From owner-freebsd-bugs Thu Aug 9 15:40:14 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 608C237B405
	for ; Thu, 9 Aug 2001 15:40:01 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f79Me1k25313;
	Thu, 9 Aug 2001 15:40:01 -0700 (PDT)
	(envelope-from gnats)
Received: from melchior.cuivre.fr.eu.org (melchior.enst.fr [137.194.161.6])
	by hub.freebsd.org (Postfix) with ESMTP id 0861037B403
	for ; Thu, 9 Aug 2001 15:34:12 -0700 (PDT)
	(envelope-from thomas@cuivre.fr.eu.org)
Received: from melusine.cuivre.fr.eu.org (melusine.enst.fr [137.194.160.34])
	by melchior.cuivre.fr.eu.org (Postfix) with ESMTP id 7D958826F
	for ; Fri, 10 Aug 2001 00:34:09 +0200 (CEST)
Received: by melusine.cuivre.fr.eu.org (Postfix, from userid 1000)
	id BD95424D46; Fri, 10 Aug 2001 00:34:11 +0200 (CEST)
Message-Id: <20010809223411.BD95424D46@melusine.cuivre.fr.eu.org>
Date: Fri, 10 Aug 2001 00:34:11 +0200 (CEST)
From: Thomas Quinot
Reply-To: Thomas Quinot
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: kern/29583: 4.4-PREREL/ipf 3.4.20: 'to' rule with tun causes crash
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         29583
>Category:       kern
>Synopsis:       4.4-PREREL/ipf 3.4.20: 'to' rule with tun causes crash
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 09 15:40:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Thomas Quinot
>Release:        FreeBSD 4.4-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD melusine.cuivre.fr.eu.org 4.4-PRERELEASE FreeBSD 4.4-PRERELEASE #9: Thu Aug 9 17:33:53 CEST 2001
    thomas@melusine.cuivre.fr.eu.org:/usr/obj/usr/src/sys/MELUSINE i386

>Description:
I have an ipf rule that performs routing based on source address (for VPN
purposes, using a pipsec tunnel):

    block out log quick on tun0 to tun1:10.3.0.1 from VPN.IP.ADDR.ESS/32 to any group 11

(group 11 is the outbound group. When an outbound packet has the VPN tunnel
interface address as its source, route it back through the VPN tunnel (tun1)
instead of the default route (tun0)).

This rule used to work as expected with ipfilter 3.4.16 under FreeBSD
4.3-STABLE. With 4.4-PRERELEASE (ipfilter 3.4.20), it freezes the machine.
On one of my attempts, I obtained a kernel crash dump. One possible
hypothesis is that ipfilter has corrupted an mbuf while moving the packet
from one interface to another:

Script started on Fri Aug 10 00:00:56 2001
$ gdb -k /usr/obj/usr/src/sys/MELUSINE/kernel.debug vmcore.5
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
IdlePTD 4108288
initial pcb at 344dc0
panicstr: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x6c2f6c71
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc018b2af
stack pointer           = 0x10:0xc8f4ad88
frame pointer           = 0x10:0xc8f4ad98
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 518 (pipsecd)
interrupt mask          = net
trap number             = 12
panic: page fault

syncing disks... 19 done
Uptime: 26m53s

dumping to dev #ad/0x20009, offset 270360
dump ata0: resetting devices .. done
127 126 125 124 123 122 121 120 119 118 117 116 115 114 113 112 111 110 109 108
107 106 105 104 103 102 101 100 99 98 97 96 95 94 93 92 91 90 89 88 87 86 85 84
83 82 81 80 79 78 77 76 75 74 73 72 71 70 69 68 67 66 65 64 63 62 61 60 59 58
57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 [CTRL-C to abort] 42 [CTRL-C to
abort] 41 [CTRL-C to abort] 40 [CTRL-C to abort] 39 [CTRL-C to abort] 38
[CTRL-C to abort] 37 [CTRL-C to abort] 36 [CTRL-C to abort] 35 34 [CTRL-C to
abort] 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10
9 8 7 6 5 4 3 2 1 0
---
#0  dumpsys () at /usr/src/sys/kern/kern_shutdown.c:472
472             if (dumping++) {
(kgdb) bt
#0  dumpsys () at /usr/src/sys/kern/kern_shutdown.c:472
#1  0xc016fbfd in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:312
#2  0xc016ffe5 in panic (fmt=0xc02f928c "%s") at /usr/src/sys/kern/kern_shutdown.c:580
#3  0xc02ae91b in trap_fatal (frame=0xc8f4ad48, eva=1815047281) at /usr/src/sys/i386/i386/trap.c:951
#4  0xc02ae5d5 in trap_pfault (frame=0xc8f4ad48, usermode=0, eva=1815047281) at /usr/src/sys/i386/i386/trap.c:844
#5  0xc02ae17f in trap (frame={tf_fs = 134479888, tf_es = -1065877488, tf_ds = -923533296, tf_edi = 6685184, tf_esi = 1815047265, tf_ebp = -923488872, tf_isp = -923488908, tf_ebx = -1065820160, tf_edx = 6685184, tf_ecx = -923488560, tf_eax = 6685184, tf_trapno = 12, tf_err = 0, tf_eip = -1072123217, tf_cs = 8, tf_eflags = 66054, tf_esp = -1065820160, tf_ss = -1065820160}) at /usr/src/sys/i386/i386/trap.c:443
#6  0xc018b2af in m_freem (m=0x6c2f6c61) at /usr/src/sys/kern/uipc_mbuf.c:618
#7  0xc018b2cd in m_freem (m=0xc0759700) at /usr/src/sys/kern/uipc_mbuf.c:618
#8  0xc01b5c0a in tunread (dev=0xc0cc1e80, uio=0xc8f4aed0, flag=8323072) at /usr/src/sys/net/if_tun.c:584
#9  0xc01a7e27 in spec_read (ap=0xc8f4ae5c) at /usr/src/sys/miscfs/specfs/spec_vnops.c:253
#10 0xc0242888 in ufsspec_read (ap=0xc8f4ae5c) at /usr/src/sys/ufs/ufs/ufs_vnops.c:1834
---Type <return> to continue, or q to quit---
#11 0xc0242e7d in ufs_vnoperatespec (ap=0xc8f4ae5c) at /usr/src/sys/ufs/ufs/ufs_vnops.c:2391
#12 0xc01a3daf in vn_read (fp=0xc0d67f80, uio=0xc8f4aed0, cred=0xc0731880, flags=0, p=0xc8edba40) at vnode_if.h:334
#13 0xc017e149 in dofileread (p=0xc8edba40, fp=0xc0d67f80, fd=9, buf=0x804e660, nbyte=4096, offset=-1, flags=0) at /usr/src/sys/sys/file.h:146
#14 0xc017e00a in read (p=0xc8edba40, uap=0xc8f4af80) at /usr/src/sys/kern/sys_generic.c:117
#15 0xc02aebba in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 134538848, tf_esi = 0, tf_ebp = -1077936800, tf_isp = -923488300, tf_ebx = 9, tf_edx = 134538496, tf_ecx = 134538532, tf_eax = 3, tf_trapno = 7, tf_err = 2, tf_eip = 672790868, tf_cs = 31, tf_eflags = 518, tf_esp = -1077937148, tf_ss = 47}) at /usr/src/sys/i386/i386/trap.c:1150
#16 0xc029fdd5 in Xint0x80_syscall ()
#17 0x80490ef in ?? ()
(kgdb) fr 8
#8  0xc01b5c0a in tunread (dev=0xc0cc1e80, uio=0xc8f4aed0, flag=8323072) at /usr/src/sys/net/if_tun.c:584
584                     m_freem(m0);
(kgdb) list
579                     m0 = m;
580             }
581
582             if (m0) {
583                     TUNDEBUG("%s%d: Dropping mbuf\n", ifp->if_name, ifp->if_unit);
584                     m_freem(m0);
585             }
586             return error;
587     }
588
(kgdb) print ifp
$1 = (struct ifnet *) 0xc0d5c308
(kgdb) print *ifp
$2 = {if_softc = 0xc0d5c300, if_name = 0xc02d5d20 "tun", if_link = {
    tqe_next = 0x0, tqe_prev = 0xc0cfef10}, if_addrhead = {
    tqh_first = 0xc0d5c200, tqh_last = 0xc0d69c60}, if_pcount = 0,
  if_bpf = 0x0, if_index = 5, if_unit = 1, if_timer = 0, if_flags = -32687,
  if_ipending = 0, if_linkmib = 0x0, if_linkmiblen = 0, if_data = {
    ifi_type = 23 '\027', ifi_physical = 0 '\000', ifi_addrlen = 0 '\000',
    ifi_hdrlen = 0 '\000', ifi_recvquota = 0 '\000', ifi_xmitquota = 0 '\000',
    ifi_mtu = 1500, ifi_metric = 0, ifi_baudrate = 0, ifi_ipackets = 999,
    ifi_ierrors = 0, ifi_opackets = 1127, ifi_oerrors = 0, ifi_collisions = 0,
    ifi_ibytes = 139268, ifi_obytes = 1176565, ifi_imcasts = 0,
    ifi_omcasts = 0, ifi_iqdrops = 0, ifi_noproto = 0, ifi_hwassist = 0,
    ifi_unused = 0, ifi_lastchange = {tv_sec = 997392138, tv_usec = 502288}},
  if_multiaddrs = {lh_first = 0xc0d54c20}, if_amcount = 0,
  if_output = 0xc01b53f8, if_start = 0, if_done = 0, if_ioctl = 0xc01b52a0,
  if_watchdog = 0, if_poll_recv = 0, if_poll_xmit = 0, if_poll_intren = 0,
  if_poll_slowinput = 0, if_init = 0, if_resolvemulti = 0, if_snd = {
    ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0, ifq_maxlen = 50,
    ifq_drops = 0}, if_poll_slowq = 0x0, if_prefixhead = {tqh_first = 0x0,
    tqh_last = 0xc0d5c3d8}}
(kgdb) fr 6
#6  0xc018b2af in m_freem (m=0x6c2f6c61) at /usr/src/sys/kern/uipc_mbuf.c:618
618             MFREE(m, n);

Note: This was also reported as FreeBSD PR kern/

>How-To-Repeat:
Create a rule set with a 'to' rule diverting packets from one tun interface
to another tun interface [it is unknown whether this problem occurs with
non-tun interfaces]. Trigger the rule by sending out a matching packet.

>Fix:
None known.

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
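Editor's added example, not part of the PR above and not FreeBSD code: a user-space model of the m_freem() chain walk that the backtrace ends in. Two values in the dump are worth reading together. The mbuf pointer handed to m_freem in frame #6 is 0x6c2f6c61, whose four bytes are all printable ASCII ("al/l" read little-endian), and the fault address 0x6c2f6c71 is exactly 0x10 past it, which in the 4.x i386 mbuf header is where m_type sits, the first field MFREE reads. The model reproduces that shape: a chain whose second m_next link has been overwritten with that value, a plausibility check for links (a static pool stands in for the kernel's mbuf map), and a free loop that stops at the bad link instead of dereferencing it, which is the check a debug build could apply before the walk. The struct layout, the pool, the chain and the corruption are all constructed here; only the two addresses come from the report.

```c
/*
 * Added example (editor's illustration, not code from the PR or from
 * FreeBSD): a user-space model of the 4.x m_freem() chain walk, showing how
 * one overwritten m_next link becomes a page fault one frame deeper, and a
 * link sanity check that would stop the walk first. Pool, layout and the
 * corrupt value are constructed; only 0x6c2f6c61 / 0x6c2f6c71 are from
 * the report.
 */
#include <assert.h>
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field order follows the 4.x struct m_hdr (assumed for the model):
 * next, nextpkt, data, len, type, flags. With 4-byte pointers (i386)
 * that puts m_type at offset 16, i.e. 0x6c2f6c61 + 0x10 == 0x6c2f6c71. */
struct mbuf_model {
    struct mbuf_model *m_next;
    struct mbuf_model *m_nextpkt;
    char              *m_data;
    int                m_len;
    short              m_type;
    short              m_flags;
    char               m_dat[104];   /* payload; size chosen for the model */
};

#define MT_FREE   0
#define MT_DATA   1
#define POOL_SIZE 8

/* Constructed stand-in for the kernel's mbuf map. */
static struct mbuf_model pool[POOL_SIZE];

/* A link is plausible if it is NULL (end of chain) or points at the start
 * of an element inside the pool (bounds plus alignment). */
int mbuf_ptr_plausible(const struct mbuf_model *m)
{
    uintptr_t p  = (uintptr_t)m;
    uintptr_t lo = (uintptr_t)pool;
    uintptr_t hi = (uintptr_t)(pool + POOL_SIZE);
    if (m == NULL) return 1;
    if (p < lo || p >= hi) return 0;
    return (p - lo) % sizeof(*m) == 0;
}

/* All four bytes of a 32-bit value printable: the signature of text data
 * having been written over a pointer. 0x6c2f6c61 is "al/l". */
int looks_like_ascii(uint32_t v)
{
    for (int i = 0; i < 4; i++)
        if (!isprint((int)((v >> (8 * i)) & 0xff))) return 0;
    return 1;
}

/* Walk m_next; return the 0-based index of the first implausible link,
 * or -1 if every link up to max_links is clean. */
int chain_validate(const struct mbuf_model *m, int max_links)
{
    for (int i = 0; i < max_links && m != NULL; i++, m = m->m_next)
        if (!mbuf_ptr_plausible(m)) return i;
    return -1;
}

/* Mirror of the m_freem loop (n = m->m_next; MFREE(m); m = n), but the
 * link is checked before it is dereferenced. Returns mbufs released. */
int model_m_freem(struct mbuf_model *m)
{
    int freed = 0;
    while (m != NULL) {
        if (!mbuf_ptr_plausible(m)) {
            /* the real MFREE would read m->m_type here and fault */
            fprintf(stderr, "bad link %p after %d mbufs\n", (void *)m, freed);
            return freed;
        }
        struct mbuf_model *n = m->m_next;
        m->m_type = MT_FREE;
        m->m_next = NULL;
        m = n;
        freed++;
    }
    return freed;
}

/* Build a 3-mbuf chain from the pool and clobber the second link with the
 * value seen in the crash dump (constructed corruption). */
struct mbuf_model *build_corrupt_chain(void)
{
    memset(pool, 0, sizeof pool);
    for (int i = 0; i < 3; i++) {
        pool[i].m_type = MT_DATA;
        pool[i].m_data = pool[i].m_dat;
        pool[i].m_next = (i < 2) ? &pool[i + 1] : NULL;
    }
    pool[1].m_next = (struct mbuf_model *)(uintptr_t)0x6c2f6c61u;
    return &pool[0];
}

int main(void)
{
    struct mbuf_model *head = build_corrupt_chain();
    printf("m_type offset in this build: %zu\n", offsetof(struct mbuf_model, m_type));
    printf("first bad link at index %d\n", chain_validate(head, 16));
    printf("bogus pointer all printable: %d\n", looks_like_ascii(0x6c2f6c61u));
    printf("released %d mbufs before stopping\n", model_m_freem(head));
    return 0;
}
```

The walk releases the first two mbufs and stops when it reaches the clobbered link, which is the same point at which the kernel's m_freem faulted; in the dump the walk started at 0xc0759700 (frame #7) and died on the link it read from there (frame #6). On a 64-bit host the m_type offset printed is 28 rather than 16, because the model's pointers are 8 bytes; the i386 value is the one that matches the report.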