Date: Mon, 17 Nov 2003 20:35:42 +0300 (MSK)
From: Yuriy Tsibizov <Yuriy.Tsibizov@gfk.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: Yuriy.Tsibizov@gfk.ru
Subject: kern/59576: kernel panic: attempted use of free mbuf! when BPF is in use on tun interface
Message-ID: <200311171735.hAHHZgL5001224@free.home.local>
Resent-Message-ID: <200311220650.hAM6oAKc083322@freefall.freebsd.org>
>Number:         59576
>Category:       kern
>Synopsis:       kernel panic: attempted use of free mbuf! when BPF is in use on tun interface
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 21 22:50:10 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Yuriy Tsibizov
>Release:        FreeBSD 5.1-CURRENT i386
>Organization:
none
>Environment:
System: FreeBSD free.home.local 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Thu Nov 13 12:01:44 MSK 2003 root@free.home.local:/usr/obj/usr/src/sys/GENERIC i386
last World was built November, 9th
>Description:
I've got a panic after running tcpdump -v -i tun0

tunoutput: attempted use of a free mbuf!

here is gdb backtrace from kernel crashdump:

GNU gdb 5.2.1 (FreeBSD)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-undermydesk-freebsd"...
panic: tunoutput: attempted use of a free mbuf!
panic messages:
---
panic: tunoutput: attempted use of a free mbuf!
cpuid = 0;
panic: from debugger
cpuid = 0;
Uptime: 3m23s
Dumping 256 MB
 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240
---
Reading symbols from /boot/kernel/logo_saver.ko...done.
Loaded symbols for /boot/kernel/logo_saver.ko
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:240
240             dumping++;
(kgdb) bt
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:240
#1  0xc066af8b in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:372
#2  0xc066b38d in panic () at /usr/src/sys/kern/kern_shutdown.c:550
#3  0xc0489a32 in db_panic () at /usr/src/sys/ddb/db_command.c:450
#4  0xc0489992 in db_command (last_cmdp=0xc0922cc0, cmd_table=0x0, aux_cmd_tablep=0xc08a6270, aux_cmd_tablep_end=0xc08a6288) at /usr/src/sys/ddb/db_command.c:346
#5  0xc0489ad5 in db_command_loop () at /usr/src/sys/ddb/db_command.c:472
#6  0xc048cad5 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_trap.c:73
#7  0xc07ff55c in kdb_trap (type=3, code=0, regs=0xcf0298c8) at /usr/src/sys/i386/i386/db_interface.c:171
#8  0xc0815648 in trap (frame= {tf_fs = 24, tf_es = 16, tf_ds = 16, tf_edi = -1064972502, tf_esi = 1, tf_ebp = -821913324, tf_isp = -821913356, tf_ebx = 0, tf_edx = 0, tf_ecx = 0, tf_eax = 18, tf_trapno = 3, tf_err = 0, tf_eip = -1065355163, tf_cs = 8, tf_eflags = 646, tf_esp = -1064705964, tf_ss = -1064814156}) at /usr/src/sys/i386/i386/trap.c:580
#9  0xc0800fa8 in calltrap () at {standard input}:94
#10 0xc066b326 in panic (fmt=0xc085cf2a "%s: attempted use of a free mbuf!") at /usr/src/sys/kern/kern_shutdown.c:534
#11 0xc06e23c3 in tunoutput (ifp=0xc2e4fc08, m0=0xc16d9600, dst=0xc2e52d10, rt=0xc30bc000) at /usr/src/sys/net/if_tun.c:473
#12 0xc06fea4c in ip_output (m0=0x1, opt=0xc16d96c4, ro=0xc2f8478c, flags=0, imo=0x0, inp=0xc2f84750) at /usr/src/sys/netinet/ip_output.c:1037
#13 0xc070e789 in udp_output (inp=0xc2f84750, m=0xc16d9600, addr=0x0, control=0x0, td=0xc2f31b40) at /usr/src/sys/netinet/udp_usrreq.c:876
#14 0xc070ef67 in udp_send (so=0x0, flags=0, m=0xc16d9600, addr=0x0, control=0x0, td=0x0) at /usr/src/sys/netinet/udp_usrreq.c:1072
#15 0xc06aa7bd in sosend (so=0xc2f821e0, addr=0x0, uio=0xcf029c48, top=0xc16d9600, control=0x0, flags=0, td=0xc2f31b40) at /usr/src/sys/kern/uipc_socket.c:715
#16 0xc06aedec in kern_sendit (td=0xc2f31b40, s=5, mp=0xcf029cc0, flags=0, control=0x0) at /usr/src/sys/kern/uipc_syscalls.c:722
#17 0xc06aec3e in sendit (td=0x0, s=0, mp=0xcf029cc0, flags=0) at /usr/src/sys/kern/uipc_syscalls.c:662
#18 0xc06aef7b in sendto (td=0x0, uap=0x0) at /usr/src/sys/kern/uipc_syscalls.c:783
#19 0xc0816010 in syscall (frame= {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 135897088, tf_esi = 29, tf_ebp = -1077944824, tf_isp = -821912204, tf_ebx = 674744424, tf_edx = 0, tf_ecx = 0, tf_eax = 133, tf_trapno = 12, tf_err = 2, tf_eip = 674234687, tf_cs = 31, tf_eflags = 530, tf_esp = -1077944868, tf_ss = 47}) at /usr/src/sys/i386/i386/trap.c:1010
#20 0xc0800ffd in Xint0x80_syscall () at {standard input}:136
---Can't read userspace from dump, or kernel process---
(kgdb) f 11
#11 0xc06e23c3 in tunoutput (ifp=0xc2e4fc08, m0=0xc16d9600, dst=0xc2e52d10, rt=0xc30bc000) at /usr/src/sys/net/if_tun.c:473
473             BPF_MTAP(ifp, &m);
(kgdb) list 460
455             m0->m_data += sizeof(int);
456     }
457
458     if (ifp->if_bpf) {
459             /*
460              * We need to prepend the address family as
461              * a four byte field.  Cons up a dummy header
462              * to pacify bpf.  This is safe because bpf
463              * will only read from the mbuf (i.e., it won't
464              * try to free it or keep a pointer to it).
465              */
466             struct mbuf m;
467             uint32_t af = dst->sa_family;
468
469             m.m_next = m0;
470             m.m_len = 4;
471             m.m_data = (char *)&af;
472
473             BPF_MTAP(ifp, &m);
474     }
(kgdb) q

There are other network drivers that have the same (or similar) code as above:
 if_ic.c (dev/iicbus)
 if_plip.c (dev/plip)
 if_disc.c
 if_gif.c
 if_loop.c
 if_tun.c (all from net)
All of these drivers will cause a panic if you try to use tcpdump on these interfaces, because of the 1.28-1.29 changes in net/bpf.h (addition of M_ASSERTVALID to the BPF_MTAP macro).
if_stf.c (net) has similar code, but does not use the BPF_MTAP macro unless HAVE_OLD_BPF is not defined (it calls bpf_mtap(...) directly).
>How-To-Repeat:
open ppp connection using userland ppp
run tcpdump -v -itun0
>Fix:
I don't know how to properly fix it.
We can call bpf_mtap(...) directly, as if_stf.c does.
We can set mbuf flags to something like M_RDONLY: add m.m_flags = M_RDONLY to the code above.
We can replace all this code with
{
        struct mbuf *m;
        m = m_prepend(m0, 4, M_NOWAIT);
        // copy (af) to first 4 bytes of m->m_data
        BPF_MTAP(ifp, m);
        m->m_len -= 4;  // wrong?
}
>Release-Note:
>Audit-Trail:
>Unformatted:
Date: Mon, 17 Nov 2003 20:35:42 +0300 (MSK)
Message-Id: <200311171735.hAHHZgL5001224@free.home.local>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kernel panic: attempted use of free mbuf! when BPF is in use on tun interface
From: Yuriy Tsibizov <Yuriy.Tsibizov@gfk.ru>
Reply-To: Yuriy Tsibizov <Yuriy.Tsibizov@gfk.ru>
Cc: Yuriy.Tsibizov@gfk.ru
X-send-pr-version: 3.113
X-GNATS-Notify:
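Added example, not part of this PR and not FreeBSD kernel code: a small userland C model of the two approaches the report discusses. The model assumes (an assumption about the real M_ASSERTVALID, which is not shown on the page) that the validity check rejects an mbuf whose type field reads as MT_FREE, which is what an uninitialised stack `struct mbuf` can hold, and it uses a simplified m_prepend that reuses leading space in the head mbuf. Every `model_*` and `tap_with_*` name is hypothetical. It shows the stack dummy header from if_tun.c failing the check, and the prepend-then-strip alternative from the Fix section: stripping with `m->m_len -= 4` alone (the PR's "wrong?") leaves the address-family word in front of the payload and drops real bytes from the tail, while removing the four bytes from the head, as m_adj() would, restores the original packet.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Userland model of the few mbuf fields this example touches (a model, not sys/mbuf.h). */
struct mbuf {
    struct mbuf *m_next;
    char        *m_data;
    int          m_len;
    int          m_type;        /* MODEL_MT_FREE (0) marks a free or never-allocated mbuf */
    char         m_buf[64];     /* storage; m_data points into it */
};
enum { MODEL_MT_FREE = 0, MODEL_MT_DATA = 1 };
#define MODEL_HDRLEN 4          /* the four-byte address-family header the tap expects */

/* Model allocator: only mbufs from here get a valid type; leading space is left for m_prepend. */
static struct mbuf *model_m_get(void) {
    struct mbuf *m = calloc(1, sizeof *m);
    if (m) { m->m_type = MODEL_MT_DATA; m->m_data = m->m_buf + 16; }
    return m;
}

/* Model of the M_ASSERTVALID check (assumed semantics): 0 when the mbuf did not come from the allocator. */
static int model_m_valid(const struct mbuf *m) { return m != NULL && m->m_type != MODEL_MT_FREE; }

/* Model of bpf_mtap: validate the head, then copy up to snaplen bytes of the chain.
 * Returns the byte count, or -1 where the kernel would panic. */
static int model_bpf_mtap(const struct mbuf *m, unsigned char *out, size_t snaplen) {
    if (!model_m_valid(m)) return -1;
    size_t n = 0;
    for (; m != NULL && n < snaplen; m = m->m_next) {
        size_t take = (size_t)m->m_len;
        if (take > snaplen - n) take = snaplen - n;
        memcpy(out + n, m->m_data, take);
        n += take;
    }
    return (int)n;
}

/* One-mbuf chain carrying a constructed payload. */
static struct mbuf *model_chain_from(const char *payload, int len) {
    struct mbuf *m = model_m_get();
    if (m) { memcpy(m->m_data, payload, (size_t)len); m->m_len = len; }
    return m;
}

/* The if_tun.c pattern: a stack mbuf as dummy header. Its m_type is whatever the stack
 * held; zeroing it here stands in for stack contents that happen to read as MT_FREE. */
static int tap_with_stack_header(struct mbuf *m0, uint32_t af, unsigned char *out, size_t snaplen) {
    struct mbuf m;
    memset(&m, 0, sizeof m);
    m.m_next = m0;
    m.m_len = MODEL_HDRLEN;
    m.m_data = (char *)&af;
    return model_bpf_mtap(&m, out, snaplen);
}

/* Model of m_prepend: use leading space in the head mbuf, otherwise allocate a new head. */
static struct mbuf *model_m_prepend(struct mbuf *m, int len) {
    if (m->m_data - m->m_buf >= len) { m->m_data -= len; m->m_len += len; return m; }
    struct mbuf *h = model_m_get();
    if (h) { h->m_next = m; h->m_len = len; }
    return h;
}

/* The PR's alternative: prepend the header in allocator-owned storage, tap, then strip it.
 * strip_from_head=1 removes it from the front like m_adj(m, 4); 0 applies "m->m_len -= 4". */
static int tap_with_prepended_header(struct mbuf **m0, uint32_t af, unsigned char *out,
                                     size_t snaplen, int strip_from_head) {
    struct mbuf *m = model_m_prepend(*m0, MODEL_HDRLEN);
    if (m == NULL) return -1;
    memcpy(m->m_data, &af, MODEL_HDRLEN);
    int n = model_bpf_mtap(m, out, snaplen);
    if (strip_from_head) { m->m_data += MODEL_HDRLEN; m->m_len -= MODEL_HDRLEN; }
    else                 { m->m_len -= MODEL_HDRLEN; }
    *m0 = m;
    return n;
}

/* Bytes the next hop would read from the chain after the strip. */
static int model_chain_bytes(const struct mbuf *m, unsigned char *out, size_t cap) {
    size_t n = 0;
    for (; m != NULL && (size_t)m->m_len <= cap - n; m = m->m_next) {
        memcpy(out + n, m->m_data, (size_t)m->m_len);
        n += (size_t)m->m_len;
    }
    return (int)n;
}

int main(void) {
    unsigned char cap[64], rest[64];
    struct mbuf *m0 = model_chain_from("hello", 5);           /* constructed payload */
    printf("stack header tap: %d (-1 = modelled panic)\n", tap_with_stack_header(m0, 2, cap, sizeof cap));
    int n = tap_with_prepended_header(&m0, 2, cap, sizeof cap, 1);
    int left = model_chain_bytes(m0, rest, sizeof rest);
    printf("prepended header tap: %d bytes captured, %d payload bytes left: %.5s\n", n, left, (const char *)rest);
    free(m0);
    return 0;
}
```

The model walks the whole chain with a snaplen so that it captures the same bytes a real tap would; the point of the comparison is that the header handed to the tap lives in allocator-owned memory that the validity check accepts, and that the strip afterwards has to move the data pointer, not just shorten the length.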