From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 253587] pf: page fault in pf_pull_hdr
Date: Wed, 17 Feb 2021 14:18:56 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253587

            Bug ID: 253587
           Summary: pf: page fault in pf_pull_hdr
           Product: Base System
           Version: 13.0-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: spambox@haruhiism.net

Seems to affect the ip6 flow. Happened twice so far over about 16 hours.
FreeBSD 13.0-BETA2 amd64 on a PCEngines apu4d4; both GENERIC and custom kernel
configurations (with pf built in) are affected.
The NICs are Intel i211-AT, default hardware offload settings.

Kernel panic message:

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0x18
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80c9aaf0
stack pointer           = 0x28:0xfffffe0007f8b3b0
frame pointer           = 0x28:0xfffffe0007f8b420
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 0 (if_io_tqg_1)
trap number             = 12
panic: page fault
cpuid = 1
time = 1613563924
KDB: stack backtrace:
#0 0xffffffff80c56695 at kdb_backtrace+0x65
#1 0xffffffff80c09261 at vpanic+0x181
#2 0xffffffff80c090d3 at panic+0x43
#3 0xffffffff810891a7 at trap_fatal+0x387
#4 0xffffffff810891ff at trap_pfault+0x4f
#5 0xffffffff8108885d at trap+0x27d
#6 0xffffffff8105fc38 at calltrap+0x8
#7 0xffffffff82945494 at pf_pull_hdr+0x134
#8 0xffffffff8294f23b at pf_test6+0x36b
#9 0xffffffff8295fc80 at pf_check6_out+0x40
#10 0xffffffff80d40f17 at pfil_run_hooks+0x97
#11 0xffffffff80dfbff7 at ip6_forward+0x3c7
#12 0xffffffff80dfd915 at ip6_input+0xbb5
#13 0xffffffff80d3e26a at netisr_dispatch_src+0xca
#14 0xffffffff80d22a28 at ether_demux+0x148
#15 0xffffffff80d23dac at ether_nh_input+0x34c
#16 0xffffffff80d3e26a at netisr_dispatch_src+0xca
#17 0xffffffff80d22e79 at ether_input+0x69

kgdb:

Backtrace:

(kgdb) bt
#0  __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:55
#1  doadump (textdump=) at /usr/src/sys/kern/kern_shutdown.c:399
#2  0xffffffff807bb406 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:486
#3  0xffffffff807bb880 in vpanic (fmt=, ap=) at /usr/src/sys/kern/kern_shutdown.c:919
#4  0xffffffff807bb683 in panic (fmt=) at /usr/src/sys/kern/kern_shutdown.c:843
#5  0xffffffff80b7c1a7 in trap_fatal (frame=0xfffffe0007f4c2f0, eva=24) at /usr/src/sys/amd64/amd64/trap.c:915
#6  0xffffffff80b7c1ff in trap_pfault (frame=frame@entry=0xfffffe0007f4c2f0, usermode=false, signo=, signo@entry=0x0, ucode=, ucode@entry=0x0) at /usr/src/sys/amd64/amd64/trap.c:732
#7  0xffffffff80b7b85d in trap (frame=0xfffffe0007f4c2f0) at /usr/src/sys/amd64/amd64/trap.c:398
#8
#9  0xffffffff8084d0a0 in m_copydata (m=0x0, off=40, len=2, cp=cp@entry=0xfffffe0007f4c540 "") at /usr/src/sys/kern/uipc_mbuf.c:649
#10 0xffffffff809b3a24 in pf_pull_hdr (m=m@entry=0xfffff8005865ec00, off=off@entry=40, p=p@entry=0xfffffe0007f4c540, len=len@entry=2, actionp=actionp@entry=0x0, reasonp=reasonp@entry=0xfffffe0007f4c5b6, af=28 '\034') at /usr/src/sys/netpfil/pf/pf.c:5422
#11 0xffffffff809bd7cb in pf_test6 (dir=dir@entry=2, pflags=393216, ifp=, m0=, m0@entry=0xfffffe0007f4c6b8, inp=0x0) at /usr/src/sys/netpfil/pf/pf.c:6398
#12 0xffffffff809cbf60 in pf_check6_out (m=0xfffffe0007f4c6b8, ifp=0x28, flags=40, ruleset=, inp=0x0) at /usr/src/sys/netpfil/pf/pf_ioctl.c:4535
#13 0xffffffff808fe1b7 in pfil_run_hooks (head=, p=..., ifp=0xfffff800026d3800, flags=flags@entry=393216, inp=inp@entry=0x0) at /usr/src/sys/net/pfil.c:187
#14 0xffffffff80975177 in ip6_forward (m=0xfffff8005865ec00, srcrt=srcrt@entry=0) at /usr/src/sys/netinet6/ip6_forward.c:316
#15 0xffffffff80976a95 in ip6_input (m=0xfffff8005865ec00) at /usr/src/sys/netinet6/ip6_input.c:896
#16 0xffffffff808fb50a in netisr_dispatch_src (proto=6, source=, source@entry=0, m=0xfffffe0007f4c540) at /usr/src/sys/net/netisr.c:1143
#17 0xffffffff808fb7ff in netisr_dispatch (proto=1483074560, m=0x2) at /usr/src/sys/net/netisr.c:1234
#18 0xffffffff808dfcc8 in ether_demux (ifp=ifp@entry=0xfffff80002481800, m=0x28) at /usr/src/sys/net/if_ethersubr.c:923
#19 0xffffffff808e104c in ether_input_internal (ifp=0xfffff80002481800, m=0x28) at /usr/src/sys/net/if_ethersubr.c:709
#20 ether_nh_input (m=) at /usr/src/sys/net/if_ethersubr.c:739
#21 0xffffffff808fb50a in netisr_dispatch_src (proto=proto@entry=5, source=, source@entry=0, m=0xfffffe0007f4c540, m@entry=0xfffff8005865ec00) at /usr/src/sys/net/netisr.c:1143
#22 0xffffffff808fb7ff in netisr_dispatch (proto=1483074560, proto@entry=5, m=0x2, m@entry=0xfffff8005865ec00) at /usr/src/sys/net/netisr.c:1234
#23 0xffffffff808e0119 in ether_input (ifp=, m=0xfffff8005865ec00) at /usr/src/sys/net/if_ethersubr.c:830
#24 0xffffffff808f7c48 in iflib_rxeof (rxq=, rxq@entry=0xfffff80002481000, budget=) at /usr/src/sys/net/iflib.c:3008
#25 0xffffffff808f1fa2 in _task_fn_rx (context=0xfffff80002481000) at /usr/src/sys/net/iflib.c:3951
#26 0xffffffff808076ad in gtaskqueue_run_locked (queue=queue@entry=0xfffff80002424700) at /usr/src/sys/kern/subr_gtaskqueue.c:371
#27 0xffffffff8080734c in gtaskqueue_thread_loop (arg=, arg@entry=0xfffffe0008d54008) at /usr/src/sys/kern/subr_gtaskqueue.c:547
#28 0xffffffff8077990e in fork_exit (callout=0xffffffff808072a0 , arg=0xfffffe0008d54008, frame=0xfffffe0007f4cc00) at /usr/src/sys/kern/kern_fork.c:1069
#29

Frames:

(kgdb) f 10
#10 0xffffffff809b3a24 in pf_pull_hdr (m=m@entry=0xfffff8005865ec00, off=off@entry=40, p=p@entry=0xfffffe0007f4c540, len=len@entry=2, actionp=actionp@entry=0x0, reasonp=reasonp@entry=0xfffffe0007f4c5b6, af=28 '\034') at /usr/src/sys/netpfil/pf/pf.c:5422
5422            m_copydata(m, off, len, p);
(kgdb) print m
$3 = (struct mbuf *) 0xfffff8005865ec00

(kgdb) f 9
#9  0xffffffff8084d0a0 in m_copydata (m=0x0, off=40, len=2, cp=cp@entry=0xfffffe0007f4c540 "") at /usr/src/sys/kern/uipc_mbuf.c:649
649                     if (off < m->m_len)
(kgdb) print m
$4 = (const struct mbuf *) 0x0

m in frame 10:

(kgdb) print *m
$1 = {{m_next = 0x0, m_slist = {sle_next = 0x0}, m_stailq = {stqe_next = 0x0}},
  {m_nextpkt = 0x0, m_slistpkt = {sle_next = 0x0}, m_stailqpkt = {stqe_next = 0x0}},
  m_data = 0xfffff8005865ec58 "\001", m_len = 0, m_type = 1, m_flags = 2,
  {{{m_pkthdr = {{snd_tag = 0x0, rcvif = 0x0}, tags = {slh_first = 0x0}, len = 1232,
        flowid = 0, csum_flags = 0, fibnum = 0, numa_domain = 255 '\377', rsstype = 0 '\000',
        {rcv_tstmp = 0, {l2hlen = 0 '\000', l3hlen = 0 '\000', l4hlen = 0 '\000', l5hlen = 0 '\000',
            inner_l2hlen = 0 '\000', inner_l3hlen = 0 '\000', inner_l4hlen = 0 '\000', inner_l5hlen = 0 '\000'}},
        PH_per = {eight = "\000\000\000\000\000\000\000", sixteen = {0, 0, 0, 0}, thirtytwo = {0, 0},
          sixtyfour = {0}, unintptr = {0}, ptr = 0x0},
        PH_loc = {eight = "\000\000\000\000\000\000\000", sixteen = {0, 0, 0, 0}, thirtytwo = {0, 0},
          sixtyfour = {0}, unintptr = {0}, ptr = 0x0}},
      {m_epg_npgs = 0 '\000', m_epg_nrdy = 0 '\000', m_epg_hdrlen = 0 '\000', m_epg_trllen = 0 '\000',
        m_epg_1st_off = 0, m_epg_last_len = 0, m_epg_flags = 0 '\000', m_epg_record_type = 0 '\000',
        __spare = "\000", m_epg_enc_cnt = 0, m_epg_tls = 0x4d0, m_epg_so = 0xff000000000000,
        m_epg_seqno = 0, m_epg_stailq = {stqe_next = 0x0}}},
    {m_ext = {{ext_count = 1, ext_cnt = 0xd00125500000001}, ext_size = 4096, ext_type = 3, ext_flags = 1,
        {{ext_buf = 0xfffff8012b419000 "", ext_arg2 = 0x0},
          {extpg_pa = {18446735282637213696, 0, 372221068050365953, 5427120254332600373, 13475210667545916651},
            extpg_trail = "\303y\262a\265\272\361\362Q\346P\020\000\246\a\325\000\000\060\060\061/default,2018,-1\000MM_CHARSET=UTF-8\000BLOCKSIZE",
            extpg_hdr = "=K\000SHLVL=1\000\000\000c\354\360\000\000\000\000\002\000"}},
        ext_free = 0x0, ext_arg1 = 0x0}, m_pktdat = 0xfffff8005865ec58 "\001"}},
  m_dat = 0xfffff8005865ec20 ""}}

-- 
You are receiving this mail because:
You are the assignee for the bug.
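
Added example, not part of the original report and not FreeBSD source: a simplified C model of the state the kgdb session shows, where the packet header claims 1232 bytes while the only mbuf in the chain has m_len = 0 and m_next = 0x0, so a walk to offset 40 ends on a NULL pointer. The copy routine here checks for the end of the chain at each step instead of trusting the claimed length. `struct mb`, `chain_bytes`, `checked_copydata` and `dump_case` are hypothetical names.

```c
#include <stddef.h>
#include <string.h>
/* Simplified stand-in for struct mbuf (hypothetical; field order follows the dump). */
struct mb {
	struct mb *m_next;    /* next buffer in the chain */
	struct mb *m_nextpkt; /* unused here */
	char *m_data;         /* start of this buffer's data */
	int m_len;            /* offset 24 (0x18) on LP64: the reported fault address */
	int pkt_len;          /* models m_pkthdr.len, the claimed chain total */
};

/* Bytes actually reachable by walking the chain. */
static int chain_bytes(const struct mb *m)
{
	int total = 0;
	for (; m != NULL; m = m->m_next)
		total += m->m_len;
	return total;
}

/* Copy len bytes from offset off; -1 if the chain ends first, whatever pkt_len claims. */
static int checked_copydata(const struct mb *m, int off, int len, char *dst)
{
	if (off < 0 || len < 0)
		return -1;
	while (m != NULL && off >= m->m_len) { /* skip whole buffers */
		off -= m->m_len;
		m = m->m_next;
	}
	while (len > 0) {
		if (m == NULL)
			return -1; /* ran off the chain */
		int n = m->m_len - off;
		if (n > len)
			n = len;
		memcpy(dst, m->m_data + off, (size_t)n);
		dst += n; len -= n; off = 0;
		m = m->m_next;
	}
	return 0;
}

/* Constructed case using the dump's values: len 1232 claimed, m_len 0, m_next NULL. */
static int dump_case(void)
{
	char byte = 1, out[2];
	struct mb m = { NULL, NULL, &byte, 0, 1232 };
	return checked_copydata(&m, 40, 2, out); /* off=40, len=2 as in frame 10 */
}
```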