Date:      Thu, 01 Sep 2016 05:29:12 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-pf@FreeBSD.org
Subject:   [Bug 185633] [pf] scrubbing bug in transparent mode bug with bigger than MTU UDP packet
Message-ID:  <bug-185633-17777-oxJXtLEEyo@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-185633-17777@https.bugs.freebsd.org/bugzilla/>
References:  <bug-185633-17777@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185633

--- Comment #11 from Olivier Cochard <olivier@freebsd.org> ---
I've generated a core dump (with a DEBUG kernel) and looked into it:

                Unread portion of the kernel message buffer:
panic: vtnet_txq_encap: no mbuf packet header!
cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00003ab530
vpanic() at vpanic+0x182/frame 0xfffffe00003ab5b0
kassert_panic() at kassert_panic+0x126/frame 0xfffffe00003ab620
vtnet_txq_mq_start_locked() at vtnet_txq_mq_start_locked+0x635/frame 0xfffffe00003ab6e0
vtnet_txq_mq_start() at vtnet_txq_mq_start+0x6f/frame 0xfffffe00003ab720
bridge_enqueue() at bridge_enqueue+0x9a/frame 0xfffffe00003ab760
bridge_forward() at bridge_forward+0x322/frame 0xfffffe00003ab7c0
bridge_input() at bridge_input+0x5f4/frame 0xfffffe00003ab830
ether_nh_input() at ether_nh_input+0x2ab/frame 0xfffffe00003ab870
netisr_dispatch_src() at netisr_dispatch_src+0x80/frame 0xfffffe00003ab8d0
ether_input() at ether_input+0x62/frame 0xfffffe00003ab900
vtnet_rxq_eof() at vtnet_rxq_eof+0x835/frame 0xfffffe00003ab9b0
vtnet_rx_vq_intr() at vtnet_rx_vq_intr+0x4e/frame 0xfffffe00003ab9e0
intr_event_execute_handlers() at intr_event_execute_handlers+0x96/frame 0xfffffe00003aba20
ithread_loop() at ithread_loop+0xa6/frame 0xfffffe00003aba70
fork_exit() at fork_exit+0x84/frame 0xfffffe00003abab0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00003abab0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic

Reading symbols from /data/debug/boot/kernel/if_bridge.ko.debug...done.
Loaded symbols for /data/debug/boot/kernel/if_bridge.ko.debug
Reading symbols from /boot/kernel/bridgestp.ko...done.
Loaded symbols for /boot/kernel/bridgestp.ko
Reading symbols from /boot/kernel/pf.ko...done.
Loaded symbols for /boot/kernel/pf.ko
#0  doadump (textdump=0) at pcpu.h:221
221     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump (textdump=0) at pcpu.h:221
#1  0xffffffff8035512b in db_dump (dummy=<value optimized out>, dummy2=false,
    dummy3=0, dummy4=0x0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/ddb/db_command.c:546
#2  0xffffffff80354f29 in db_command (cmd_table=<value optimized out>)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/ddb/db_command.c:453
#3  0xffffffff80354c84 in db_command_loop ()
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/ddb/db_command.c:506
#4  0xffffffff80357d2b in db_trap (type=<value optimized out>,
    code=<value optimized out>)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/ddb/db_main.c:251
#5  0xffffffff808fe593 in kdb_trap (type=<value optimized out>,
    code=<value optimized out>, tf=<value optimized out>)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/subr_kdb.c:654
#6  0xffffffff80c9993d in trap (frame=0xfffffe00003ab460)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/trap.c:556
#7  0xffffffff80c7a2d1 in calltrap ()
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/exception.S:236
#8  0xffffffff808fdc3b in kdb_enter (why=0xffffffff8118cc44 "panic",
    msg=0x80 <Address 0x80 out of bounds>) at cpufunc.h:63
#9  0xffffffff808c05ff in vpanic (fmt=<value optimized out>,
    ap=0xfffffe00003ab5f0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_shutdown.c:752
#10 0xffffffff808c0456 in kassert_panic (fmt=<value optimized out>)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_shutdown.c:649
#11 0xffffffff807bc0d5 in vtnet_txq_mq_start_locked (txq=0xfffff80003698b00,
    m=0xfffff80003e25700)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/dev/virtio/network/if_vtnet.c:2185
#12 0xffffffff807bce3f in vtnet_txq_mq_start (ifp=0xfffff800036d3800,
    m=0xfffff80003e25700)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/dev/virtio/network/if_vtnet.c:2381
#13 0xffffffff8221b72a in bridge_enqueue (sc=0xfffff8000369d200,
    dst_ifp=<value optimized out>, m=<value optimized out>)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:1920
#14 0xffffffff8221e2c2 in bridge_forward (sc=<value optimized out>,
    sbif=<value optimized out>, m=0xfffffe00003ab410)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:2271
#15 0xffffffff8221d564 in bridge_input (ifp=<value optimized out>,
    m=<value optimized out>)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:2475
#16 0xffffffff809afc4b in ether_nh_input (m=<value optimized out>)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/net/if_ethersubr.c:602
#17 0xffffffff809c4cb0 in netisr_dispatch_src (proto=5, source=0,
    m=0xfffff80003e25600)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/net/netisr.c:1120
#18 0xffffffff809af252 in ether_input (ifp=<value optimized out>, m=0x0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/net/if_ethersubr.c:757
#19 0xffffffff807bb675 in vtnet_rxq_eof (rxq=<value optimized out>)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/dev/virtio/network/if_vtnet.c:1745
#20 0xffffffff807bc69e in vtnet_rx_vq_intr (xrxq=0xfffff80003698e00)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/dev/virtio/network/if_vtnet.c:1876
#21 0xffffffff8088dde6 in intr_event_execute_handlers (
    p=<value optimized out>, ie=<value optimized out>)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_intr.c:1262
#22 0xffffffff8088e466 in ithread_loop (arg=<value optimized out>)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_intr.c:1275
#23 0xffffffff8088b4f4 in fork_exit (
    callout=0xffffffff8088e3c0 <ithread_loop>, arg=0xfffff800034c1ee0,
    frame=0xfffffe00003abac0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_fork.c:1038
#24 0xffffffff80c7a80e in fork_trampoline ()
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/exception.S:611
#25 0x0000000000000000 in ?? ()
Current language:  auto; currently minimal

=> It seems that bridge_enqueue() is sending a bad/nonexistent mbuf to the interface.

(kgdb) frame 13
#13 0xffffffff8221b72a in bridge_enqueue (sc=0xfffff8000369d200,
    dst_ifp=<value optimized out>, m=<value optimized out>)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:1920
1920                    if ((err = dst_ifp->if_transmit(dst_ifp, m))) {

=> kgdb can't display the m (mbuf pointer) value here, but at the previous frame it can display it:

(kgdb) frame 14
#14 0xffffffff8221e2c2 in bridge_forward (sc=<value optimized out>,
    sbif=<value optimized out>, m=0xfffffe00003ab410)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:2271
2271            bridge_enqueue(sc, dst_if, m);
(kgdb) print m
$1 = (struct mbuf *) 0xfffffe00003ab410

On my VMs that are using the vtnet interface, vtnet has neither VLANTAG nor VLAN_HWTAGGING:

[root@router]~# ifconfig vtnet1
vtnet1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE>


Then bridge_enqueue() should go through this part of the code:

        /*
         * If underlying interface can not do VLAN tag insertion itself
         * then attach a packet tag that holds it.
         */
        if ((m->m_flags & M_VLANTAG) &&
            (dst_ifp->if_capenable & IFCAP_VLAN_HWTAGGING) == 0) {


I believe there is something wrong here.
Then I've inserted an M_ASSERTPKTHDR(m);
just before line 1920: if ((err = dst_ifp->if_transmit(dst_ifp, m)))

and this new ASSERT is triggered:

[root@router]~# panic: bridge_enqueue: no mbuf packet header!
cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00003ab630
vpanic() at vpanic+0x182/frame 0xfffffe00003ab6b0
kassert_panic() at kassert_panic+0x126/frame 0xfffffe00003ab720
bridge_enqueue() at bridge_enqueue+0x11a/frame 0xfffffe00003ab760
bridge_forward() at bridge_forward+0x322/frame 0xfffffe00003ab7c0
bridge_input() at bridge_input+0x5f4/frame 0xfffffe00003ab830
ether_nh_input() at ether_nh_input+0x2ab/frame 0xfffffe00003ab870
netisr_dispatch_src() at netisr_dispatch_src+0x80/frame 0xfffffe00003ab8d0
ether_input() at ether_input+0x62/frame 0xfffffe00003ab900
vtnet_rxq_eof() at vtnet_rxq_eof+0x835/frame 0xfffffe00003ab9b0
vtnet_rx_vq_intr() at vtnet_rx_vq_intr+0x4e/frame 0xfffffe00003ab9e0
intr_event_execute_handlers() at intr_event_execute_handlers+0x96/frame 0xfffffe00003aba20
ithread_loop() at ithread_loop+0xa6/frame 0xfffffe00003aba70
fork_exit() at fork_exit+0x84/frame 0xfffffe00003abab0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00003abab0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic
[ thread pid 11 tid 100025 ]
Stopped at      kdb_enter+0x3b: movq    $0,kdb_why

--
You are receiving this mail because:
You are the assignee for the bug.
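A userland model of the invariant behind this panic, added here as an illustration and not code from FreeBSD or from the bug reporter: the driver's transmit path requires the head mbuf of a packet to carry a packet header, and a check on the bridge side (the M_ASSERTPKTHDR the comment inserts, modelled here as returning a drop code rather than panicking) catches the bad mbuf one layer earlier, before the driver dereferences header fields that were never set. All struct layouts, flag values, the capability bit, the model_* and scenario_* names and the constructed scenarios are hypothetical stand-ins chosen for illustration.

```c
/*
 * Added example, not FreeBSD code: a userland model of the invariant the
 * panic above enforces. A driver's transmit path (vtnet_txq_encap in the
 * report) expects the first mbuf of a packet to carry a packet header
 * (M_PKTHDR); bridge_enqueue() forwarded one without it. The structs, flag
 * values, capability bit and function names here are simplified,
 * hypothetical stand-ins for the kernel's.
 */
#include <stdio.h>

#define M_PKTHDR             0x0002  /* hypothetical: head mbuf, pkthdr valid */
#define M_VLANTAG            0x0080  /* hypothetical: ether_vtag is valid */
#define IFCAP_VLAN_HWTAGGING 0x0020  /* hypothetical: NIC inserts VLAN tags */

struct pkthdr {
    int            len;          /* total packet length */
    unsigned short ether_vtag;   /* VLAN tag, valid only with M_VLANTAG */
};

struct mbuf {
    unsigned int  m_flags;
    struct pkthdr m_pkthdr;      /* meaningful only when M_PKTHDR is set */
};

struct ifnet {
    unsigned int if_capenable;
    int (*if_transmit)(struct ifnet *, struct mbuf *);
};

/* Result codes of the modelled bridge_enqueue(). */
enum { ENQ_OK = 0, ENQ_DROP_NO_PKTHDR = 1, ENQ_TRANSMIT_FAILED = 2 };

/* Stand-in for M_ASSERTPKTHDR(m): report instead of panicking. */
static int mbuf_has_pkthdr(const struct mbuf *m)
{
    return m != NULL && (m->m_flags & M_PKTHDR) != 0;
}

/* Model of the driver side: like the KASSERT in vtnet_txq_encap, it refuses
 * a chain whose head has no packet header, but returns an error instead. */
static int model_if_transmit(struct ifnet *ifp, struct mbuf *m)
{
    (void)ifp;
    return mbuf_has_pkthdr(m) ? 0 : -1;
}

/*
 * Model of bridge_enqueue(): check the invariant before calling into the
 * driver. The VLAN branch mirrors the code quoted in the report: when the
 * destination cannot tag in hardware, the tag must travel in the packet
 * header, which is one more reason the header has to exist at this point.
 */
int model_bridge_enqueue(struct ifnet *dst_ifp, struct mbuf *m, int *sw_vlan)
{
    *sw_vlan = 0;
    if (!mbuf_has_pkthdr(m))
        return ENQ_DROP_NO_PKTHDR;  /* the report's case: drop, don't panic */
    if ((m->m_flags & M_VLANTAG) &&
        (dst_ifp->if_capenable & IFCAP_VLAN_HWTAGGING) == 0)
        *sw_vlan = 1;               /* kernel would attach a packet tag here */
    return dst_ifp->if_transmit(dst_ifp, m) == 0 ? ENQ_OK : ENQ_TRANSMIT_FAILED;
}

/* Constructed scenarios (not captured from a real system). */
int scenario_missing_pkthdr(void)
{
    struct ifnet vtnet = { 0, model_if_transmit };  /* no HW tagging, as in the ifconfig output */
    struct mbuf m = { 0, { 0, 0 } };                /* header flag lost */
    int sw;
    return model_bridge_enqueue(&vtnet, &m, &sw);   /* ENQ_DROP_NO_PKTHDR */
}

int scenario_vlan_software_tag(void)
{
    struct ifnet vtnet = { 0, model_if_transmit };
    struct mbuf m = { M_PKTHDR | M_VLANTAG, { 1500, 10 } };
    int sw;
    if (model_bridge_enqueue(&vtnet, &m, &sw) != ENQ_OK)
        return -1;
    return sw;                                      /* 1: tag carried via pkthdr */
}

int scenario_vlan_hardware_tag(void)
{
    struct ifnet nic = { IFCAP_VLAN_HWTAGGING, model_if_transmit };
    struct mbuf m = { M_PKTHDR | M_VLANTAG, { 1500, 10 } };
    int sw;
    if (model_bridge_enqueue(&nic, &m, &sw) != ENQ_OK)
        return -1;
    return sw;                                      /* 0: NIC inserts the tag */
}

int main(void)
{
    printf("missing pkthdr        -> code %d\n", scenario_missing_pkthdr());
    printf("vlan, no hw tagging   -> sw_vlan=%d\n", scenario_vlan_software_tag());
    printf("vlan, hw tagging      -> sw_vlan=%d\n", scenario_vlan_hardware_tag());
    return 0;
}
```

M_ASSERTPKTHDR is a KASSERT, so it only fires on a kernel built with INVARIANTS (the DEBUG kernel used in the comment); on a production kernel the same missing header is not caught at either layer, and the driver goes on to read pkthdr fields of an mbuf that has none.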
