kern/59576: kernel panic: attempted use of free mbuf! when BPF is in use on tun interface
Yuriy Tsibizov
Yuriy.Tsibizov at gfk.ru
Fri Nov 21 22:50:14 PST 2003
>Number: 59576
>Category: kern
>Synopsis: kernel panic: attempted use of free mbuf! when BPF is in use on tun interface
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Nov 21 22:50:10 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Yuriy Tsibizov
>Release: FreeBSD 5.1-CURRENT i386
>Organization:
none
>Environment:
System: FreeBSD free.home.local 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Thu Nov 13 12:01:44 MSK 2003 root at free.home.local:/usr/obj/usr/src/sys/GENERIC i386
last world was built on November 9th
>Description:
I've got a panic after running
tcpdump -v -i tun0
tunoutput: attempted use of a free mbuf!
Here is the gdb backtrace from the kernel crashdump:
GNU gdb 5.2.1 (FreeBSD)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-undermydesk-freebsd"...
panic: tunoutput: attempted use of a free mbuf!
panic messages:
---
panic: tunoutput: attempted use of a free mbuf!
cpuid = 0;
panic: from debugger
cpuid = 0;
Uptime: 3m23s
Dumping 256 MB
16 32 48 64 80 96 112 128 144 160 176 192 208 224 240
---
Reading symbols from /boot/kernel/logo_saver.ko...done.
Loaded symbols for /boot/kernel/logo_saver.ko
#0 doadump () at /usr/src/sys/kern/kern_shutdown.c:240
240 dumping++;
(kgdb) bt
#0 doadump () at /usr/src/sys/kern/kern_shutdown.c:240
#1 0xc066af8b in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:372
#2 0xc066b38d in panic () at /usr/src/sys/kern/kern_shutdown.c:550
#3 0xc0489a32 in db_panic () at /usr/src/sys/ddb/db_command.c:450
#4 0xc0489992 in db_command (last_cmdp=0xc0922cc0, cmd_table=0x0,
aux_cmd_tablep=0xc08a6270, aux_cmd_tablep_end=0xc08a6288)
at /usr/src/sys/ddb/db_command.c:346
#5 0xc0489ad5 in db_command_loop () at /usr/src/sys/ddb/db_command.c:472
#6 0xc048cad5 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_trap.c:73
#7 0xc07ff55c in kdb_trap (type=3, code=0, regs=0xcf0298c8)
at /usr/src/sys/i386/i386/db_interface.c:171
#8 0xc0815648 in trap (frame=
{tf_fs = 24, tf_es = 16, tf_ds = 16, tf_edi = -1064972502, tf_esi = 1, tf_ebp = -821913324, tf_isp = -821913356, tf_ebx = 0, tf_edx = 0, tf_ecx = 0, tf_eax = 18, tf_trapno = 3, tf_err = 0, tf_eip = -1065355163, tf_cs = 8, tf_eflags = 646, tf_esp = -1064705964, tf_ss = -1064814156})
at /usr/src/sys/i386/i386/trap.c:580
#9 0xc0800fa8 in calltrap () at {standard input}:94
#10 0xc066b326 in panic (fmt=0xc085cf2a "%s: attempted use of a free mbuf!")
at /usr/src/sys/kern/kern_shutdown.c:534
#11 0xc06e23c3 in tunoutput (ifp=0xc2e4fc08, m0=0xc16d9600, dst=0xc2e52d10,
rt=0xc30bc000) at /usr/src/sys/net/if_tun.c:473
#12 0xc06fea4c in ip_output (m0=0x1, opt=0xc16d96c4, ro=0xc2f8478c, flags=0,
imo=0x0, inp=0xc2f84750) at /usr/src/sys/netinet/ip_output.c:1037
#13 0xc070e789 in udp_output (inp=0xc2f84750, m=0xc16d9600, addr=0x0,
control=0x0, td=0xc2f31b40) at /usr/src/sys/netinet/udp_usrreq.c:876
#14 0xc070ef67 in udp_send (so=0x0, flags=0, m=0xc16d9600, addr=0x0,
control=0x0, td=0x0) at /usr/src/sys/netinet/udp_usrreq.c:1072
#15 0xc06aa7bd in sosend (so=0xc2f821e0, addr=0x0, uio=0xcf029c48,
top=0xc16d9600, control=0x0, flags=0, td=0xc2f31b40)
at /usr/src/sys/kern/uipc_socket.c:715
#16 0xc06aedec in kern_sendit (td=0xc2f31b40, s=5, mp=0xcf029cc0, flags=0,
control=0x0) at /usr/src/sys/kern/uipc_syscalls.c:722
#17 0xc06aec3e in sendit (td=0x0, s=0, mp=0xcf029cc0, flags=0)
at /usr/src/sys/kern/uipc_syscalls.c:662
#18 0xc06aef7b in sendto (td=0x0, uap=0x0)
at /usr/src/sys/kern/uipc_syscalls.c:783
#19 0xc0816010 in syscall (frame=
{tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 135897088, tf_esi = 29, tf_ebp = -1077944824, tf_isp = -821912204, tf_ebx = 674744424, tf_edx = 0, tf_ecx = 0, tf_eax = 133, tf_trapno = 12, tf_err = 2, tf_eip = 674234687, tf_cs = 31, tf_eflags = 530, tf_esp = -1077944868, tf_ss = 47})
at /usr/src/sys/i386/i386/trap.c:1010
#20 0xc0800ffd in Xint0x80_syscall () at {standard input}:136
---Can't read userspace from dump, or kernel process---
(kgdb) f 11
#11 0xc06e23c3 in tunoutput (ifp=0xc2e4fc08, m0=0xc16d9600, dst=0xc2e52d10,
rt=0xc30bc000) at /usr/src/sys/net/if_tun.c:473
473 BPF_MTAP(ifp, &m);
(kgdb) list 460
455 m0->m_data += sizeof(int);
456 }
457
458 if (ifp->if_bpf) {
459 /*
460 * We need to prepend the address family as
461 * a four byte field. Cons up a dummy header
462 * to pacify bpf. This is safe because bpf
463 * will only read from the mbuf (i.e., it won't
464 * try to free it or keep a pointer to it).
465 */
466 struct mbuf m;
467 uint32_t af = dst->sa_family;
468
469 m.m_next = m0;
470 m.m_len = 4;
471 m.m_data = (char *)&af;
472
473 BPF_MTAP(ifp, &m);
474 }
(kgdb) q
There are other network drivers that have the same (or similar) code as above:
if_ic.c (dev/iicbus)
if_plip.c (dev/plip)
if_disc.c
if_gif.c
if_loop.c
if_tun.c (all from net)
All of these drivers will cause a panic if you try to use tcpdump on these
interfaces, because of the 1.28-1.29 changes in net/bpf.h (the addition of
M_ASSERTVALID to the BPF_MTAP macro).
if_stf.c (net) has similar code, but does not use the BPF_MTAP macro unless
HAVE_OLD_BPF is not defined (it calls bpf_mtap(...) directly).
>How-To-Repeat:
open a ppp connection using userland ppp
run tcpdump -v -itun0
>Fix:
I don't know how to properly fix it.
We can call bpf_mtap(...) directly, as if_stf.c does.
We can set the mbuf flags to something like M_RDONLY, i.e. add
m.m_flags = M_RDONLY;
to the code above.
We can replace all of this code with
{
	struct mbuf *m;
	uint32_t af = dst->sa_family;

	/* Prepend 4 bytes for the address family; m_prepend() may return a new head mbuf and frees the chain on failure. */
	if ((m = m_prepend(m0, sizeof(af), M_NOWAIT)) == NULL)
		return (ENOBUFS);
	m0 = m;
	bcopy(&af, mtod(m0, void *), sizeof(af));	/* copy af into the first 4 bytes of m_data */
	BPF_MTAP(ifp, m0);
	m_adj(m0, sizeof(af));	/* strip the header again: m_adj() advances m_data and shrinks m_len; m_len -= 4 alone would leave m_data pointing at af */
}
>Release-Note:
>Audit-Trail:
>Unformatted:
Date: Mon, 17 Nov 2003 20:35:42 +0300 (MSK)
Message-Id: <200311171735.hAHHZgL5001224 at free.home.local>
To: FreeBSD-gnats-submit at freebsd.org
Subject: kernel panic: attempted use of free mbuf! when BPF is in use on tun interface
From: Yuriy Tsibizov <Yuriy.Tsibizov at gfk.ru>
Reply-To: Yuriy Tsibizov <Yuriy.Tsibizov at gfk.ru>
Cc: Yuriy.Tsibizov at gfk.ru
X-send-pr-version: 3.113
X-GNATS-Notify:
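As an added illustration (not code from this PR or from the FreeBSD tree), here is a user-space model of the two mechanisms the report discusses: why a dummy mbuf on the stack whose m_flags is never initialised can trip the M_ASSERTVALID check inside BPF_MTAP, and how a prepended address-family header has to be stripped again so the rest of the stack sees the original packet. The struct layout, the M_FREELIST value and the leading-space arrangement are assumptions of the model, not the kernel's definitions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed user-space model of the mbuf fields this PR touches; not the kernel's struct. */
#define M_FREELIST 0x8000	/* assumed: the "mbuf is free" bit that M_ASSERTVALID tested */
#define LEADING_SPACE 16
struct mbuf { struct mbuf *m_next; char *m_data; int m_len, m_flags; char m_dat[LEADING_SPACE + 64]; };

/* Model of the M_ASSERTVALID check in BPF_MTAP: 1 = tap proceeds, 0 = kernel would panic. */
static int bpf_mtap_valid(const struct mbuf *m) { return (m->m_flags & M_FREELIST) == 0; }

/* A packet mbuf with leading space, the way a tun write hands it to tunoutput(). */
static void mbuf_init(struct mbuf *m, const char *payload, int len)
{
	memset(m, 0, sizeof(*m));
	m->m_data = m->m_dat + LEADING_SPACE;
	m->m_len = len;
	memcpy(m->m_data, payload, len);
}

/* The if_tun.c pattern: a dummy header mbuf on the stack whose m_flags is never set;
 * 0xff bytes stand in for stale stack contents that happen to have the free bit set. */
static int tap_with_stack_header(struct mbuf *m0, uint32_t af, int init_flags)
{
	struct mbuf m;
	memset(&m, 0xff, sizeof(m));
	m.m_next = m0;
	m.m_len = sizeof(af);
	m.m_data = (char *)&af;
	if (init_flags)
		m.m_flags = 0;	/* the report's "set m_flags" workaround */
	return bpf_mtap_valid(&m);
}

/* The m_prepend alternative: af goes in front of the payload inside the packet's own
 * mbuf, then is stripped as m_adj() does (move m_data AND shrink m_len; the report's
 * "m_len -= 4" alone would leave m_data pointing at af). Returns 1 if all is intact. */
static int tap_with_prepend(struct mbuf *m0, uint32_t af)
{
	char *saved = m0->m_data;
	int saved_len = m0->m_len, ok;
	m0->m_data -= sizeof(af);	/* m_prepend() with leading space available */
	m0->m_len += sizeof(af);
	memcpy(m0->m_data, &af, sizeof(af));
	ok = bpf_mtap_valid(m0);	/* a real packet mbuf carries initialised flags */
	m0->m_data += sizeof(af);
	m0->m_len -= sizeof(af);
	return ok && m0->m_data == saved && m0->m_len == saved_len;
}
```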