[Bug 253587] pf: page fault in pf_pull_hdr

bugzilla-noreply at freebsd.org
Wed Feb 17 14:18:56 UTC 2021


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253587

            Bug ID: 253587
           Summary: pf: page fault in pf_pull_hdr
           Product: Base System
           Version: 13.0-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: spambox at haruhiism.net

Seems to affect the ip6 flow. Happened twice so far over about 16 hours.

FreeBSD 13.0-BETA2 amd64 on a PCEngines apu4d4; both GENERIC and custom kernel
configurations (with pf built in) are affected. The NICs are Intel i211-AT,
default hardware offload settings.

Kernel panic message:

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0x18
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80c9aaf0
stack pointer           = 0x28:0xfffffe0007f8b3b0
frame pointer           = 0x28:0xfffffe0007f8b420
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 0 (if_io_tqg_1)
trap number             = 12
panic: page fault
cpuid = 1
time = 1613563924
KDB: stack backtrace:
#0 0xffffffff80c56695 at kdb_backtrace+0x65
#1 0xffffffff80c09261 at vpanic+0x181
#2 0xffffffff80c090d3 at panic+0x43
#3 0xffffffff810891a7 at trap_fatal+0x387
#4 0xffffffff810891ff at trap_pfault+0x4f
#5 0xffffffff8108885d at trap+0x27d
#6 0xffffffff8105fc38 at calltrap+0x8
#7 0xffffffff82945494 at pf_pull_hdr+0x134
#8 0xffffffff8294f23b at pf_test6+0x36b
#9 0xffffffff8295fc80 at pf_check6_out+0x40
#10 0xffffffff80d40f17 at pfil_run_hooks+0x97
#11 0xffffffff80dfbff7 at ip6_forward+0x3c7
#12 0xffffffff80dfd915 at ip6_input+0xbb5
#13 0xffffffff80d3e26a at netisr_dispatch_src+0xca
#14 0xffffffff80d22a28 at ether_demux+0x148
#15 0xffffffff80d23dac at ether_nh_input+0x34c
#16 0xffffffff80d3e26a at netisr_dispatch_src+0xca
#17 0xffffffff80d22e79 at ether_input+0x69

kgdb:

Backtrace:

(kgdb) bt
#0  __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:55
#1  doadump (textdump=<optimized out>) at /usr/src/sys/kern/kern_shutdown.c:399
#2  0xffffffff807bb406 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:486
#3  0xffffffff807bb880 in vpanic (fmt=<optimized out>, ap=<optimized out>) at /usr/src/sys/kern/kern_shutdown.c:919
#4  0xffffffff807bb683 in panic (fmt=<unavailable>) at /usr/src/sys/kern/kern_shutdown.c:843
#5  0xffffffff80b7c1a7 in trap_fatal (frame=0xfffffe0007f4c2f0, eva=24) at /usr/src/sys/amd64/amd64/trap.c:915
#6  0xffffffff80b7c1ff in trap_pfault (frame=frame@entry=0xfffffe0007f4c2f0, usermode=false, signo=<optimized out>, signo@entry=0x0, ucode=<optimized out>, ucode@entry=0x0) at /usr/src/sys/amd64/amd64/trap.c:732
#7  0xffffffff80b7b85d in trap (frame=0xfffffe0007f4c2f0) at /usr/src/sys/amd64/amd64/trap.c:398
#8  <signal handler called>
#9  0xffffffff8084d0a0 in m_copydata (m=0x0, off=40, len=2, cp=cp@entry=0xfffffe0007f4c540 "") at /usr/src/sys/kern/uipc_mbuf.c:649
#10 0xffffffff809b3a24 in pf_pull_hdr (m=m@entry=0xfffff8005865ec00, off=off@entry=40, p=p@entry=0xfffffe0007f4c540, len=len@entry=2, actionp=actionp@entry=0x0, reasonp=reasonp@entry=0xfffffe0007f4c5b6, af=28 '\034') at /usr/src/sys/netpfil/pf/pf.c:5422
#11 0xffffffff809bd7cb in pf_test6 (dir=dir@entry=2, pflags=393216, ifp=<optimized out>, m0=<optimized out>, m0@entry=0xfffffe0007f4c6b8, inp=0x0) at /usr/src/sys/netpfil/pf/pf.c:6398
#12 0xffffffff809cbf60 in pf_check6_out (m=0xfffffe0007f4c6b8, ifp=0x28, flags=40, ruleset=<optimized out>, inp=0x0) at /usr/src/sys/netpfil/pf/pf_ioctl.c:4535
#13 0xffffffff808fe1b7 in pfil_run_hooks (head=<optimized out>, p=..., ifp=0xfffff800026d3800, flags=flags@entry=393216, inp=inp@entry=0x0) at /usr/src/sys/net/pfil.c:187
#14 0xffffffff80975177 in ip6_forward (m=0xfffff8005865ec00, srcrt=srcrt@entry=0) at /usr/src/sys/netinet6/ip6_forward.c:316
#15 0xffffffff80976a95 in ip6_input (m=0xfffff8005865ec00) at /usr/src/sys/netinet6/ip6_input.c:896
#16 0xffffffff808fb50a in netisr_dispatch_src (proto=6, source=<optimized out>, source@entry=0, m=0xfffffe0007f4c540) at /usr/src/sys/net/netisr.c:1143
#17 0xffffffff808fb7ff in netisr_dispatch (proto=1483074560, m=0x2) at /usr/src/sys/net/netisr.c:1234
#18 0xffffffff808dfcc8 in ether_demux (ifp=ifp@entry=0xfffff80002481800, m=0x28) at /usr/src/sys/net/if_ethersubr.c:923
#19 0xffffffff808e104c in ether_input_internal (ifp=0xfffff80002481800, m=0x28) at /usr/src/sys/net/if_ethersubr.c:709
#20 ether_nh_input (m=<optimized out>) at /usr/src/sys/net/if_ethersubr.c:739
#21 0xffffffff808fb50a in netisr_dispatch_src (proto=proto@entry=5, source=<optimized out>, source@entry=0, m=0xfffffe0007f4c540, m@entry=0xfffff8005865ec00) at /usr/src/sys/net/netisr.c:1143
#22 0xffffffff808fb7ff in netisr_dispatch (proto=1483074560, proto@entry=5, m=0x2, m@entry=0xfffff8005865ec00) at /usr/src/sys/net/netisr.c:1234
#23 0xffffffff808e0119 in ether_input (ifp=<optimized out>, m=0xfffff8005865ec00) at /usr/src/sys/net/if_ethersubr.c:830
#24 0xffffffff808f7c48 in iflib_rxeof (rxq=<optimized out>, rxq@entry=0xfffff80002481000, budget=<optimized out>) at /usr/src/sys/net/iflib.c:3008
#25 0xffffffff808f1fa2 in _task_fn_rx (context=0xfffff80002481000) at /usr/src/sys/net/iflib.c:3951
#26 0xffffffff808076ad in gtaskqueue_run_locked (queue=queue@entry=0xfffff80002424700) at /usr/src/sys/kern/subr_gtaskqueue.c:371
#27 0xffffffff8080734c in gtaskqueue_thread_loop (arg=<optimized out>, arg@entry=0xfffffe0008d54008) at /usr/src/sys/kern/subr_gtaskqueue.c:547
#28 0xffffffff8077990e in fork_exit (callout=0xffffffff808072a0 <gtaskqueue_thread_loop>, arg=0xfffffe0008d54008, frame=0xfffffe0007f4cc00) at /usr/src/sys/kern/kern_fork.c:1069
#29 <signal handler called>

Frames:

(kgdb) f 10
#10 0xffffffff809b3a24 in pf_pull_hdr (m=m@entry=0xfffff8005865ec00, off=off@entry=40, p=p@entry=0xfffffe0007f4c540, len=len@entry=2, actionp=actionp@entry=0x0, reasonp=reasonp@entry=0xfffffe0007f4c5b6, af=28 '\034') at /usr/src/sys/netpfil/pf/pf.c:5422
5422            m_copydata(m, off, len, p);
(kgdb) print m
$3 = (struct mbuf *) 0xfffff8005865ec00

(kgdb) f 9
#9  0xffffffff8084d0a0 in m_copydata (m=0x0, off=40, len=2, cp=cp@entry=0xfffffe0007f4c540 "") at /usr/src/sys/kern/uipc_mbuf.c:649
649                     if (off < m->m_len)
(kgdb) print m
$4 = (const struct mbuf *) 0x0

m in frame 10:

(kgdb) print *m
$1 = {{m_next = 0x0, m_slist = {sle_next = 0x0}, m_stailq = {stqe_next = 0x0}},
  {m_nextpkt = 0x0, m_slistpkt = {sle_next = 0x0}, m_stailqpkt = {stqe_next = 0x0}},
  m_data = 0xfffff8005865ec58 "\001", m_len = 0, m_type = 1, m_flags = 2,
  {{{m_pkthdr = {{snd_tag = 0x0, rcvif = 0x0}, tags = {slh_first = 0x0}, len = 1232, flowid = 0,
          csum_flags = 0, fibnum = 0, numa_domain = 255 '\377', rsstype = 0 '\000',
          {rcv_tstmp = 0, {l2hlen = 0 '\000', l3hlen = 0 '\000', l4hlen = 0 '\000', l5hlen = 0 '\000',
              inner_l2hlen = 0 '\000', inner_l3hlen = 0 '\000', inner_l4hlen = 0 '\000', inner_l5hlen = 0 '\000'}},
          PH_per = {eight = "\000\000\000\000\000\000\000", sixteen = {0, 0, 0, 0}, thirtytwo = {0, 0}, sixtyfour = {0},
            unintptr = {0}, ptr = 0x0},
          PH_loc = {eight = "\000\000\000\000\000\000\000", sixteen = {0, 0, 0, 0}, thirtytwo = {0, 0}, sixtyfour = {0},
            unintptr = {0}, ptr = 0x0}},
        {m_epg_npgs = 0 '\000', m_epg_nrdy = 0 '\000', m_epg_hdrlen = 0 '\000', m_epg_trllen = 0 '\000', m_epg_1st_off = 0,
          m_epg_last_len = 0, m_epg_flags = 0 '\000', m_epg_record_type = 0 '\000', __spare = "\000",
          m_epg_enc_cnt = 0, m_epg_tls = 0x4d0, m_epg_so = 0xff000000000000, m_epg_seqno = 0,
          m_epg_stailq = {stqe_next = 0x0}}},
      {m_ext = {{ext_count = 1, ext_cnt = 0xd00125500000001}, ext_size = 4096, ext_type = 3, ext_flags = 1,
          {{ext_buf = 0xfffff8012b419000 "", ext_arg2 = 0x0},
            {extpg_pa = {18446735282637213696, 0, 372221068050365953, 5427120254332600373, 13475210667545916651},
              extpg_trail = "\303y\262a\265\272\361\362Q\346P\020\000\246\a\325\000\000\060\060\061/default,2018,-1\000MM_CHARSET=UTF-8\000BLOCKSIZE",
              extpg_hdr = "=K\000SHLVL=1\000\000\000c\354\360\000\000\000\000\002\000"}},
          ext_free = 0x0, ext_arg1 = 0x0},
        m_pktdat = 0xfffff8005865ec58 "\001"}},
  m_dat = 0xfffff8005865ec20 ""}}


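What frames #9 and #10 show, modelled as an added example that is not part of this report and not FreeBSD's own code: pf_pull_hdr hands m_copydata an mbuf whose m_len is 0 and m_next is 0x0 while m_pkthdr.len still claims 1232 bytes, and asks for 2 bytes at offset 40. The first loop of m_copydata subtracts m_len (nothing) and steps to m_next (NULL); the next read of m->m_len is then a load from address 0x18, which is the offset of m_len in struct mbuf on amd64 and the fault virtual address in the trap message, and frame #9 still reports off=40 because the zero-length mbuf consumed no offset. The program below keeps only the leading fields of the kernel's struct mbuf (in the kernel's order, so offsetof gives the same 0x18) plus a pkthdr_len field standing in for m_pkthdr.len; mbuf_seek reproduces the chain walk but returns NULL instead of dereferencing it, and mbuf_copydata_checked is a hypothetical hardened copy that also verifies the chain itself covers the requested bytes. The header-length comparison it performs first is modelled on the m_pkthdr.len check pf_pull_hdr makes before the copy; treat the exact kernel condition as an assumption and read pf.c around line 5422 in your own tree. Values marked "reported" are taken from the kgdb output above; the "good" chain is constructed.

```c
/*
 * Added example, not FreeBSD code: a user-space model of the mbuf chain
 * walk at the top of m_copydata(), run with the values from the kgdb frames
 * in this report.  Build: cc -std=c11 -Wall mbuf_walk.c
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the first fields of the kernel's struct mbuf,
 * kept in the kernel's order so offsetof(m_len) is 0x18 on LP64, matching
 * the reported fault address.  pkthdr_len models m_pkthdr.len. */
struct mbuf {
    struct mbuf *m_next;     /* next buffer of this packet, NULL at the end */
    struct mbuf *m_nextpkt;  /* next packet in a queue, unused here */
    char        *m_data;     /* start of valid data in this buffer */
    int          m_len;      /* bytes of valid data in this buffer */
    int          pkthdr_len; /* length the packet header claims (model of m_pkthdr.len) */
};

/* Walk 'off' bytes into the chain the way m_copydata's leading loop does,
 * but return NULL when the walk runs past the last mbuf instead of reading
 * m->m_len through a NULL pointer (the kernel's KASSERT is compiled out
 * without INVARIANTS, which is why GENERIC faults here). */
static struct mbuf *
mbuf_seek(struct mbuf *m, int off, int *residual)
{
    while (off > 0) {
        if (m == NULL)
            return NULL;         /* chain holds fewer than 'off' bytes */
        if (off < m->m_len)
            break;
        off -= m->m_len;
        m = m->m_next;
    }
    *residual = off;
    return m;
}

/* Bytes the chain actually carries: the sum of m_len over every mbuf. */
static int
mbuf_chain_len(const struct mbuf *m)
{
    int total = 0;
    for (; m != NULL; m = m->m_next)
        total += m->m_len;
    return total;
}

/* Hypothetical hardened copy: refuse unless both the header length and the
 * chain itself cover [off, off + len).  Returns bytes copied, or -1. */
static int
mbuf_copydata_checked(struct mbuf *m, int off, int len, char *cp)
{
    struct mbuf *cur;
    int rem, copied = 0;

    if (off < 0 || len < 0 || m->pkthdr_len < off + len)
        return -1;               /* header-based check, as pf_pull_hdr does */
    if (mbuf_chain_len(m) < off + len)
        return -1;               /* the check the header alone cannot give */
    cur = mbuf_seek(m, off, &rem);
    while (len > 0 && cur != NULL) {
        int count = cur->m_len - rem;
        if (count > len)
            count = len;
        memcpy(cp + copied, cur->m_data + rem, (size_t)count);
        copied += count;
        len -= count;
        rem = 0;
        cur = cur->m_next;
    }
    return copied;
}

/* Reported state from frame #10 / print *m: one mbuf, m_len 0, m_next 0x0,
 * m_pkthdr.len 1232; pf_pull_hdr asked for len=2 at off=40. */
static struct mbuf reported = {
    .m_next = NULL, .m_nextpkt = NULL, .m_data = NULL, .m_len = 0, .pkthdr_len = 1232
};

int reported_header_check_passes(void) { return reported.pkthdr_len >= 40 + 2; }
int reported_chain_check_fails(void)   { return mbuf_chain_len(&reported) < 40 + 2; }
int reported_walk_runs_off_chain(void) { int rem; return mbuf_seek(&reported, 40, &rem) == NULL; }
int reported_checked_copy_refused(void){ char p[2]; return mbuf_copydata_checked(&reported, 40, 2, p) == -1; }

/* Constructed well-formed chain for contrast: 40 bytes then 8 bytes, header
 * length 48, so offset 40 lands at the start of the second mbuf. */
static char buf0[40];
static char buf1[8] = { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H' };

/* Returns the two bytes at offset 40 packed as (b0 << 8) | b1, or -1. */
int good_chain_first_two(void)
{
    struct mbuf m1 = { NULL, NULL, buf1, 8, 0 };
    struct mbuf m0 = { &m1, NULL, buf0, 40, 48 };
    char out[2];
    if (mbuf_copydata_checked(&m0, 40, 2, out) != 2)
        return -1;
    return ((unsigned char)out[0] << 8) | (unsigned char)out[1];
}

int main(void)
{
    printf("offsetof(struct mbuf, m_len) = 0x%zx\n", offsetof(struct mbuf, m_len));
    printf("reported mbuf: header check passes=%d chain check fails=%d walk runs off chain=%d checked copy refused=%d\n",
        reported_header_check_passes(), reported_chain_check_fails(),
        reported_walk_runs_off_chain(), reported_checked_copy_refused());
    printf("good chain: bytes at offset 40 = 0x%04x\n", good_chain_first_two());
    return 0;
}
```

The useful takeaway for triage is the gap between the two checks: the header says 1232 bytes, the chain holds 0, and only the chain-sum check catches that. Who produced an mbuf with m_len 0, no m_next and a non-zero m_pkthdr.len is not something this report establishes, and the model makes no claim about it; it only shows why the walk ends at m == NULL and why the fault lands at 0x18.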