 18564820, ifi_obytes = 2351574,
    ifi_imcasts = 205582, ifi_omcasts = 0, ifi_iqdrops = 0, ifi_noproto = 0, ifi_hwassist = 3, ifi_epoch = 1,
    ifi_lastchange = {tv_sec = 1337811753, tv_usec = 642476}},
  if_multiaddrs = {tqh_first = 0xfffffe0005915300, tqh_last = 0xfffffe00058d10c0}, if_amcount = 0,
  if_output = 0xffffffff8073da85 , if_input = 0xffffffff8073d05b , if_start = 0xffffffff803c32f7 ,
  if_ioctl = 0xffffffff803c952a , if_init = 0xffffffff803c94e4 , if_resolvemulti = 0xffffffff8073ca1d ,
  if_qflush = 0xffffffff80735842 , if_transmit = 0xffffffff8073570e , if_reassign = 0,
  if_home_vnet = 0x0, if_addr = 0xfffffe000300a000, if_llsoftc = 0x0, if_drv_flags = 64,
  if_snd = {ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0, ifq_maxlen = 511, ifq_drops = 0,
    ifq_mtx = {lock_object = {lo_name = 0xfffffe0003001828 "bge0", lo_flags = 16973824, lo_data = 0,
      lo_witness = 0xffffff80006cf480}, mtx_lock = 4},
    ifq_drv_head = 0x0, ifq_drv_tail = 0x0, ifq_drv_len = 0, ifq_drv_maxlen = 511, altq_type = 0, altq_flags = 1,
    altq_disc = 0x0, altq_ifp = 0xfffffe0003001800, altq_enqueue = 0, altq_dequeue = 0, altq_request = 0,
    altq_clfier = 0x0, altq_classify = 0, altq_tbr = 0x0, altq_cdnr = 0x0},
  if_broadcastaddr = 0xffffffff80adb860 "ÿÿÿÿÿÿ", if_bridge = 0x0, if_label = 0x0,
  if_prefixhead = {tqh_first = 0x0, tqh_last = 0xfffffe0003001a78},
  if_afdata = {0x0, 0x0, 0xfffffe0005821a20, 0x0 , 0xfffffe00058168c0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
  if_afdata_initialized = 2,
  if_afdata_lock = {lock_object = {lo_name = 0xffffffff80adaafa "if_afdata", lo_flags = 69402624, lo_data = 0,
    lo_witness = 0xffffff80006cf400}, rw_lock = 1},
  if_linktask = {ta_link = {stqe_next = 0x0}, ta_pending = 0, ta_priority = 0, ta_func = 0xffffffff80737ce9 ,
    ta_context = 0xfffffe0003001800},
  if_addr_mtx = {lock_object = {lo_name = 0xffffffff80accbc0 "if_addr_mtx", lo_flags = 16973824, lo_data = 0,
    lo_witness = 0xffffff80006c8b80}, mtx_lock = 4},
  if_clones = {le_next = 0x0, le_prev = 0x0},
  if_groups = {tqh_first = 0xfffffe0003007b20, tqh_last = 0xfffffe0003007b28},
  if_pf_kif = 0xfffffe000588b400, if_lagg = 0x0, if_description = 0x0, if_fib = 0, if_alloctype = 6 '\006',
  if_cspare = "\000\000", if_ispare = {0, 0, 0, 0}, if_pspare = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
(kgdb) up
#11 0xffffffff8074b53d in pfil_run_hooks (ph=) at /usr/src/sys/net/pfil.c:85
85 rv = (*pfh->pfil_func)(pfh->pfil_arg, &m, ifp, dir,
(kgdb) list
80 KASSERT(ph->ph_nhooks >= 0, ("Pfil hook count dropped < 0"));
81 for (pfh = pfil_hook_get(dir, ph); pfh != NULL;
82 pfh = TAILQ_NEXT(pfh, pfil_link)) {
83 if (pfh->pfil_func != NULL) {
84 ASSERT_HOST_BYTE_ORDER(m);
85 rv = (*pfh->pfil_func)(pfh->pfil_arg, &m, ifp, dir,
86 inp);
87 if (rv != 0 || m == NULL)
88 break;
89 ASSERT_HOST_BYTE_ORDER(m);
(kgdb) p *pfh
$2 = {pfil_link = {tqe_next = 0xfffffe00058c5980, tqe_prev = 0xfffffe0005821b00}, pfil_func = 0xffffffff80779c33 , pfil_arg = 0x0}
(kgdb) p pfh->pfil_func
$3 = (int (*)(void *, struct mbuf **, struct ifnet *, int, struct inpcb *)) 0xffffffff80779c33
(kgdb) p pf_check_out
$4 = {int (void *, struct mbuf **, struct ifnet *, int, struct inpcb *)} 0xffffffff8032d39a
(kgdb) p fr_check_wrapper
$5 = {int (void *, struct mbuf **, struct ifnet *, int)} 0xffffffff802fc303
(kgdb) p ipfw_check_hook
$6 = {int (void *, struct mbuf **, struct ifnet *, int, struct inpcb *)} 0xffffffff80779c33
(kgdb)
#### kgdb.out_assert_new

--
The beginning is the most important part of the work. -Plato