kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?)

Joerg Pulz Joerg.Pulz at frm2.tum.de
Wed May 23 19:50:05 UTC 2012 

The following reply was made to PR kern/168190; it has been noted by GNATS.

From: Joerg Pulz <Joerg.Pulz at frm2.tum.de>
To: Daniel Hartmeier <daniel at benzedrine.cx>
Cc: =?ISO-8859-15?Q?Ermal_Lu=E7i?= <eri at freebsd.org>,
        FreeBSD-gnats-submit at freebsd.org, freebsd-pf at freebsd.org
Subject: Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad
 fragment handling?)
Date: Wed, 23 May 2012 21:48:03 +0200 (CEST)

   This message is in MIME format.  The first part should be readable text,
   while the remaining parts are likely unreadable without MIME-aware tools.
 
 --3469798045-1716925155-1337802345=:21881
 Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-1; format=flowed
 Content-Transfer-Encoding: 8BIT
 Content-ID: <alpine.BSF.2.00.1205232145561.21881 at unqrf.nqzva.sez2>
 
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 
 Content-ID: <alpine.BSF.2.00.1205232145560.21881 at unqrf.nqzva.sez2>
 
 On Tue, 22 May 2012, Daniel Hartmeier wrote:
 
 > If you have the chance, please try the patch below.
 >
 > It adds byte order checks all over the place, hoping for a panic closer
 > to the source of the problem.
 
 Daniel,
 
 system was running for about a day with your patch with many users using 
 it. It panic'ed some minutes ago.
 System configuration is still the same, no other patches, no changed 
 interface settings or removed/changed kernel options.
 
 Here is the kgdb(1) output with "m" and "ifp" listed.
 I hope this helps to get closer to the source of the problem.
 
 Let me know if you need more output.
 
 Kind regards
 Joerg
 
 
 #### kgdb.out_assert
 
 GNU gdb 6.1.1 [FreeBSD]
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "amd64-marcel-freebsd"...
 
 Unread portion of the kernel message buffer:
 panic: ASSERT_HOST_BYTE_ORDER
 cpuid = 1
 KDB: stack backtrace:
 db_trace_self_wrapper() at db_trace_self_wrapper+0x2a
 kdb_backtrace() at kdb_backtrace+0x37
 panic() at panic+0x182
 pfil_run_hooks() at pfil_run_hooks+0x159
 ip_output() at ip_output+0x6de
 ip_forward() at ip_forward+0x19e
 ip_input() at ip_input+0x670
 swi_net() at swi_net+0x15a
 intr_event_execute_handlers() at intr_event_execute_handlers+0x66
 ithread_loop() at ithread_loop+0xaf
 fork_exit() at fork_exit+0x12a
 fork_trampoline() at fork_trampoline+0xe
 - --- trap 0, rip = 0, rsp = 0xffffff8000241d00, rbp = 0 ---
 KDB: enter: panic
 Dumping 585 out of 4077 MB:..3%..11%..22%..31%..41%..52%..61%..72%..82%..91%
 
