From owner-freebsd-bugs@FreeBSD.ORG Sun May 8 09:00:23 2011
Resent-Date: Sun, 8 May 2011 09:00:20 GMT
Resent-Message-Id: <201105080900.p4890K3I016845@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Przemyslaw Frasunek
Message-Id: <20110508085114.DDD8E239449@lagoon.freebsd.lublin.pl>
Date: Sun, 8 May 2011 10:51:14 +0200 (CEST)
From: Przemyslaw Frasunek
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc:
Subject: kern/156877: [panic] dummynet move_pkt() null ptr dereference
Reply-To: Przemyslaw Frasunek
List-Id: Bug reports

>Number:         156877
>Category:       kern
>Synopsis:       [panic] dummynet move_pkt() null ptr dereference
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 08 09:00:20 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Przemyslaw Frasunek
>Release:        FreeBSD 7.3-RELEASE-p4 i386
>Organization:
Nette sp. z o.o.
>Environment:
7.3-RELEASE-p4 running dummynet, pf and mpd5 with 200-300 PPPoE sessions.
>Description:
NULL pointer dereference in dummynet move_pkt() due to empty m_pkthdr.tags:

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...

Unread portion of the kernel message buffer:
frame pointer           = 0x28:0xc523ac18
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 45 (dummynet)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 67d12h9m20s
Physical memory: 2000 MB
Dumping 232 MB: 217 201 185 169 153 137 121 105 89 73 57 41 25 9

Reading symbols from /boot/kernel/coretemp.ko...Reading symbols from /boot/kernel/coretemp.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/coretemp.ko
Reading symbols from /boot/kernel/smbus.ko...Reading symbols from /boot/kernel/smbus.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/smbus.ko
Reading symbols from /boot/kernel/smb.ko...Reading symbols from /boot/kernel/smb.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/smb.ko
Reading symbols from /boot/kernel/ichsmb.ko...Reading symbols from /boot/kernel/ichsmb.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ichsmb.ko
Reading symbols from /boot/kernel/ipmi.ko...Reading symbols from /boot/kernel/ipmi.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ipmi.ko
Reading symbols from /boot/kernel/acpi.ko...Reading symbols from /boot/kernel/acpi.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/acpi.ko
Reading symbols from /boot/kernel/ng_socket.ko...Reading symbols from /boot/kernel/ng_socket.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_socket.ko
Reading symbols from /boot/kernel/netgraph.ko...Reading symbols from /boot/kernel/netgraph.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/netgraph.ko
Reading symbols from /boot/kernel/ng_mppc.ko...Reading symbols from /boot/kernel/ng_mppc.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_mppc.ko
Reading symbols from /boot/kernel/rc4.ko...Reading symbols from /boot/kernel/rc4.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/rc4.ko
Reading symbols from /boot/kernel/ng_ether.ko...Reading symbols from /boot/kernel/ng_ether.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_ether.ko
Reading symbols from /boot/kernel/ng_pppoe.ko...Reading symbols from /boot/kernel/ng_pppoe.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_pppoe.ko
Reading symbols from /boot/kernel/if_tap.ko...Reading symbols from /boot/kernel/if_tap.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/if_tap.ko
Reading symbols from /boot/kernel/ng_tee.ko...Reading symbols from /boot/kernel/ng_tee.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_tee.ko
Reading symbols from /boot/kernel/ng_iface.ko...Reading symbols from /boot/kernel/ng_iface.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_iface.ko
Reading symbols from /boot/kernel/ng_ppp.ko...Reading symbols from /boot/kernel/ng_ppp.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_ppp.ko
Reading symbols from /boot/kernel/ng_tcpmss.ko...Reading symbols from /boot/kernel/ng_tcpmss.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_tcpmss.ko
Reading symbols from /boot/kernel/ng_bpf.ko...Reading symbols from /boot/kernel/ng_bpf.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_bpf.ko
Reading symbols from /boot/kernel/ng_car.ko...Reading symbols from /boot/kernel/ng_car.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_car.ko
#0  doadump () at pcpu.h:196
196             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:196
#1  0xc0836ac7 in boot (howto=260) at ../../../kern/kern_shutdown.c:418
#2  0xc0836d99 in panic (fmt=Variable "fmt" is not available.
) at ../../../kern/kern_shutdown.c:574
#3  0xc0b5ef1c in trap_fatal (frame=0xc523abcc, eva=24) at ../../../i386/i386/trap.c:950
#4  0xc0b5f1a0 in trap_pfault (frame=0xc523abcc, usermode=0, eva=24) at ../../../i386/i386/trap.c:863
#5  0xc0b5fb95 in trap (frame=0xc523abcc) at ../../../i386/i386/trap.c:541
#6  0xc0b42e7b in calltrap () at ../../../i386/i386/exception.s:166
#7  0xc0923b80 in move_pkt (pkt=0xd1060700, q=0xcbbcc600, p=0xc6922800, len=1494) at ../../../netinet/ip_dummynet.c:545
#8  0xc0924630 in ready_event (q=0xcbbcc600, head=0xc523ac8c, tail=0xc523ac88) at ../../../netinet/ip_dummynet.c:593
#9  0xc0926445 in dummynet_task (context=0x0, pending=1) at ../../../netinet/ip_dummynet.c:847
#10 0xc086e135 in taskqueue_run (queue=0xc56e7480) at ../../../kern/subr_taskqueue.c:282
#11 0xc086e348 in taskqueue_thread_loop (arg=0xc0d4dc08) at ../../../kern/subr_taskqueue.c:401
#12 0xc080e9f9 in fork_exit (callout=0xc086e280 , arg=0xc0d4dc08, frame=0xc523ad38) at ../../../kern/kern_fork.c:811
#13 0xc0b42ef0 in fork_trampoline () at ../../../i386/i386/exception.s:271
(kgdb) frame 7
#7  0xc0923b80 in move_pkt (pkt=0xd1060700, q=0xcbbcc600, p=0xc6922800, len=1494) at ../../../netinet/ip_dummynet.c:545
545             dt->output_time = curr_time + p->delay ;
(kgdb) list -
535     static void
536     move_pkt(struct mbuf *pkt, struct dn_flow_queue *q, struct dn_pipe *p,
537         int len)
538     {
539         struct dn_pkt_tag *dt = dn_tag_get(pkt);
540
541         q->head = pkt->m_nextpkt ;
542         q->len-- ;
543         q->len_bytes -= len ;
544
(kgdb) print *pkt
$1 = {m_hdr = {mh_next = 0x0, mh_nextpkt = 0xd60e7b00, mh_data = 0xc6bb2810 "E", mh_len = 1494, mh_flags = 1027, mh_type = 1, pad = "\000"},
  M_dat = {MH = {MH_pkthdr = {rcvif = 0xc56e8000, header = 0x0, len = 1494, csum_flags = 3840, csum_data = 65535, tso_segsz = 0, ether_vtag = 5, tags = {slh_first = 0x0}},
      MH_dat = {MH_ext = {ext_buf = 0xc6bb2800 "!í", ext_free = 0, ext_args = 0x0, ext_size = 2048, ref_cnt = 0xc6c4e294, ext_type = 6},
        MH_databuf = "\000(»Æ\000\000\000\000\000\000\000\000\000\b\000\000\224âÄÆ\006\000\000\000\000Úæjó\001\002j\200\020ÿÿ\024¥\000\000\001\001\005\nó\001\rÂó\001Fz\220jÉÛÈwå¬-<²\r\001í#\034ü\217C\210'£fÌDÑiVÀ\003\0204ô\003:Çí\211þ\207\f\215@3\000\t\0020\006P|\225\030\027¼ôQ\024\r¼ÜËó\033C\206±\tQíA\034x£\036¿üû~Ê\000ØØà7E\016¨i%>\206©\210/ã\231awÊÚ:ðdK\230B!+\234\025Y\000[Eb_$\005D#÷\\Öm\024@Që>\202op*Y-Âò Ã`Ì\0323.(\221\227"...}},
    M_databuf = "\000\200nÅ\000\000\000\000Ö\005\000\000\000\017\000\000ÿÿ\000\000\000\000\005\000\000\000\000\000\000(»Æ\000\000\000\000\000\000\000\000\000\b\000\000\224âÄÆ\006\000\000\000\000Úæjó\001\002j\200\020ÿÿ\024¥\000\000\001\001\005\nó\001\rÂó\001Fz\220jÉÛÈwå¬-<²\r\001í#\034ü\217C\210'£fÌDÑiVÀ\003\0204ô\003:Çí\211þ\207\f\215@3\000\t\0020\006P|\225\030\027¼ôQ\024\r¼ÜËó\033C\206±\tQíA\034x£\036¿üû~Ê\000ØØà7E\016¨i%>\206©\210/ã\231awÊÚ:ðdK\230B!+\234\025Y\000[Eb_$\005D"...}}
(kgdb) x/i $eip
0xc0923b80 :    mov    %edx,0x8(%eax)
(kgdb) info reg eax
eax            0x10     16
>How-To-Repeat:
Unknown. Happened after 67 days of uptime, without any changes in dummynet rules.
>Fix:
Unknown.
>Release-Note:
>Audit-Trail:
>Unformatted:
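Editor's added illustration, not part of the PR and not FreeBSD kernel code. The register dump in the report (eax = 0x10 at the faulting "mov %edx,0x8(%eax)", faulting address eva = 24) is what a tag lookup of the form "first m_tag of the packet, plus one header" produces when m_pkthdr.tags is empty: the list walk returns NULL, the header size (16 bytes on i386) becomes the tag-data pointer, and the store to output_time lands a few bytes past it. The C program below models that in user space with simplified, hypothetical struct layouts (all names ending in _model, field order constructed, not claimed to match the real struct m_tag or struct dn_pkt_tag) and puts the unchecked computation beside a checked lookup that returns NULL so the caller can drop the untagged packet instead of dereferencing a small bogus address.

```c
/*
 * Added user-space model (not FreeBSD source) of the tag lookup behind the
 * crash in PR kern/156877.  All *_model types are hypothetical
 * simplifications of struct m_tag, struct dn_pkt_tag and the mbuf header.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified mbuf tag header; a tag's payload is laid out right after it. */
struct m_tag_model {
    struct m_tag_model *m_tag_next;   /* stands in for the SLIST link */
    uint16_t m_tag_id;
    uint16_t m_tag_len;
    uint32_t m_tag_cookie;
};

/* Simplified dummynet per-packet tag; field order is constructed. */
struct dn_pkt_tag_model {
    uint32_t rule_placeholder;
    uint32_t pad;
    uint64_t output_time;    /* the field move_pkt() assigns at line 545 */
};

/* A tag header followed in memory by its dummynet payload. */
struct dn_tagged_model {
    struct m_tag_model hdr;
    struct dn_pkt_tag_model data;
};

/* Simplified packet header: only the tag list head (m_pkthdr.tags). */
struct mbuf_model {
    struct m_tag_model *tags_first;   /* slh_first; NULL when the list is empty */
};

static struct m_tag_model *m_tag_first_model(const struct mbuf_model *m)
{
    return m->tags_first;
}

/*
 * Unchecked lookup: the value "(mtag + 1)" takes when mtag is NULL, computed
 * as an integer to avoid NULL pointer arithmetic in user space.  With an
 * empty tag list the result is just sizeof(struct m_tag), a small non-NULL
 * address; on the PR's i386 kernel that is the 0x10 seen in eax.
 */
static uintptr_t dn_tag_addr_unchecked(const struct mbuf_model *m)
{
    struct m_tag_model *mtag = m_tag_first_model(m);
    return (uintptr_t)mtag + sizeof(struct m_tag_model);
}

/* Address the store to output_time would touch with that bogus pointer. */
static uintptr_t dn_tag_fault_addr_unchecked(const struct mbuf_model *m)
{
    return dn_tag_addr_unchecked(m) +
           offsetof(struct dn_pkt_tag_model, output_time);
}

/* Checked lookup: NULL when the packet carries no tag at all. */
static struct dn_pkt_tag_model *dn_tag_get_checked(const struct mbuf_model *m)
{
    struct m_tag_model *mtag = m_tag_first_model(m);
    if (mtag == NULL)
        return NULL;
    return (struct dn_pkt_tag_model *)(mtag + 1);   /* payload follows header */
}

/* Model of the move_pkt() step: 0 on success, -1 so the caller can drop
 * an untagged packet instead of faulting on a garbage pointer. */
static int move_pkt_model(struct mbuf_model *m, uint64_t curr_time, uint64_t delay)
{
    struct dn_pkt_tag_model *dt = dn_tag_get_checked(m);
    if (dt == NULL)
        return -1;
    dt->output_time = curr_time + delay;
    return 0;
}

/* Constructed sample: attach one dummynet tag to a packet. */
static void attach_dn_tag(struct mbuf_model *m, struct dn_tagged_model *t)
{
    t->hdr.m_tag_next = NULL;
    t->hdr.m_tag_id = 1;                 /* constructed id */
    t->hdr.m_tag_len = sizeof(t->data);
    t->hdr.m_tag_cookie = 0;
    t->data.output_time = 0;
    m->tags_first = &t->hdr;
}

/* Empty tag list, unchecked: the bogus tag-data address and fault address. */
uintptr_t demo_empty_unchecked(void)
{
    struct mbuf_model m = { NULL };
    return dn_tag_addr_unchecked(&m);
}
uintptr_t demo_empty_fault_addr(void)
{
    struct mbuf_model m = { NULL };
    return dn_tag_fault_addr_unchecked(&m);
}

/* Empty tag list, checked: the packet is rejected (-1) rather than faulting. */
int demo_empty_checked(void)
{
    struct mbuf_model m = { NULL };
    return move_pkt_model(&m, 1000, 50);
}

/* Tagged packet: output_time is set to curr_time + delay. */
uint64_t demo_tagged(void)
{
    struct mbuf_model m = { NULL };
    struct dn_tagged_model t;
    attach_dn_tag(&m, &t);
    if (move_pkt_model(&m, 1000, 50) != 0)
        return 0;
    return t.data.output_time;
}

int main(void)
{
    printf("empty list, unchecked: tag addr %#lx, fault addr %#lx\n",
           (unsigned long)demo_empty_unchecked(),
           (unsigned long)demo_empty_fault_addr());
    printf("empty list, checked: %d; tagged: output_time=%llu\n",
           demo_empty_checked(), (unsigned long long)demo_tagged());
    return 0;
}
```

The printed addresses depend on the host's pointer size, so they match the PR's 0x10 and 24 only on a 32-bit build with this constructed layout; the point is the shape of the failure (a tiny non-NULL pointer) and that a NULL check at the lookup turns a kernel panic into a dropped packet.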