kern/176992: panic from ipfilter/ipnat when VIMAGE options used

Oleg Ginzburg olevole at olevole.ru
Fri Mar 15 14:00:00 UTC 2013


>Number:         176992
>Category:       kern
>Synopsis:       panic from ipfilter/ipnat when VIMAGE options used
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 15 14:00:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Oleg Ginzburg
>Release:        10-current
>Organization:
>Environment:
>Description:
ipfilter/ipnat panics when the vimage feature is enabled; it needs a rework or should be marked as an option incompatible with vimage.


root at acerbsd:/usr/obj/usr/src/sys/G # kgdb kernel.debug /var/crash/vmcore.last
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 03
fault virtual address   = 0x28
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff809aa3da
stack pointer           = 0x28:0xffffff810e7b8650
frame pointer           = 0x28:0xffffff810e7b8670
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 1927 (ipnat)
trap number             = 12
panic: page fault
cpuid = 3
Uptime: 1m21s
Dumping 305 out of 3926 MB:..6%..11%..21%..32%..42%..53%..63%..74%..84%..95%

Reading symbols from /boot/kernel/tmpfs.ko...Reading symbols from /boot/kernel/tmpfs.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/tmpfs.ko
Reading symbols from /boot/kernel/linprocfs.ko...Reading symbols from /boot/kernel/linprocfs.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/linprocfs.ko
Reading symbols from /boot/kernel/linux.ko...Reading symbols from /boot/kernel/linux.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/linux.ko
Reading symbols from /boot/kernel/linsysfs.ko...Reading symbols from /boot/kernel/linsysfs.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/linsysfs.ko
Reading symbols from /boot/kernel/fdescfs.ko...Reading symbols from /boot/kernel/fdescfs.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/fdescfs.ko
Reading symbols from /boot/kernel/nullfs.ko...Reading symbols from /boot/kernel/nullfs.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/nullfs.ko
Reading symbols from /boot/kernel/pf.ko...Reading symbols from /boot/kernel/pf.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/pf.ko
Reading symbols from /boot/kernel/ipl.ko...Reading symbols from /boot/kernel/ipl.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ipl.ko
#0  doadump (textdump=<value optimized out>) at pcpu.h:229
229             __asm("movq %%gs:%1,%0" : "=r" (td)
(kgdb) bt full
#0  doadump (textdump=<value optimized out>) at pcpu.h:229
No locals.
#1  0xffffffff808eef24 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:447
        _ep = (struct eventhandler_entry *) 0x0
        _el = <value optimized out>
        first_buf_printf = 1
#2  0xffffffff808ef382 in panic (fmt=0x104 <Address 0x104 out of bounds>) at /usr/src/sys/kern/kern_shutdown.c:754
        ap = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0xffffff810e7b82b0, reg_save_area = 0xffffff810e7b81e0}}
#3  0xffffffff80c97b3d in trap_fatal (frame=0xfffffe0006c754b8, eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:872
        code = <value optimized out>
        ss = 40
        type = 12
        esp = <value optimized out>
        softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27, ssd_dpl = 0, ssd_p = 1, ssd_long = 1, ssd_def32 = 0, ssd_gran = 1}
        msg = <value optimized out>
#4  0xffffffff80c97e91 in trap_pfault (frame=0xffffff810e7b85a0, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:789
        id = <value optimized out>
        va = 0
        vm = <value optimized out>
        map = 0xfffffe000628e7a8
        rv = <value optimized out>
        ftype = 0 '\0'
        td = (struct thread *) 0xfffffe0006c81490
        p = (struct proc *) 0xfffffe0006c754b8
        eva = 40
#5  0xffffffff80c982f6 in trap (frame=0xffffff810e7b85a0) at /usr/src/sys/amd64/amd64/trap.c:463
        regs = {r_r15 = 0, r_r14 = 0, r_r13 = 0, r_r12 = 0, r_r11 = 0, r_r10 = 0, r_r9 = 0, r_r8 = 0, r_rdi = 0, r_rsi = 0, r_rbp = 0, r_rbx = 0, r_rdx = 0, r_rcx = 0, r_rax = 4196000, r_trapno = 6414336, r_fs = 8, 
  r_gs = 0, r_err = 0, r_es = 0, r_ds = 0, r_rip = 0, r_cs = 0, r_rflags = 0, r_rsp = 0, r_ss = 0}
        td = (struct thread *) 0xfffffe0006c81490
        p = <value optimized out>
        i = <value optimized out>
        ucode = <value optimized out>
        code = 0
        type = 12
        addr = <value optimized out>
        ksi = {ksi_link = {tqe_next = 0x0, tqe_prev = 0x0}, ksi_info = {si_signo = 8613312, si_errno = 8, si_code = 6415360, si_pid = 8, si_uid = 0, si_status = 0, si_addr = 0x0, si_value = {sival_int = 0, sival_ptr = 0x0, 
      sigval_int = 0, sigval_ptr = 0x0}, _reason = {_fault = {_trapno = 0}, _timer = {_timerid = 0, _overrun = 0}, _mesgq = {_mqd = 0}, _poll = {_band = 0}, __spare__ = {__spare1__ = 0, __spare2__ = {0, 0, 0, 0, 0, 0, 
          0}}}}, ksi_flags = 0, ksi_sigq = 0x0}
#6  0xffffffff80c81c33 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:228
No locals.
#7  0xffffffff809aa3da in ifunit (name=0xfffffe0006b7c944 "wlan0") at /usr/src/sys/net/if.c:2016
        ifp = <value optimized out>
#8  0xffffffff818dfa3a in fr_resolvenic (name=<value optimized out>, v=<value optimized out>) at /usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/fil.c:6565
        nic = <value optimized out>
#9  0xffffffff818c8a25 in nat_resolverule (n=0xfffffe0006b7c800) at /usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_nat.c:1108
No locals.
#10 0xffffffff818c99b3 in fr_nat_ioctl (data=0xfffffe0006049780 "", cmd=2151182908, mode=2, uid=0, ctx=0xfffffe0006c81490) at /usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_nat.c:976
        ptr = <value optimized out>
        nl = {nl_inip = {s_addr = 0}, nl_outip = {s_addr = 0}, nl_realip = {s_addr = 0}, nl_flags = 0, nl_inport = 0, nl_outport = 0, nl_realport = 0}
        nat = <value optimized out>
        nt = (ipnat_t *) 0xfffffe0006b7c800
        n = (ipnat_t *) 0x0
        np = (ipnat_t **) 0xffffffff818ec558
        error = 17
        ret = <value optimized out>
        arg = <value optimized out>
        getlock = 1
        natd = {in_lock = {ipf_lkun_s = {ipf_slk = {lock_object = {lo_name = 0x0, lo_flags = 0, lo_data = 0, lo_witness = 0x0}, mtx_lock = 0}, ipf_lname = 0x0}, ipf_emu = {eMm_owner = 0x0, eMm_heldin = 0x0, eMm_magic = 0, 
      eMm_held = 0, eMm_heldat = 0}}, in_next = 0x0, in_rnext = 0x0, in_prnext = 0x0, in_mnext = 0x0, in_pmnext = 0x0, in_tqehead = {0x0, 0x0}, in_ifps = {0x0, 0x0}, in_apr = 0x0, in_comment = 0x0, in_next6 = {i6 = {0, 0, 
      0, 0}, in4 = {s_addr = 0}, in6 = {__u6_addr = {__u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, vptr = {0x0, 0x0}, lptr = {0, 0}, i6un = {type = 0, 
      subtype = 0, label = '\0' <repeats 11 times>}}, in_space = 0, in_hits = 0, in_use = 0, in_hv = 0, in_flineno = 0, in_pnext = 0, in_v = 4 '\004', in_xxx = 0 '\0', in_flags = 32832, in_mssclamp = 0, in_age = {0, 0}, 
  in_redir = 1, in_p = 0, in_in = {{i6 = {10, 0, 0, 0}, in4 = {s_addr = 10}, in6 = {__u6_addr = {__u6_addr8 = "\n", '\0' <repeats 14 times>, __u6_addr16 = {10, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {10, 0, 0, 0}}}, vptr = {
        0xa, 0x0}, lptr = {0xa, 0}, i6un = {type = 10, subtype = 0, label = '\0' <repeats 11 times>}}, {i6 = {255, 0, 0, 0}, in4 = {s_addr = 255}, in6 = {__u6_addr = {__u6_addr8 = "�", '\0' <repeats 14 times>, 
          __u6_addr16 = {255, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {255, 0, 0, 0}}}, vptr = {0xff, 0x0}, lptr = {0xff, 0}, i6un = {type = 255, subtype = 0, label = '\0' <repeats 11 times>}}}, in_out = {{i6 = {83994816, 0, 0, 
        0}, in4 = {s_addr = 83994816}, in6 = {__u6_addr = {__u6_addr8 = "�\001\005", '\0' <repeats 11 times>, __u6_addr16 = {43200, 1281, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {83994816, 0, 0, 0}}}, vptr = {0x501a8c0, 0x0}, 
      lptr = {0x501a8c0, 0}, i6un = {type = 43200, subtype = 1281, label = '\0' <repeats 11 times>}}, {i6 = {4294967295, 0, 0, 0}, in4 = {s_addr = 4294967295}, in6 = {__u6_addr = {
          __u6_addr8 = "����", '\0' <repeats 11 times>, __u6_addr16 = {65535, 65535, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {4294967295, 0, 0, 0}}}, vptr = {0xffffffff, 0x0}, lptr = {0xffffffff, 0}, i6un = {type = 65535, 
        subtype = 65535, label = '\0' <repeats 11 times>}}}, in_src = {{i6 = {10, 0, 0, 0}, in4 = {s_addr = 10}, in6 = {__u6_addr = {__u6_addr8 = "\n", '\0' <repeats 14 times>, __u6_addr16 = {10, 0, 0, 0, 0, 0, 0, 0}, 
          __u6_addr32 = {10, 0, 0, 0}}}, vptr = {0xa, 0x0}, lptr = {0xa, 0}, i6un = {type = 10, subtype = 0, label = '\0' <repeats 11 times>}}, {i6 = {255, 0, 0, 0}, in4 = {s_addr = 255}, in6 = {__u6_addr = {
          __u6_addr8 = "�", '\0' <repeats 14 times>, __u6_addr16 = {255, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {255, 0, 0, 0}}}, vptr = {0xff, 0x0}, lptr = {0xff, 0}, i6un = {type = 255, subtype = 0, 
        label = '\0' <repeats 11 times>}}}, in_tuc = {ftu_tcpfm = 0 '\0', ftu_tcpf = 0 '\0', ftu_src = {frp_cmp = 0, frp_port = 0, frp_top = 0}, ftu_dst = {frp_cmp = 0, frp_port = 0, frp_top = 0}}, in_port = {0, 0}, 
  in_ppip = 0, in_ippip = 0, in_ifnames = {"wlan0\000\000\000\000\000\000\000\000\000\000", "wlan0\000\000\000\000\000\000\000\000\000\000"}, in_plabel = '\0' <repeats 15 times>, in_tag = {ipt_un = {iptu_num = {0, 0, 0, 0}, 
      iptu_tag = '\0' <repeats 15 times>}, ipt_not = 0}}
#11 0xffffffff807c6bbb in devfs_ioctl_f (fp=0xfffffe0006c1aaa0, com=2151182908, data=<value optimized out>, cred=<value optimized out>, td=0xfffffe0006c81490) at /usr/src/sys/fs/devfs/devfs_vnops.c:757
        dev = (struct cdev *) 0xfffffe0006b7b200
        dsw = (struct cdevsw *) 0xffffffff818ea900
        vp = <value optimized out>
        vpold = <value optimized out>
        error = 0
        i = <value optimized out>
        ref = <value optimized out>
        p = <value optimized out>
        fpop = (struct file *) 0x0
#12 0xffffffff8093fbe4 in kern_ioctl (td=<value optimized out>, fd=<value optimized out>, com=2151182908, data=0xfffffe0006049780 "") at file.h:306
        fp = (struct file *) 0xfffffe0006c1aaa0
        fdp = (struct filedesc *) 0xfffffe000627b800
        error = 0
        tmp = -127
        locked = <value optimized out>
#13 0xffffffff8093fd5d in sys_ioctl (td=0xfffffe0006c81490, uap=0xffffff810e7b9a30) at /usr/src/sys/kern/sys_generic.c:693
        arg = 0
        error = 0
        size = 56
        data = 0xfffffe0006049780 ""
#14 0xffffffff80c9730b in amd64_syscall (td=0xfffffe0006c81490, traced=0) at subr_syscall.c:134
        sa = {code = 54, callp = 0xffffffff81271c60, args = {3, 2151182908, 140737488345424, 0, -34374477104, 0, -545217865040, -2138341345}, narg = 3}
        error = 0
        ksi = {ksi_link = {tqe_next = 0xffffff810e7b9a00, tqe_prev = 0xffffffff80d0a8fd}, ksi_info = {si_signo = 242981376, si_errno = 1, si_code = -2138062933, si_pid = -1, si_uid = 2129757952, si_status = -128, 
    si_addr = 0xffffff800021ddb8, si_value = {sival_int = 2219392, sival_ptr = 0xffffff800021dd80, sigval_int = 2219392, sigval_ptr = 0xffffff800021dd80}, _reason = {_fault = {_trapno = -2126377920}, _timer = {
        _timerid = -2126377920, _overrun = -1}, _mesgq = {_mqd = -2126377920}, _poll = {_band = -2126377920}, __spare__ = {__spare1__ = -2126377920, __spare2__ = {2128191524, 37, 113726648, -512, 242981424, -127, 
          -2137812303}}}}, ksi_flags = 0, ksi_sigq = 0x0}
#15 0xffffffff80c81f17 in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:387
No locals.
#16 0x0000000800b5604a in ?? ()
No symbol table info available.
Previous frame inner to this frame (corrupt stack?)
(kgdb) fr 11
#11 0xffffffff807c6bbb in devfs_ioctl_f (fp=0xfffffe0006c1aaa0, com=2151182908, data=<value optimized out>, cred=<value optimized out>, td=0xfffffe0006c81490) at /usr/src/sys/fs/devfs/devfs_vnops.c:757
757             error = dsw->d_ioctl(dev, com, data, fp->f_flag, td);
(kgdb) l
752                             error = copyout(p, fgn->buf, i);
753                     td->td_fpop = fpop;
754                     dev_relthread(dev, ref);
755                     return (error);
756             }
757             error = dsw->d_ioctl(dev, com, data, fp->f_flag, td);
758             td->td_fpop = NULL;
759             dev_relthread(dev, ref);
760             if (error == ENOIOCTL)
761                     error = ENOTTY;
(kgdb) fr 10
#10 0xffffffff818c99b3 in fr_nat_ioctl (data=0xfffffe0006049780 "", cmd=2151182908, mode=2, uid=0, ctx=0xfffffe0006c81490) at /usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_nat.c:976
976             if (nat_resolverule(n) != 0)
(kgdb) l
971     ipnat_t *n, **np;
972     int getlock;
973     {
974             int error = 0, i, j;
975
976             if (nat_resolverule(n) != 0)
977                     return ENOENT;
978
979             if ((n->in_age[0] == 0) && (n->in_age[1] != 0))
980                     return EINVAL;
(kgdb)
>How-To-Repeat:
recompile the kernel with "options VIMAGE" and try to start ipnat.
>Fix:
ipfilter must learn the CURVNET_SET and CURVNET_RESTORE macros

>Release-Note:
>Audit-Trail:
>Unformatted:
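The change the Fix section asks for, illustrated as an added example. This is a constructed user-space model, not FreeBSD kernel code and not a patch from the submitter: the struct vnet layout (five pointer slots so the interface list sits at offset 0x28 on a 64-bit build), the thread-local curvnet, and the simplified ifunit(), nat_resolverule() and fr_nat_ioctl() stand-ins are all assumptions. Reading the trace this way, a fault at virtual address 0x28 inside ifunit(), which reaches the interface list through curvnet, is what a NULL curvnet produces; that is an inference from the trace consistent with the Fix line, not something the report states outright. The unfixed path records the address the kernel would have faulted on instead of dereferencing it; the fixed path brackets the lookup with CURVNET_SET(TD_TO_VNET(td)) / CURVNET_RESTORE() and leaves curvnet restored afterwards.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed user-space model of the VIMAGE pattern behind this PR. It is
 * not FreeBSD kernel code: the struct layouts, the thread-local curvnet and
 * the names below are assumptions chosen to mirror the trace.
 */
struct ifnet {
	const char   *if_xname;
	struct ifnet *if_next;
};

/* Five pointer-sized slots put vnet_ifnet at offset 0x28 on a 64-bit build,
 * the "fault virtual address" in the report (assumed layout). */
struct vnet {
	void         *vnet_pad[5];
	struct ifnet *vnet_ifnet;
};

struct thread {
	struct vnet *td_vnet;		/* stands in for TD_TO_VNET(td) */
};

static __thread struct vnet *curvnet;	/* per-thread current vnet; NULL when unset */
static uintptr_t last_fault_va;		/* address a real kernel would fault on */
static struct ifnet *resolved;		/* last rule binding (cf. in_ifps in the trace) */

/* Modelled on the kernel macros: save the old vnet, switch, restore. */
#define CURVNET_SET(arg)	struct vnet *saved_vnet = curvnet; curvnet = (arg)
#define CURVNET_RESTORE()	curvnet = saved_vnet

/* Model of ifunit(): walk the current vnet's interface list by name.
 * With curvnet == NULL the real function reads NULL + offsetof(vnet_ifnet);
 * the model records that address instead of dereferencing it. */
static struct ifnet *
ifunit(const char *name)
{
	struct ifnet *ifp;

	if (curvnet == NULL) {
		last_fault_va = (uintptr_t)0 + offsetof(struct vnet, vnet_ifnet);
		return (NULL);
	}
	for (ifp = curvnet->vnet_ifnet; ifp != NULL; ifp = ifp->if_next)
		if (strcmp(ifp->if_xname, name) == 0)
			return (ifp);
	return (NULL);
}

/* Model of nat_resolverule(): bind a rule's interface name to an ifnet. */
static int
nat_resolverule(const char *ifname)
{
	resolved = ifunit(ifname);
	return (resolved == NULL ? -1 : 0);
}

/* ioctl path as it behaves in the report: no vnet context before ifunit(). */
static int
fr_nat_ioctl_unfixed(struct thread *td, const char *ifname)
{
	(void)td;
	if (nat_resolverule(ifname) != 0)
		return (ENOENT);
	return (0);
}

/* ioctl path with the change the PR asks for: the lookup runs inside
 * CURVNET_SET(TD_TO_VNET(td)) / CURVNET_RESTORE(). */
static int
fr_nat_ioctl_fixed(struct thread *td, const char *ifname)
{
	int error = 0;

	CURVNET_SET(td->td_vnet);
	if (nat_resolverule(ifname) != 0)
		error = ENOENT;
	CURVNET_RESTORE();
	return (error);
}

/* Constructed sample: one vnet holding a single interface named wlan0. */
static struct ifnet  wlan0 = { "wlan0", NULL };
static struct vnet   vnet0 = { { 0 }, &wlan0 };
static struct thread td0   = { &vnet0 };

int
main(void)
{
	int rc;

	rc = fr_nat_ioctl_unfixed(&td0, "wlan0");
	printf("unfixed: rc=%d, kernel would fault reading 0x%lx\n",
	    rc, (unsigned long)last_fault_va);
	rc = fr_nat_ioctl_fixed(&td0, "wlan0");
	printf("fixed:   rc=%d, bound to %s, curvnet restored: %s\n",
	    rc, resolved ? resolved->if_xname : "(none)",
	    curvnet == NULL ? "yes" : "no");
	return (0);
}
```

Build with a C99 compiler (cc -std=c99 model.c). On the fixed path the same rule referencing wlan0 resolves and curvnet is back to NULL when the ioctl returns, which is the property the kernel macros give an ioctl entry point: every V_ variable touched below it, ifunit()'s interface list included, is looked up through a vnet that is actually set.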