Panic due to junk pointer in pf(4)

Max Laier max at love2party.net
Fri Aug 14 22:38:53 UTC 2009


On Wednesday 12 August 2009 21:16:09 Peter Jeremy wrote:
> My firewall (7.2p3/i386) recently panic'd:
> Fatal trap 12: page fault while in kernel mode
> fault virtual address   = 0x1065e
> fault code              = supervisor read, page not present
> ...
> I have a crashdump that shows:
> #6  0xc06c9c1b in calltrap () at /usr/src/sys/i386/i386/exception.s:159
> #7  0xc044ecd0 in pf_state_tree_lan_ext_RB_REMOVE_COLOR (head=0xc2a256a8,
>     parent=0xc442c6a0, elm=0xc40aa8e0) at /usr/src/sys/contrib/pf/net/pf.c:391
> #8  0xc044ef79 in pf_state_tree_lan_ext_RB_REMOVE (head=0xc2a256a8, elm=0xc404a11c)
>     at /usr/src/sys/contrib/pf/net/pf.c:391
> #9  0xc045383e in pf_unlink_state (cur=0xc404a11c)
>     at /usr/src/sys/contrib/pf/net/pf.c:1158
> #10 0xc0456b6e in pf_purge_expired_states (maxcheck=119)
>     at /usr/src/sys/contrib/pf/net/pf.c:1242
> #11 0xc04570f9 in pf_purge_thread (v=0x0)
>     at /usr/src/sys/contrib/pf/net/pf.c:998
> #12 0xc0535781 in fork_exit (callout=0xc0456f50 <pf_purge_thread>, arg=0x0,
>     frame=0xd2d4cd38) at /usr/src/sys/kern/kern_fork.c:810
> #13 0xc06c9c90 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:264
>
> Working up, 'parent' in pf_state_tree_lan_ext_RB_REMOVE_COLOR() has
> a garbage u.s.entry_lan_ext:
> (kgdb) p parent->u
> $3 = {s = {entry_lan_ext = {rbe_left = 0x10602, rbe_right = 0x50000,
>       rbe_parent = 0xc40aa8e0, rbe_color = -1002258432},
>     entry_ext_gwy = {rbe_left = 0xc3c42238, rbe_right = 0x1, rbe_parent = 0x0, rbe_color = 0},
>     entry_id = {rbe_left = 0xc3c54470, rbe_right = 0x0, rbe_parent = 0x0, rbe_color = 0},
>     entry_list = {tqe_next = 0xc41f9e6c, tqe_prev = 0x0}, kif = 0xc442c58c},
>   ifname = "\002\006\001\000\000\000\005\000à¨\nÄ\000ÀBÄ"}
>
> Does anyone have any suggestions on where to look next?

You could try the attached patch that I just sent to re@ for inclusion.  There 
is an obvious error in how I handle the pf_consistency_lock in the purge 
thread that might well be the culprit for the error you are seeing.  I assume 
you can't trigger the panic at will, though.  In any case I'd be interested in 
your feedback, thanks.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pfpurge_lock.diff
Type: text/x-patch
Size: 5573 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20090814/563c4626/pfpurge_lock.bin
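Added illustration (not part of this thread, not pf(4) code and not the attached patch): a constructed C model of a state tree with the same left/right/parent links as an RB_ENTRY, plus a checker that applies the inspection Peter did by hand with `p parent->u` to every node in the tree. It flags any link that points outside the state arena or at a freed node, and any child whose parent link does not point back, without ever dereferencing a suspect pointer. The failure it simulates, a state freed while still linked so that its links turn into junk once the memory is reused, is an assumed cause chosen for the demo and not a claim about what the patch fixes; all names, keys and the arena are constructed, and the junk values are borrowed from the dump above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a pf state with its RB_ENTRY links (left, right,
 * parent, as in sys/tree.h), keyed by a fake address tuple. */
struct state_node { uint32_t key; int expired, live; struct state_node *left, *right, *parent; };
struct state_tree { struct state_node *root; };

#define NSTATES 8
static struct state_node arena[NSTATES];    /* stand-in for the state zone */

/* Unbalanced BST insert; balancing is irrelevant to the link checks. */
static void tree_insert(struct state_tree *t, struct state_node *n)
{
    struct state_node **link = &t->root, *p = NULL;
    for (; *link != NULL; link = n->key < p->key ? &p->left : &p->right)
        p = *link;
    n->parent = p; n->left = n->right = NULL; *link = n;
}

/* Point whatever referenced old (its parent's slot or the root) at repl. */
static void replace_child(struct state_tree *t, struct state_node *old, struct state_node *repl)
{
    struct state_node **slot = old->parent == NULL ? &t->root :
        old->parent->left == old ? &old->parent->left : &old->parent->right;
    *slot = repl;
    if (repl != NULL) repl->parent = old->parent;
}

/* Unlink n, handling the zero-, one- and two-child cases. */
static void tree_remove(struct state_tree *t, struct state_node *n)
{
    if (n->left != NULL && n->right != NULL) {
        struct state_node *s = n->right;            /* in-order successor */
        while (s->left != NULL) s = s->left;
        if (s->parent != n) {                       /* splice s out first */
            replace_child(t, s, s->right);
            s->right = n->right; s->right->parent = s;
        }
        replace_child(t, n, s);
        s->left = n->left; s->left->parent = s;
    } else
        replace_child(t, n, n->left != NULL ? n->left : n->right);
    n->left = n->right = n->parent = NULL;
}

/* Simulate a free followed by reuse of the memory: the links become junk
 * (values borrowed from the crash dump). */
static void state_free(struct state_node *n)
{
    n->live = 0;
    n->left = (struct state_node *)(uintptr_t)0x10602;
    n->right = (struct state_node *)(uintptr_t)0x50000;
    n->parent = (struct state_node *)(uintptr_t)0xc40aa8e0;
}

/* Sane only if inside the arena at a live node; never dereferenced otherwise. */
static int node_ok(const struct state_node *n)
{
    uintptr_t a = (uintptr_t)n;
    return a >= (uintptr_t)arena && a < (uintptr_t)(arena + NSTATES) && n->live;
}

/* Bad links below n: dangling pointers plus parent links that do not point
 * back; the "p parent->u" inspection applied to every node. */
static int check_links(const struct state_node *n, const struct state_node *parent)
{
    if (n == NULL) return 0;
    if (!node_ok(n)) return 1;
    return (n->parent != parent) + check_links(n->left, n) + check_links(n->right, n);
}
int tree_check(const struct state_tree *t) { return check_links(t->root, NULL); }

/* Purge expired states.  unlink_first=0 frees a state that is still linked,
 * an assumed cause for the demo, not a claim about the actual bug. */
int purge_expired(struct state_tree *t, int unlink_first)
{
    int purged = 0;
    for (int i = 0; i < NSTATES; i++) {
        if (!arena[i].live || !arena[i].expired) continue;
        if (unlink_first) tree_remove(t, &arena[i]);
        state_free(&arena[i]);
        purged++;
    }
    return purged;
}

/* Fresh demo tree: 8 states, 3 expired (root with two children, inner node
 * with two children, leaf), so every unlink case is exercised. */
struct state_tree demo_tree(void)
{
    static const uint32_t keys[NSTATES] = { 50, 30, 70, 20, 40, 60, 80, 35 };
    struct state_tree t = { NULL };
    memset(arena, 0, sizeof arena);
    for (int i = 0; i < NSTATES; i++) {
        arena[i].key = keys[i]; arena[i].live = 1;
        arena[i].expired = keys[i] == 50 || keys[i] == 30 || keys[i] == 80;
        tree_insert(&t, &arena[i]);
    }
    return t;
}

int main(void)
{
    struct state_tree t = demo_tree();
    int n = purge_expired(&t, 1);
    printf("unlink then free: purged %d, bad links %d\n", n, tree_check(&t));
    t = demo_tree();
    n = purge_expired(&t, 0);
    printf("free while linked: purged %d, bad links %d\n", n, tree_check(&t));
    return 0;
}
```

Compile with `cc -std=c99` and run: the first purge unlinks each expired state before freeing it and the tree checks clean, the second leaves the freed root linked and the checker reports the dangling link instead of following it into junk. The same walk, comparing each rbe_parent against the node it was reached from and rejecting pointers outside the state zone, is what one would run over the live tree in a crash dump before trusting any single node.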