From owner-freebsd-bugs@FreeBSD.ORG Wed Oct 27 17:00:46 2004
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EE53016A4F4 for ; Wed, 27 Oct 2004 17:00:46 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id C06F143D5E for ; Wed, 27 Oct 2004 17:00:46 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id i9RH0ko3082336 for ; Wed, 27 Oct 2004 17:00:46 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i9RH0kV2082326; Wed, 27 Oct 2004 17:00:46 GMT (envelope-from gnats)
Resent-Date: Wed, 27 Oct 2004 17:00:46 GMT
Resent-Message-Id: <200410271700.i9RH0kV2082326@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Dmitry Miloserdov
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 74CE016A4CE for ; Wed, 27 Oct 2004 16:52:32 +0000 (GMT)
Received: from bis.ru (ns.citlab.ru [195.128.76.226]) by mx1.FreeBSD.org (Postfix) with SMTP id 2B6C643D1D for ; Wed, 27 Oct 2004 16:52:31 +0000 (GMT) (envelope-from dmitry@bis.ru)
Received: (qmail 94210 invoked by uid 1010); 27 Oct 2004 16:52:29 -0000
Message-Id: <20041027165229.94209.qmail@bis.ru>
Date: 27 Oct 2004 16:52:29 -0000
From: Dmitry Miloserdov
To:
X-Send-Pr-Version: 3.113
Subject: kern/73208: panic by duplicating UDP NFS v2 packets
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Dmitry Miloserdov
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 27 Oct 2004 17:00:47 -0000

>Number:         73208
>Category:       kern
>Synopsis:       panic by duplicating UDP NFS v2 packets
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 27 17:00:46 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Dmitry Miloserdov
>Release:        FreeBSD 5.3-RC1 i386
>Organization:
>Environment:
System: FreeBSD dhcp.bis.local 5.3-RC1 FreeBSD 5.3-RC1 #0: Wed Oct 27 15:48:02 MSD 2004 dmitry@dhcp.bis.local:/usr/obj/u/src5/sys/DHCP i386
>Description:
The system crashes when the NFS server receives two identical packets within a short period of time and the command in them must be rejected by access control. In my opinion access control itself is not the reason for the crash - it just helps exploit a race somewhere. // Feel free to ignore my opinion

BTW, sending a duplicate of most control NFS packets is the default behavior of the UnixWare NFS client.

/etc/exports:
/u -alldirs -mapall=www
---
ls -ld /u/db
drwxr-xr-x  2 www  www  3072 25 Oct 21:54 /u/db
---
On the client, try to create the file /u/db/fil (which is allowed); the client's creat() syscall then tries to change the group of /u/db/fil to the primary group of the client's user (which is denied).
tethereal -td:
  1 0.021505 192.168.1.4 -> 10.1.1.1 NFS V2 LOOKUP Call, DH:0x3273bcaa/db
  2 0.000016 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #1]V2 LOOKUP Call, DH:0x3273bcaa/db
  3 0.010767 192.168.1.4 -> 10.1.1.1 NFS V2 LOOKUP Call, DH:0x9d5440aa/fil
  4 0.000015 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #3]V2 LOOKUP Call, DH:0x9d5440aa/fil
  5 0.011850 192.168.1.4 -> 10.1.1.1 NFS V2 CREATE Call, DH:0x9d5440aa/fil
  6 0.000016 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #5]V2 CREATE Call, DH:0x9d5440aa/fil
  7 0.000534 192.168.1.4 -> 10.1.1.1 NFS V2 SETATTR Call, FH:0x7233c0b2
  8 0.000012 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #7]V2 SETATTR Call, FH:0x7233c0b2
  9 0.863791 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #7]V2 SETATTR Call, FH:0x7233c0b2
---
On the 8th packet the system crashes. The problem is not the content of the packet but the packets' frequency, as blocking half of the NFS packets with ipfw allows the system to fulfill the request without a panic.
---
kernel trap 12 with interrupts disabled

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x24
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc0511337
stack pointer           = 0x10:0xe4b45b50
frame pointer           = 0x10:0xe4b45b64
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = resume, IOPL = 0
current process         = 86 (swi1: net)
trap number             = 12
panic: page fault
cpuid = 0
boot() called on cpu#0
Uptime: 6m50s
---
(kgdb) bt
#0  doadump () at pcpu.h:159
#1  0xc04f2293 in boot (howto=260) at /u/src5/sys/kern/kern_shutdown.c:397
#2  0xc04f25b9 in panic (fmt=0xc064bd2f "%s") at /u/src5/sys/kern/kern_shutdown.c:553
#3  0xc0629690 in trap_fatal (frame=0xe4b45b10, eva=36) at /u/src5/sys/i386/i386/trap.c:809
#4  0xc0628e4d in trap (frame= {tf_fs = -65512, tf_es = -457965552, tf_ds = -1068498928, tf_edi = -1041038560, tf_esi = -1066696864, tf_ebp = -457942172, tf_isp = -457942212, tf_ebx = -1041117680, tf_edx = -1041463000, tf_ecx = -1041462912, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1068428489, tf_cs = 8, tf_eflags = 65683, tf_esp = 40, tf_ss = 0}) at /u/src5/sys/i386/i386/trap.c:247
#5  0xc0617c3a in calltrap () at /u/src5/sys/i386/i386/exception.s:140
#6  0xffff0018 in ?? ()
#7  0xe4b40010 in ?? ()
#8  0xc0500010 in osethostid (td=0xc1f1ce10, uap=0x0) at /u/src5/sys/kern/kern_xxx.c:145
#9  0xc0511af1 in turnstile_wait (ts=0xc1ec8980, lock=0xc06b7f60, owner=0xc1f30320) at /u/src5/sys/kern/subr_turnstile.c:556
#10 0xc04e9899 in _mtx_lock_sleep (m=0xc06b7f60, td=0xc1f1ce10, opts=0, file=0x0, line=0) at /u/src5/sys/kern/kern_mutex.c:560
#11 0xc05b05ae in nfsrv_rcv (so=0xc234b144, arg=0xc22aa280, waitflag=1) at /u/src5/sys/nfsserver/nfs_srvsock.c:443
#12 0xc052ba6d in sowakeup (so=0xc234b144, sb=0xc234b194) at /u/src5/sys/kern/uipc_socket2.c:413
#13 0xc0580e90 in udp_append (last=0xc234b144, ip=0xc27b4810, n=0xc278b300, off=28) at /u/src5/sys/netinet/udp_usrreq.c:509
#14 0xc0580c93 in udp_input (m=0xc278b300, off=20) at /u/src5/sys/netinet/udp_usrreq.c:402
#15 0xc056fd1d in ip_input (m=0xc278b300) at /u/src5/sys/netinet/ip_input.c:739
#16 0xc055c38b in netisr_processqueue (ni=0xc06b03d8) at /u/src5/sys/net/netisr.c:233
#17 0xc055c7b6 in swi_net (dummy=0x0) at /u/src5/sys/net/netisr.c:346
#18 0xc04de181 in ithread_loop (arg=0xc1f34200) at /u/src5/sys/kern/kern_intr.c:547
#19 0xc04dd231 in fork_exit (callout=0xc04de028 , arg=0xc1f34200, frame=0xe4b45d48) at /u/src5/sys/kern/kern_fork.c:811
#20 0xc0617c9c in fork_trampoline () at /u/src5/sys/i386/i386/exception.s:209
---
As the GENERIC kernel panics too, the kernel config is skipped.
>How-To-Repeat:
Maybe `ipfw tee natd` can emulate my situation, but I didn't try it myself.
>Fix:
Disable UDP transport on NFS. But the problem seems to be deeper.
>Release-Note:
>Audit-Trail:
>Unformatted:
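A small triage helper, added here as an example and not part of this PR or of FreeBSD's own code: it parses `tethereal -td` summary lines of the shape quoted in the report and flags RPC retransmissions that arrive within a millisecond of the call they repeat, which is the duplicate pattern the report ties to the panic, so an administrator can tell which clients emit it before deciding to move them off UDP. The capture excerpt embedded below is constructed to mirror the report, and the 1 ms threshold is an assumed default.

```python
import re
from typing import Dict, List, Tuple

# Summary line as printed by `tethereal -td` (delta seconds since the previous
# frame), in the shape quoted in the report: "<no> <delta> <src> -> <dst> <proto> <info>".
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+(.*)$")
RETRANS_RE = re.compile(r"\[RPC retransmission of #(\d+)\]")

# Constructed excerpt in that format (values chosen to mirror the report).
SAMPLE = """\
5 0.011850 192.168.1.4 -> 10.1.1.1 NFS V2 CREATE Call, DH:0x9d5440aa/fil
6 0.000016 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #5]V2 CREATE Call, DH:0x9d5440aa/fil
7 0.000534 192.168.1.4 -> 10.1.1.1 NFS V2 SETATTR Call, FH:0x7233c0b2
8 0.000012 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #7]V2 SETATTR Call, FH:0x7233c0b2
9 0.863791 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #7]V2 SETATTR Call, FH:0x7233c0b2
"""

def find_fast_duplicates(text: str, max_gap_s: float = 0.001) -> List[Tuple[int, int, float, str]]:
    """Return (frame, original_frame, gap_seconds, client) for every RPC
    retransmission that arrived within max_gap_s of the call it repeats.
    -td gives per-frame deltas, so the gap to the original is the running
    sum of deltas from the original up to the retransmission."""
    clock: Dict[int, float] = {}      # frame number -> cumulative time
    calls = []                        # (frame, src, info) in capture order
    t = 0.0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # not a summary line; ignore it
        no, delta, src, _dst, _proto, info = m.groups()
        t += float(delta)
        clock[int(no)] = t
        calls.append((int(no), src, info))
    hits = []
    for no, src, info in calls:
        r = RETRANS_RE.search(info)
        if not r or int(r.group(1)) not in clock:
            continue                  # not a retransmission, or original not in excerpt
        orig = int(r.group(1))
        gap = clock[no] - clock[orig]
        if gap <= max_gap_s:
            hits.append((no, orig, gap, src))
    return hits

if __name__ == "__main__":
    for no, orig, gap, src in find_fast_duplicates(SAMPLE):
        print(f"frame {no} repeats #{orig} from {src} after {gap * 1e6:.0f} us")
```

Raise `max_gap_s` to catch ordinary timeout-driven retransmissions as well; with the default only the back-to-back duplicates (frames 6 and 8 above) are reported.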