Date: Wed, 30 Jul 2025 11:12:16 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 288549] PF panic with NAT + UDP fragments
Message-ID: <bug-288549-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288549

            Bug ID: 288549
           Summary: PF panic with NAT + UDP fragments
           Product: Base System
           Version: 15.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: danilo@FreeBSD.org

Hi,

I'm experiencing a reliably reproducible kernel panic involving PF, NAT and IP fragments that encapsulate UDP on FreeBSD 15.

FreeBSD capeta 15.0-CURRENT FreeBSD 15.0-CURRENT #24 main-n278879-4be9c6f38e78: Sat Jul 19 13:19:28 IST 2025     danilo@capeta:/usr/obj/usr/src/amd64.amd64/sys/CAPETA amd64

Scenario: Bhyve VM with Linux connected to a UDP-based VPN with another UDP-based VPN connecting through it (no judgment please :|). It crashes as soon as I put some traffic through it.

In my host's pf.conf I have "match in all scrub (reassemble tcp)" and some NAT rules.

Here is the panic + stack trace. Let me know if you need more information.

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0x0
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff83b85db9
stack pointer           = 0x28:0xfffffe02ca6cc520
frame pointer           = 0x28:0xfffffe02ca6cc550
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 6059 (vtnet-5:0 tx)
rdi: fffffe02ca6cc7e8 rsi: 0000000000000000 rdx: fffffe02ca6cc800
rcx: fffff8018f7a7590  r8: 000000000000a6cf  r9: 000000000000a6cf
rax: 0000000000000000 rbx: 0000000000000111 rbp: fffffe02ca6cc550
r10: 0000000000001b00 r11: 00000000000010ac r12: 00000000000057ca
r13: 0000000000000100 r14: 00000000000057ca r15: 00000000000046cb
trap number             = 12
panic: page fault
cpuid = 1
time = 1753862377
KDB: stack backtrace:
#0 0xffffffff80bc2d8d at kdb_backtrace+0x5d
#1 0xffffffff80b732e6 at vpanic+0x136
#2 0xffffffff80b731a3 at panic+0x43
#3 0xffffffff81095088 at trap_pfault+0x3c8
#4 0xffffffff8106a0d8 at calltrap+0x8
#5 0xffffffff83b869a6 at pf_translate_compat+0x406
#6 0xffffffff83b8c64a at pf_test_rule+0x27a
#7 0xffffffff83b8abee at pf_test+0x199e
#8 0xffffffff83ba3b1e at pf_check_out+0x2e
#9 0xffffffff80ccb928 at pfil_mbuf_fwd+0x38
#10 0xffffffff80d472c7 at ip_tryforward+0x267
#11 0xffffffff80d49941 at ip_input+0x2e1
#12 0xffffffff80cc881f at netisr_dispatch_src+0x9f
#13 0xffffffff80cac678 at ether_demux+0x138
#14 0xffffffff80cadb02 at ether_nh_input+0x332
#15 0xffffffff80cc881f at netisr_dispatch_src+0x9f
#16 0xffffffff80cac9e6 at ether_input+0x56
#17 0xffffffff80cb24cb at tunwrite+0x53b
Uptime: 7m49s

#0  __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:57
#1  doadump (textdump=<optimized out>) at /usr/src/sys/kern/kern_shutdown.c:399
#2  0xffffffff80b72e69 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:519
#3  0xffffffff80b73377 in vpanic (fmt=0xffffffff811efdb9 "%s", ap=ap@entry=0xfffffe02ca6cc3e0) at /usr/src/sys/kern/kern_shutdown.c:974
#4  0xffffffff80b731a3 in panic (fmt=<unavailable>) at /usr/src/sys/kern/kern_shutdown.c:887
#5  0xffffffff81095088 in trap_fatal (frame=<optimized out>, eva=<optimized out>) at /usr/src/sys/amd64/amd64/trap.c:974
#6  0xffffffff81095088 in trap_pfault (frame=0xfffffe02ca6cc460, usermode=false, signo=<optimized out>, ucode=<optimized out>)
#7  <signal handler called>
#8  0xffffffff83b85db9 in pf_change_ap (pd=pd@entry=0xfffffe02ca6cc7e8, a=<optimized out>, p=p@entry=0xfffffe02ca6cc800, an=0xfffff8018f7a7590, pn=42703) at /usr/src/sys/netpfil/pf/pf.c:3326
#9  0xffffffff83b869a6 in pf_translate_compat (ctx=ctx@entry=0xfffffe02ca6cc5c8) at /usr/src/sys/netpfil/pf/pf.c:6406
#10 0xffffffff83b8c64a in pf_test_rule (rm=rm@entry=0xfffffe02ca6cc968, sm=sm@entry=0xfffffe02ca6cc970, pd=pd@entry=0xfffffe02ca6cc7e8, am=am@entry=0xfffffe02ca6cc950, rsm=rsm@entry=0xfffffe02ca6cc938, reason=reason@entry=0xfffffe02ca6cc994, inp=0x0) at /usr/src/sys/netpfil/pf/pf.c:5842
#11 0xffffffff83b8abee in pf_test (af=af@entry=2 '\002', dir=dir@entry=2, pflags=393216, ifp=0xfffff8010593e800, m0=m0@entry=0xfffffe02ca6cca58, inp=0x0, default_actions=0x0) at /usr/src/sys/netpfil/pf/pf.c:10612
#12 0xffffffff83ba3b1e in pf_check_out (m=0xfffffe02ca6cca58, ifp=0xfffff8018f7a7590, flags=-898840576, ruleset=<optimized out>, inp=0xa6cf) at /usr/src/sys/netpfil/pf/pf_ioctl.c:6628
#13 0xffffffff80ccb928 in pfil_mbuf_common (flags=393216, pch=<optimized out>, m=<optimized out>, ifp=<optimized out>, inp=<optimized out>) at /usr/src/sys/net/pfil.c:212
#14 pfil_mbuf_fwd (head=<optimized out>, m=m@entry=0xfffffe02ca6cca58, ifp=0xfffff8010593e800, inp=inp@entry=0x0) at /usr/src/sys/net/pfil.c:246
#15 0xffffffff80d472c7 in ip_tryforward (m=0xfffff8015e8b4c00) at /usr/src/sys/netinet/ip_fastfwd.c:402
#16 0xffffffff80d49941 in ip_input (m=0xfffff8015e8b4c00) at /usr/src/sys/netinet/ip_input.c:585
#17 0xffffffff80cc881f in netisr_dispatch_src (proto=proto@entry=1, source=source@entry=0, m=0xfffffe02ca6cc800) at /usr/src/sys/net/netisr.c:1151
#18 0xffffffff80cc8bff in netisr_dispatch (proto=3396126696, proto@entry=1, m=0xfffffe02ca6cc800) at /usr/src/sys/net/netisr.c:1242
#19 0xffffffff80cac678 in ether_demux (ifp=ifp@entry=0xfffff8010c41d000, m=0xfffff8015e8b4c00) at /usr/src/sys/net/if_ethersubr.c:938
#20 0xffffffff80cadb02 in ether_input_internal (ifp=0xfffff8010c41d000, m=0xfffff8015e8b4c00) at /usr/src/sys/net/if_ethersubr.c:702
#21 ether_nh_input (m=<optimized out>) at /usr/src/sys/net/if_ethersubr.c:732
#22 0xffffffff80cc881f in netisr_dispatch_src (proto=proto@entry=5, source=source@entry=0, m=0xfffffe02ca6cc800) at /usr/src/sys/net/netisr.c:1151
#23 0xffffffff80cc8bff in netisr_dispatch (proto=3396126696, proto@entry=5, m=0xfffffe02ca6cc800) at /usr/src/sys/net/netisr.c:1242
#24 0xffffffff80cac9e6 in ether_input (ifp=<optimized out>, m=0x0) at /usr/src/sys/net/if_ethersubr.c:843
#25 0xffffffff80cb24cb in tunwrite_l2 (tp=<optimized out>, m=0xfffff8015e8b4c00, vhdr=<optimized out>) at /usr/src/sys/net/if_tuntap.c:1805
#26 tunwrite (dev=<optimized out>, uio=<optimized out>, flag=<optimized out>) at /usr/src/sys/net/if_tuntap.c:1924
#27 0xffffffff809f3c9a in devfs_write_f (fp=0xfffff8012630f690, uio=0xfffff807853a1d80, cred=<optimized out>, flags=0, td=0xfffff803af50b780) at /usr/src/sys/fs/devfs/devfs_vnops.c:1942
#28 0xffffffff80be5f11 in fo_write (fp=0xfffff8012630f690, uio=0xfffff807853a1d80, active_cred=0xfffffe02ca6cc800, td=0xfffff803af50b780, flags=<optimized out>) at /usr/src/sys/sys/file.h:361
#29 dofilewrite (td=td@entry=0xfffff803af50b780, fd=fd@entry=7, fp=0xfffff8012630f690, auio=auio@entry=0xfffff807853a1d80, offset=offset@entry=-1, flags=flags@entry=0) at /usr/src/sys/kern/sys_generic.c:565
#30 0xffffffff80be5e44 in kern_writev (td=0xfffff803af50b780, fd=7, auio=0xfffff807853a1d80) at /usr/src/sys/kern/sys_generic.c:492
#31 sys_writev (td=0xfffff803af50b780, uap=<optimized out>) at /usr/src/sys/kern/sys_generic.c:478
#32 0xffffffff810959e6 in syscallenter (td=0xfffff803af50b780) at /usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:193
#33 amd64_syscall (td=0xfffff803af50b780, traced=0) at /usr/src/sys/amd64/amd64/trap.c:1215
#34 <signal handler called>
#35 0x00003b79391530ba in ?? ()

Checking frame 8, you can see that pd->pcksum is NULL.

(kgdb) frame 8
#8  0xffffffff83b85db9 in pf_change_ap (pd=pd@entry=0xfffffe02ca6cc7e8, a=<optimized out>, p=p@entry=0xfffffe02ca6cc800, an=0xfffff8018f7a7590, pn=42703) at /usr/src/sys/netpfil/pf/pf.c:3326
3326            *pd->pcksum = pf_cksum_fixup(pf_cksum_fixup(*pd->pcksum,
(kgdb) p pd->pcksum
$22 = (u_int16_t *) 0x0

And it's NULL because this description is flagged as PF_VPROTO_FRAGMENT:

(kgdb) p pd->virtual_proto
$23 = 256

And because it's a PF_VPROTO_FRAGMENT, pf_setup_pdesc will not set pd->pcksum (which makes sense, I guess?).

pf_change_ap checks that pd->pcksum is not NULL, but I don't have INVARIANTS in my kernel: MPASS(pd->pcksum).
-- 
You are receiving this mail because:
You are the assignee for the bug.
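As an added illustration of the failure mode in this report (example code written for this page; it is not pf's code and not a proposed fix), the C below models the two pf_pdesc fields involved. It performs a NAT port rewrite that patches the L4 checksum incrementally and cross-checks the result against a full recomputation on a constructed UDP datagram, then attempts the same rewrite on a descriptor marked PF_VPROTO_FRAGMENT with a NULL checksum pointer, where the guarded version returns an error instead of dereferencing NULL as the unguarded kernel in the report did. struct pdesc_model, cksum_fixup(), change_port() and the datagram contents are all assumptions made for the example; only the value 256 for PF_VPROTO_FRAGMENT is taken from the kgdb output above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the two struct pf_pdesc fields in the report (not pf's definitions). */
#define PF_VPROTO_FRAGMENT 256          /* the value kgdb printed for pd->virtual_proto */
#ifndef IPPROTO_UDP
#define IPPROTO_UDP 17
#endif

struct pdesc_model {
    int       virtual_proto;   /* IPPROTO_UDP for a whole datagram, PF_VPROTO_FRAGMENT for a fragment */
    uint16_t *pcksum;          /* points at the L4 checksum word, or NULL when none was set up */
};

/* Plain Internet checksum (RFC 1071) over n 16-bit words held in host order. */
static uint16_t in_cksum(const uint16_t *w, size_t n)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += w[i];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Incremental update, RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'). Assumed stand-in for
 * pf_cksum_fixup(), not pf's code. udp applies the UDP rule that a checksum of 0 on the
 * wire means "not computed" and a computed 0 is transmitted as 0xffff. */
static uint16_t cksum_fixup(uint16_t cksum, uint16_t oldv, uint16_t newv, int udp)
{
    uint32_t sum;
    if (udp && cksum == 0)
        return 0;
    sum = (uint16_t)~cksum + (uint32_t)(uint16_t)~oldv + newv;
    sum = (sum & 0xffff) + (sum >> 16);
    sum = (sum & 0xffff) + (sum >> 16);
    cksum = (uint16_t)~sum;
    if (udp && cksum == 0)
        cksum = 0xffff;
    return cksum;
}

/* Assumed stand-in for the port half of pf_change_ap(): store the translated port and
 * patch the checksum through pd->pcksum. Where the report's kernel dereferenced a NULL
 * pd->pcksum, this refuses the translation (-1) so the caller can decide what to do. */
static int change_port(struct pdesc_model *pd, uint16_t *p, uint16_t pn)
{
    if (pd->virtual_proto == PF_VPROTO_FRAGMENT || pd->pcksum == NULL)
        return -1;
    *pd->pcksum = cksum_fixup(*pd->pcksum, *p, pn, pd->virtual_proto == IPPROTO_UDP);
    *p = pn;
    return 0;
}

enum { W_DPORT = 7, W_CKSUM = 9, NWORDS = 12 };   /* word offsets in the datagram below */

/* Constructed datagram: IPv4 pseudo-header (6 words) + UDP header (4 words) + 4 payload bytes. */
static void build_datagram(uint16_t *w)
{
    static const uint16_t tmpl[NWORDS] = {
        0xc000, 0x0201,          /* src 192.0.2.1 */
        0xc633, 0x6407,          /* dst 198.51.100.7 */
        0x0011, 0x000c,          /* zero + IPPROTO_UDP, UDP length 12 */
        0x8a12, 0x1194,          /* sport 35346, dport 4500 */
        0x000c, 0x0000,          /* UDP length, checksum placeholder */
        0xdead, 0xbeef,          /* payload */
    };
    for (size_t i = 0; i < NWORDS; i++)
        w[i] = tmpl[i];
    w[W_CKSUM] = in_cksum(w, NWORDS);   /* valid checksum for the template: 0xda55 */
}

/* NAT the destination port of a complete datagram; returns the incrementally updated checksum. */
static uint16_t nat_rewrite_checksum(uint16_t new_dport)
{
    uint16_t w[NWORDS];
    struct pdesc_model pd = { IPPROTO_UDP, NULL };
    build_datagram(w);
    pd.pcksum = &w[W_CKSUM];
    change_port(&pd, &w[W_DPORT], new_dport);
    return w[W_CKSUM];
}

/* Full recomputation after the same rewrite, to cross-check the incremental path. */
static uint16_t full_recompute_checksum(uint16_t new_dport)
{
    uint16_t w[NWORDS];
    build_datagram(w);
    w[W_DPORT] = new_dport;
    w[W_CKSUM] = 0;
    return in_cksum(w, NWORDS);
}

/* The crash scenario: a PF_VPROTO_FRAGMENT descriptor for which no checksum pointer was set. */
static int rewrite_on_fragment(void)
{
    uint16_t w[NWORDS];
    struct pdesc_model pd = { PF_VPROTO_FRAGMENT, NULL };
    build_datagram(w);
    return change_port(&pd, &w[W_DPORT], 50000);   /* -1: refused instead of faulting */
}

int main(void)
{
    printf("incremental 0x%04x, recomputed 0x%04x, fragment rc %d\n",
           nat_rewrite_checksum(50000), full_recompute_checksum(50000), rewrite_on_fragment());
    return 0;
}
```

Both checksum paths agree on the rewritten datagram, which is the property the incremental update in pf_change_ap relies on; the fragment case shows why a descriptor with no L4 header must be rejected before the pointer is used rather than only asserted on with MPASS, which compiles to nothing without INVARIANTS.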
