kern/51485: "Fatal trap 12" from bridge code with ipfw enabled, when passing a traceroute.

Eric Cohen eric at beta.MIT.EDU
Mon Apr 28 00:30:13 PDT 2003


>Number:         51485
>Category:       kern
>Synopsis:       "Fatal trap 12" from bridge code with ipfw enabled, when passing a traceroute.
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 28 00:30:11 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Eric Cohen <eric at beta.mit.edu>
>Release:        FreeBSD 5.0-RELEASE i386
>Organization:
>Environment:
System: FreeBSD 5.0-RELEASE FreeBSD 5.0-RELEASE #2: Sat Apr 26 15:53:04 PDT 2003 root@:/usr/src/sys/i386/compile/DATA i386

	Dell OptiPlex GXa PII/233 192MB, NatSemi DP83815 10/100, 3Com 3c905-TX (full dmesg output in attached tgz).
>Description:
	I have set up a bridge with an ipfw firewall (see attached archive for
	output of "ipfw list" (ipfw_list.txt), and other pertinent
	configuration information).  When I do a traceroute from outside to a
	machine on the other side of the bridge (note that this also causes
	near simultaneous tcp traffic, as the output of the traceroute is sent
	across the network from outside via ssh), a trap 12 occurs on the
	bridge machine.  Here is the applicable firewall rule:
	
	02800 unreach port udp from any to 209.204.154.240/30 dst-port 33435-33524 in via sis0
	
	If I remove this rule and reboot, the bridge will run for a little
	while, then if there is some icmp traffic, the bridge machine will
	appear frozen (no trap this time).  It is, however, still servicing
	interrupts, as I can switch vt's, turn numlock on/off etc, and even
	the bridge is still functioning (i.e. relaying packets), but all
	non-interrupt driven routines of the os are frozen.  I also see this
	behavior if I set the firewall to be completely open.

	I have narrowed the trap problem down to net/bridge.c::bdg_forward
	line 963.  It looks like ip_fw_chk_ptr (set to ipfw_chk in this case)
	is called just before doing "m0 = args.m;", but args.m is set NULL by
	the call to ipfw_chk.  We then get the trap when "EH_RESTORE(m0);"
	attempts to dereference m0 (see debug.txt in the attached archive for
	a log of the debugging session).  I did not attempt to debug the
	freezing problem, but it seems likely to be related.
	
	As an aside, the call to bdg_forward appears to be missing from the
	backtrace (the bt contains only the caller of bdg_forward,
	ether_input), but if you look at the eip in frame #14 "trap", you see
	that it falls within bdg_forward, which makes sense given the state of
	frame #15 (ether_input).
	
	I suspect this is an easy fix for someone who knows this code?  I
	don't know it though, and don't have the time to understand it well
	enough right now.

	I'd be happy to send the core, or post it somewhere, if someone wants
	it.
	
>How-To-Repeat:
	Do a traceroute from a machine outside of my bridge to a machine
	inside of the bridge, via an ssh session from within the bridge to the
	machine outside of the bridge.  Use the attached firewall ruleset.
	This is 100% reproducible.
>Fix:

	



>Release-Note:
>Audit-Trail:
>Unformatted:
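
The failure pattern described in the report, as an added example that is not part of the original report and is not FreeBSD source: a firewall hook that consumes the packet and clears `args->m`, and a caller that must test the reloaded pointer before restoring the Ethernet header. All names are hypothetical; that the hook frees the packet when a reject rule matches is an assumption, and the port range is taken from rule 02800 above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not FreeBSD source; every name here is hypothetical. */
struct pkt { unsigned char eh[14]; int proto; unsigned short dport; };
struct fw_args { struct pkt *m; };
enum verdict { FW_PASS, FW_DENY };
enum result { BDG_FORWARDED, BDG_DROPPED, BDG_CONSUMED };

/* Firewall hook stand-in. Assumption: a reject rule shaped like rule 02800
 * (UDP, dst-port 33435-33524) consumes the packet and clears args->m. */
enum verdict fw_chk(struct fw_args *args) {
    struct pkt *m = args->m;
    if (m->proto == 17 && m->dport >= 33435 && m->dport <= 33524) {
        free(m);           /* packet is used up producing the ICMP reply */
        args->m = NULL;    /* ownership is gone; caller must not touch it */
        return FW_DENY;
    }
    return FW_PASS;
}

/* Bridge forward stand-in. With check_null == 0 it follows the pattern in
 * the report: reload m0 from args.m and restore the header unconditionally. */
enum result forward(struct pkt *m0, const unsigned char *save, int check_null) {
    struct fw_args args = { m0 };
    enum verdict v = fw_chk(&args);
    m0 = args.m;
    if (check_null && m0 == NULL)
        return BDG_CONSUMED;               /* nothing left to restore or free */
    memcpy(m0->eh, save, sizeof m0->eh);   /* faults here if m0 is NULL */
    free(m0);                              /* stand-in for transmit or drop */
    return v == FW_PASS ? BDG_FORWARDED : BDG_DROPPED;
}

/* Build one constructed packet and push it through the checked path. */
enum result run_checked(int proto, unsigned short dport) {
    static const unsigned char save[14] = { 0 };
    struct pkt *m = calloc(1, sizeof *m);
    if (m == NULL) return BDG_DROPPED;
    m->proto = proto; m->dport = dport;
    return forward(m, save, 1);
}

int main(void) {
    /* Constructed inputs: a traceroute-style UDP probe, then a TCP packet. */
    printf("%d %d\n", run_checked(17, 33435), run_checked(6, 22));
    return 0;
}
```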