 Reading symbols from /boot/kernel/geom_mirror.ko...Reading symbols from /boot/kernel/geom_mirror.ko.symbols...done.
 done.
 Loaded symbols for /boot/kernel/geom_mirror.ko
 Reading symbols from /boot/kernel/ipmi.ko...Reading symbols from /boot/kernel/ipmi.ko.symbols...done.
 done.
 Loaded symbols for /boot/kernel/ipmi.ko
 #0  doadump (textdump=0) at pcpu.h:224
 224		__asm("movq %%gs:0,%0" : "=r" (td));
 (kgdb) up 10
 #10 0xffffffff8074b325 in pfil_run_hooks (ph=0xfffffe000581f880,
      mp=0xffffff8000241978, ifp=0xfffffe0003002000, dir=2, inp=0x0)
      at /usr/src/sys/net/pfil.c:89
 89				ASSERT_HOST_BYTE_ORDER(m);
 (kgdb) list
 84				ASSERT_HOST_BYTE_ORDER(m);
 85				rv = (*pfh->pfil_func)(pfh->pfil_arg, &m, ifp, dir,
 86				    inp);
 87				if (rv != 0 || m == NULL)
 88					break;
 89				ASSERT_HOST_BYTE_ORDER(m);
 90			}
 91		}
 92		PFIL_RUNLOCK(ph, &rmpt);
 93		*mp = m;
 (kgdb) p *m
 $1 = {m_hdr = {mh_next = 0xfffffe000586bb00, mh_nextpkt = 0x0,
      mh_data = 0xfffffe010045c974 "E", mh_len = 60, mh_flags = 66, mh_type = 1,
      pad = "­ÞÞÀ­Þ"}, M_dat = {MH = {MH_pkthdr = {rcvif = 0xfffffe0003001800,
          header = 0x0, len = 450, flowid = 0, csum_flags = 768,
          csum_data = 26073, tso_segsz = 0, PH_vt = {vt_vtag = 0, vt_nrecs = 0},
          tags = {slh_first = 0xfffffe000572c700}}, MH_dat = {MH_ext = {
            ext_buf = 0xc02c01fc0045 <Address 0xc02c01fc0045 out of bounds>,
            ext_free = 0xc02c01c20045, ext_arg1 = 0x4d46cb4f398a0437,
            ext_arg2 = 0xc201004557b3bb81, ext_size = 21286,
            ref_cnt = 0x240119ac02079b0a, ext_type = 2059207427},
          MH_databuf = "E\000ü\001,À\000\000E\000Â\001,À\000\0007\004\2129OËFM\201»³WE\000\001Â&S\000\000?\001\224\016\n\233\a\002¬\031\001$\003\003½z\000\000\000\000E\000\001¦åí\000\000>\021Ö\177¬\031\001$\n\233\a\002\0005ÿ_\001\222)Ûdh\201\200\000\001\000\003\000\b\000\bÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­Þ"}},
      M_databuf = "\000\030\000\003\000þÿÿ\000\000\000\000\000\000\000\000Â\001\000\000\000\000\000\000\000\003\000\000Ùe\000\000\000\000\000\000ÞÀ­Þ\000Çr\005\000þÿÿE\000ü\001,À\000\000E\000Â\001,À\000\0007\004\2129OËFM\201»³WE\000\001Â&S\000\000?\001\224\016\n\233\a\002¬\031\001$\003\003½z\000\000\000\000E\000\001¦åí\000\000>\021Ö\177¬\031\001$\n\233\a\002\0005ÿ_\001\222)Ûdh\201\200\000\001\000\003\000\b\000\bÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­Þ"...}}
 (kgdb) p *ifp
 $2 = {if_softc = 0xffffff80007b1000, if_l2com = 0xfffffe000300ba40,
    if_vnet = 0x0, if_link = {tqe_next = 0xfffffe0003001000,
      tqe_prev = 0xfffffe0003001818},
    if_xname = "bge1", '\0' <repeats 11 times>,
    if_dname = 0xfffffe00028f07d8 "bge", if_dunit = 1, if_refcount = 1,
    if_addrhead = {tqh_first = 0xfffffe0003009800,
      tqh_last = 0xfffffe000591b4b8}, if_pcount = 0, if_carp = 0x0,
    if_bpf = 0xfffffe0005126900, if_index = 6, if_index_reserved = 0,
    if_vlantrunk = 0x0, if_flags = 34819, if_capabilities = 524443,
    if_capenable = 524443, if_linkmib = 0x0, if_linkmiblen = 0, if_data = {
      ifi_type = 6 '\006', ifi_physical = 0 '\0', ifi_addrlen = 6 '\006',
      ifi_hdrlen = 18 '\022', ifi_link_state = 2 '\002',
      ifi_spare_char1 = 0 '\0', ifi_spare_char2 = 0 '\0',
