Date:      Wed, 17 Feb 2021 14:18:56 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 253587] pf: page fault in pf_pull_hdr
Message-ID:  <bug-253587-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253587

            Bug ID: 253587
           Summary: pf: page fault in pf_pull_hdr
           Product: Base System
           Version: 13.0-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: spambox@haruhiism.net

Seems to affect the ip6 flow. Happened twice so far over about 16 hours.

FreeBSD 13.0-BETA2 amd64 on a PCEngines apu4d4; both GENERIC and custom kernel
configurations (with pf built in) are affected. The NICs are Intel i211-AT,
default hardware offload settings.

Kernel panic message:

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0x18
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80c9aaf0
stack pointer           = 0x28:0xfffffe0007f8b3b0
frame pointer           = 0x28:0xfffffe0007f8b420
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 0 (if_io_tqg_1)
trap number             = 12
panic: page fault
cpuid = 1
time = 1613563924
KDB: stack backtrace:
#0 0xffffffff80c56695 at kdb_backtrace+0x65
#1 0xffffffff80c09261 at vpanic+0x181
#2 0xffffffff80c090d3 at panic+0x43
#3 0xffffffff810891a7 at trap_fatal+0x387
#4 0xffffffff810891ff at trap_pfault+0x4f
#5 0xffffffff8108885d at trap+0x27d
#6 0xffffffff8105fc38 at calltrap+0x8
#7 0xffffffff82945494 at pf_pull_hdr+0x134
#8 0xffffffff8294f23b at pf_test6+0x36b
#9 0xffffffff8295fc80 at pf_check6_out+0x40
#10 0xffffffff80d40f17 at pfil_run_hooks+0x97
#11 0xffffffff80dfbff7 at ip6_forward+0x3c7
#12 0xffffffff80dfd915 at ip6_input+0xbb5
#13 0xffffffff80d3e26a at netisr_dispatch_src+0xca
#14 0xffffffff80d22a28 at ether_demux+0x148
#15 0xffffffff80d23dac at ether_nh_input+0x34c
#16 0xffffffff80d3e26a at netisr_dispatch_src+0xca
#17 0xffffffff80d22e79 at ether_input+0x69

kgdb:

Backtrace:

(kgdb) bt
#0  __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:55
#1  doadump (textdump=<optimized out>) at /usr/src/sys/kern/kern_shutdown.c:399
#2  0xffffffff807bb406 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:486
#3  0xffffffff807bb880 in vpanic (fmt=<optimized out>, ap=<optimized out>) at /usr/src/sys/kern/kern_shutdown.c:919
#4  0xffffffff807bb683 in panic (fmt=<unavailable>) at /usr/src/sys/kern/kern_shutdown.c:843
#5  0xffffffff80b7c1a7 in trap_fatal (frame=0xfffffe0007f4c2f0, eva=24) at /usr/src/sys/amd64/amd64/trap.c:915
#6  0xffffffff80b7c1ff in trap_pfault (frame=frame@entry=0xfffffe0007f4c2f0, usermode=false, signo=<optimized out>, signo@entry=0x0, ucode=<optimized out>, ucode@entry=0x0) at /usr/src/sys/amd64/amd64/trap.c:732
#7  0xffffffff80b7b85d in trap (frame=0xfffffe0007f4c2f0) at /usr/src/sys/amd64/amd64/trap.c:398
#8  <signal handler called>
#9  0xffffffff8084d0a0 in m_copydata (m=0x0, off=40, len=2, cp=cp@entry=0xfffffe0007f4c540 "") at /usr/src/sys/kern/uipc_mbuf.c:649
#10 0xffffffff809b3a24 in pf_pull_hdr (m=m@entry=0xfffff8005865ec00, off=off@entry=40, p=p@entry=0xfffffe0007f4c540, len=len@entry=2, actionp=actionp@entry=0x0, reasonp=reasonp@entry=0xfffffe0007f4c5b6, af=28 '\034') at /usr/src/sys/netpfil/pf/pf.c:5422
#11 0xffffffff809bd7cb in pf_test6 (dir=dir@entry=2, pflags=393216, ifp=<optimized out>, m0=<optimized out>, m0@entry=0xfffffe0007f4c6b8, inp=0x0) at /usr/src/sys/netpfil/pf/pf.c:6398
#12 0xffffffff809cbf60 in pf_check6_out (m=0xfffffe0007f4c6b8, ifp=0x28, flags=40, ruleset=<optimized out>, inp=0x0) at /usr/src/sys/netpfil/pf/pf_ioctl.c:4535
#13 0xffffffff808fe1b7 in pfil_run_hooks (head=<optimized out>, p=..., ifp=0xfffff800026d3800, flags=flags@entry=393216, inp=inp@entry=0x0) at /usr/src/sys/net/pfil.c:187
#14 0xffffffff80975177 in ip6_forward (m=0xfffff8005865ec00, srcrt=srcrt@entry=0) at /usr/src/sys/netinet6/ip6_forward.c:316
#15 0xffffffff80976a95 in ip6_input (m=0xfffff8005865ec00) at /usr/src/sys/netinet6/ip6_input.c:896
#16 0xffffffff808fb50a in netisr_dispatch_src (proto=6, source=<optimized out>, source@entry=0, m=0xfffffe0007f4c540) at /usr/src/sys/net/netisr.c:1143
#17 0xffffffff808fb7ff in netisr_dispatch (proto=1483074560, m=0x2) at /usr/src/sys/net/netisr.c:1234
#18 0xffffffff808dfcc8 in ether_demux (ifp=ifp@entry=0xfffff80002481800, m=0x28) at /usr/src/sys/net/if_ethersubr.c:923
#19 0xffffffff808e104c in ether_input_internal (ifp=0xfffff80002481800, m=0x28) at /usr/src/sys/net/if_ethersubr.c:709
#20 ether_nh_input (m=<optimized out>) at /usr/src/sys/net/if_ethersubr.c:739
#21 0xffffffff808fb50a in netisr_dispatch_src (proto=proto@entry=5, source=<optimized out>, source@entry=0, m=0xfffffe0007f4c540, m@entry=0xfffff8005865ec00) at /usr/src/sys/net/netisr.c:1143
#22 0xffffffff808fb7ff in netisr_dispatch (proto=1483074560, proto@entry=5, m=0x2, m@entry=0xfffff8005865ec00) at /usr/src/sys/net/netisr.c:1234
#23 0xffffffff808e0119 in ether_input (ifp=<optimized out>, m=0xfffff8005865ec00) at /usr/src/sys/net/if_ethersubr.c:830
#24 0xffffffff808f7c48 in iflib_rxeof (rxq=<optimized out>, rxq@entry=0xfffff80002481000, budget=<optimized out>) at /usr/src/sys/net/iflib.c:3008
#25 0xffffffff808f1fa2 in _task_fn_rx (context=0xfffff80002481000) at /usr/src/sys/net/iflib.c:3951
#26 0xffffffff808076ad in gtaskqueue_run_locked (queue=queue@entry=0xfffff80002424700) at /usr/src/sys/kern/subr_gtaskqueue.c:371
#27 0xffffffff8080734c in gtaskqueue_thread_loop (arg=<optimized out>, arg@entry=0xfffffe0008d54008) at /usr/src/sys/kern/subr_gtaskqueue.c:547
#28 0xffffffff8077990e in fork_exit (callout=0xffffffff808072a0 <gtaskqueue_thread_loop>, arg=0xfffffe0008d54008, frame=0xfffffe0007f4cc00) at /usr/src/sys/kern/kern_fork.c:1069
#29 <signal handler called>

Frames:

(kgdb) f 10
#10 0xffffffff809b3a24 in pf_pull_hdr (m=m@entry=0xfffff8005865ec00, off=off@entry=40, p=p@entry=0xfffffe0007f4c540,
    len=len@entry=2, actionp=actionp@entry=0x0, reasonp=reasonp@entry=0xfffffe0007f4c5b6, af=28 '\034')
    at /usr/src/sys/netpfil/pf/pf.c:5422
5422            m_copydata(m, off, len, p);
(kgdb) print m
$3 = (struct mbuf *) 0xfffff8005865ec00

(kgdb) f 9
#9  0xffffffff8084d0a0 in m_copydata (m=0x0, off=40, len=2, cp=cp@entry=0xfffffe0007f4c540 "")
    at /usr/src/sys/kern/uipc_mbuf.c:649
649                     if (off < m->m_len)
(kgdb) print m
$4 = (const struct mbuf *) 0x0

m in frame 10:

(kgdb) print *m
$1 = {{m_next = 0x0, m_slist = {sle_next = 0x0}, m_stailq = {stqe_next = 0x0}}, {m_nextpkt = 0x0, m_slistpkt = {
      sle_next = 0x0}, m_stailqpkt = {stqe_next = 0x0}}, m_data = 0xfffff8005865ec58 "\001", m_len = 0, m_type = 1,
  m_flags = 2, {{{m_pkthdr = {{snd_tag = 0x0, rcvif = 0x0}, tags = {slh_first = 0x0}, len = 1232, flowid = 0,
          csum_flags = 0, fibnum = 0, numa_domain = 255 '\377', rsstype = 0 '\000', {rcv_tstmp = 0, {
              l2hlen = 0 '\000', l3hlen = 0 '\000', l4hlen = 0 '\000', l5hlen = 0 '\000', inner_l2hlen = 0 '\000',
              inner_l3hlen = 0 '\000', inner_l4hlen = 0 '\000', inner_l5hlen = 0 '\000'}}, PH_per = {
            eight = "\000\000\000\000\000\000\000", sixteen = {0, 0, 0, 0}, thirtytwo = {0, 0}, sixtyfour = {0},
            unintptr = {0}, ptr = 0x0}, PH_loc = {eight = "\000\000\000\000\000\000\000", sixteen = {0, 0, 0, 0},
            thirtytwo = {0, 0}, sixtyfour = {0}, unintptr = {0}, ptr = 0x0}}, {m_epg_npgs = 0 '\000',
          m_epg_nrdy = 0 '\000', m_epg_hdrlen = 0 '\000', m_epg_trllen = 0 '\000', m_epg_1st_off = 0,
          m_epg_last_len = 0, m_epg_flags = 0 '\000', m_epg_record_type = 0 '\000', __spare = "\000",
          m_epg_enc_cnt = 0, m_epg_tls = 0x4d0, m_epg_so = 0xff000000000000, m_epg_seqno = 0, m_epg_stailq = {
            stqe_next = 0x0}}}, {m_ext = {{ext_count = 1, ext_cnt = 0xd00125500000001}, ext_size = 4096, ext_type = 3,
          ext_flags = 1, {{ext_buf = 0xfffff8012b419000 "", ext_arg2 = 0x0}, {extpg_pa = {18446735282637213696, 0,
                372221068050365953, 5427120254332600373, 13475210667545916651},
              extpg_trail = "\303y\262a\265\272\361\362Q\346P\020\000\246\a\325\000\000\060\060\061/default,2018,-1\000MM_CHARSET=UTF-8\000BLOCKSIZE",
              extpg_hdr = "=K\000SHLVL=1\000\000\000c\354\360\000\000\000\000\002\000"}},
          ext_free = 0x0, ext_arg1 = 0x0}, m_pktdat = 0xfffff8005865ec58 "\001"}}, m_dat = 0xfffff8005865ec20 ""}}
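To show what frames 9 and 10 together mean, here is an added user-space model (not FreeBSD's code) of the chain walk that m_copydata() performs, built around the values printed for the mbuf above: m_len = 0 and m_next = 0x0 while m_pkthdr.len still claims 1232 bytes, so the walk runs off the end of the chain and the read of m->m_len through a NULL pointer lands at 0x18, the fault virtual address in the panic. The trimmed struct, chain_length() and safe_pull_hdr() are assumptions made for illustration, not kernel interfaces.

```c
/* Added example, not FreeBSD code: a user-space model of the chain walk in
 * m_copydata() (sys/kern/uipc_mbuf.c), showing why the mbuf from frame 10
 * (m_len = 0, m_next = 0x0, m_pkthdr.len = 1232) faults at address 0x18. */
#include <stddef.h>
#include <string.h>

/* Stand-in for struct mbuf: the first four fields are ordered as in the real
 * struct on amd64, so offsetof(m_len) == 0x18, the fault virtual address. */
struct mbuf {
    struct mbuf *m_next, *m_nextpkt;
    char *m_data;
    int m_len;
    int m_pkthdr_len;                   /* stands in for m_pkthdr.len */
};
/* Bytes really present in the chain (what the kernel's m_length() sums). */
static int chain_length(const struct mbuf *m) {
    int total = 0;
    for (; m != NULL; m = m->m_next) total += m->m_len;
    return total;
}
/* Model of m_copydata(). With KASSERT compiled out the kernel tests
 * 'off < m->m_len' (uipc_mbuf.c:649) on a NULL m once the chain runs out;
 * here that returns the struct offset the read would touch, 0 on success. */
static long copydata_model(const struct mbuf *m, int off, int len, char *cp) {
    while (off > 0) {
        if (m == NULL) return (long)offsetof(struct mbuf, m_len);  /* 0x18 */
        if (off < m->m_len) break;
        off -= m->m_len;
        m = m->m_next;
    }
    while (len > 0) {
        if (m == NULL) return (long)offsetof(struct mbuf, m_len);
        int count = m->m_len - off < len ? m->m_len - off : len;
        memcpy(cp, m->m_data + off, (size_t)count);
        len -= count; cp += count; off = 0; m = m->m_next;
    }
    return 0;
}
/* Defensive pull: a check on m_pkthdr.len alone (1232 >= 40 + 2) passes for
 * this mbuf; checking the real chain length rejects it as too short (-1). */
static int safe_pull_hdr(const struct mbuf *m, int off, int len, char *p) {
    if (m->m_pkthdr_len < off + len || chain_length(m) < off + len) return -1;
    return copydata_model(m, off, len, p) == 0 ? 0 : -1;
}
/* Constructed mbuf mirroring frame 10. guarded == 0: the offset m_copydata
 * would dereference (0x18); guarded != 0: result of the defensive pull (-1). */
static long frame10_case(int guarded) {
    char buf[64] = {0}, hdr[2];
    struct mbuf m = { NULL, NULL, buf, 0, 1232 };
    return guarded ? safe_pull_hdr(&m, 40, 2, hdr) : copydata_model(&m, 40, 2, hdr);
}
```

The same 40-byte offset with 2-byte length succeeds once the chain actually carries the data, which is what a length check against the chain (rather than the packet header) distinguishes.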