      ifi_datalen = 152 '\230', ifi_mtu = 1500, ifi_metric = 0,
      ifi_baudrate = 1000000000, ifi_ipackets = 1922972, ifi_ierrors = 0,
      ifi_opackets = 962786, ifi_oerrors = 0, ifi_collisions = 0,
      ifi_ibytes = 1150684321, ifi_obytes = 312161748, ifi_imcasts = 942443,
      ifi_omcasts = 0, ifi_iqdrops = 0, ifi_noproto = 0, ifi_hwassist = 3,
      ifi_epoch = 1, ifi_lastchange = {tv_sec = 1337714565, tv_usec = 347019}},
    if_multiaddrs = {tqh_first = 0xfffffe0005915900,
      tqh_last = 0xfffffe0005a39100}, if_amcount = 0,
    if_output = 0xffffffff8073d805 <ether_output>,
    if_input = 0xffffffff8073cddb <ether_input>,
    if_start = 0xffffffff803c3087 <bge_start>,
    if_ioctl = 0xffffffff803c92ba <bge_ioctl>,
    if_init = 0xffffffff803c9274 <bge_init>,
    if_resolvemulti = 0xffffffff8073c79d <ether_resolvemulti>,
    if_qflush = 0xffffffff807355d2 <if_qflush>,
    if_transmit = 0xffffffff8073549e <if_transmit>, if_reassign = 0,
    if_home_vnet = 0x0, if_addr = 0xfffffe0003009800, if_llsoftc = 0x0,
    if_drv_flags = 64, if_snd = {ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0,
      ifq_maxlen = 511, ifq_drops = 0, ifq_mtx = {lock_object = {
          lo_name = 0xfffffe0003002028 "bge1", lo_flags = 16973824, lo_data = 0,
          lo_witness = 0xffffff80006cf480}, mtx_lock = 4}, ifq_drv_head = 0x0,
      ifq_drv_tail = 0x0, ifq_drv_len = 0, ifq_drv_maxlen = 511, altq_type = 0,
      altq_flags = 1, altq_disc = 0x0, altq_ifp = 0xfffffe0003002000,
      altq_enqueue = 0, altq_dequeue = 0, altq_request = 0, altq_clfier = 0x0,
      altq_classify = 0, altq_tbr = 0x0, altq_cdnr = 0x0},
    if_broadcastaddr = 0xffffffff80adb000 "ÿÿÿÿÿÿ", if_bridge = 0x0,
    if_label = 0x0, if_prefixhead = {tqh_first = 0x0,
      tqh_last = 0xfffffe0003002278}, if_afdata = {0x0, 0x0, 0xfffffe000581fa00,
      0x0 <repeats 25 times>, 0xfffffe0005814800, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
      0x0, 0x0, 0x0}, if_afdata_initialized = 2, if_afdata_lock = {
      lock_object = {lo_name = 0xffffffff80ada29a "if_afdata",
        lo_flags = 69402624, lo_data = 0, lo_witness = 0xffffff80006cf400},
      rw_lock = 1}, if_linktask = {ta_link = {stqe_next = 0x0}, ta_pending = 0,
      ta_priority = 0, ta_func = 0xffffffff80737a79 <do_link_state_change>,
      ta_context = 0xfffffe0003002000}, if_addr_mtx = {lock_object = {
        lo_name = 0xffffffff80acc360 "if_addr_mtx", lo_flags = 16973824,
        lo_data = 0, lo_witness = 0xffffff80006c8b80}, mtx_lock = 4},
    if_clones = {le_next = 0x0, le_prev = 0x0}, if_groups = {
      tqh_first = 0xfffffe00050d3ae0, tqh_last = 0xfffffe00050d3ae8},
    if_pf_kif = 0xfffffe0005889300, if_lagg = 0x0, if_description = 0x0,
    if_fib = 0, if_alloctype = 6 '\006', if_cspare = "\000\000", if_ispare = {0,
      0, 0, 0}, if_pspare = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
 (kgdb)
 
 #### kgdb.out_assert
 
 - -- 
 The beginning is the most important part of the work.
  				-Plato
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.18 (FreeBSD)
 
 iD8DBQFPvT72SPOsGF+KA+MRAvxgAJ91uOe4RymMtaUOoZ7IK61/qHpoSQCZAbd0
 /LVHK3BmvPKBUbd6e5rokUE=
 =9vPz
 -----END PGP SIGNATURE-----
 --3469798045-1716925155-1337802345=:21881--

More information about the freebsd-pf mailing list