[Bug 185633] [pf] scrubbing bug in transparent mode bug with bigger than MTU UDP packet

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Mon Aug 29 12:21:09 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185633

--- Comment #6 from Olivier Cochard <olivier at freebsd.org> ---
I've generated a core dump and started kgdb on it:

There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x1c
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff8221c218
stack pointer           = 0x28:0xfffffe000dff36c0
frame pointer           = 0x28:0xfffffe000dff3730
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 11 (irq267: virtio_pci1)
trap number             = 12
panic: page fault
cpuid = 0
KDB: stack backtrace:
#0 0xffffffff809590b7 at kdb_backtrace+0x67
#1 0xffffffff80911f32 at vpanic+0x182
#2 0xffffffff80911da3 at panic+0x43
#3 0xffffffff80d36c11 at trap_fatal+0x351
#4 0xffffffff80d36e03 at trap_pfault+0x1e3
#5 0xffffffff80d3638c at trap+0x26c
#6 0xffffffff80d19e71 at calltrap+0x8
#7 0xffffffff8221dd74 at bridge_forward+0x304
#8 0xffffffff8221d0ce at bridge_input+0x5de
#9 0xffffffff80a1a290 at ether_nh_input+0x2a0
#10 0xffffffff80a30c05 at netisr_dispatch_src+0xa5
#11 0xffffffff80a19936 at ether_input+0x26
#12 0xffffffff807f0c6c at vtnet_rxq_eof+0x84c
#13 0xffffffff807f1be3 at vtnet_rx_vq_intr+0x93
#14 0xffffffff808d68ef at intr_event_execute_handlers+0x20f
#15 0xffffffff808d6b56 at ithread_loop+0xc6
#16 0xffffffff808d3535 at fork_exit+0x85
#17 0xffffffff80d1a3ae at fork_trampoline+0xe
Uptime: 2m55s
Dumping 113 out of 224 MB:..15%..29%..43%..57%..71%..85%..99%

Reading symbols from /data/debug/boot/kernel/if_bridge.ko.debug...done.
Loaded symbols for /data/debug/boot/kernel/if_bridge.ko.debug
Reading symbols from /boot/kernel/bridgestp.ko...done.
Loaded symbols for /boot/kernel/bridgestp.ko
Reading symbols from /boot/kernel/pf.ko...done.
Loaded symbols for /boot/kernel/pf.ko
#0  doadump (textdump=<value optimized out>) at pcpu.h:221
221     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump (textdump=<value optimized out>) at pcpu.h:221
#1  0xffffffff809119b9 in kern_reboot (howto=260)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_shutdown.c:366
#2  0xffffffff80911f6b in vpanic (fmt=<value optimized out>,
    ap=<value optimized out>)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_shutdown.c:759
#3  0xffffffff80911da3 in panic (fmt=0x0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_shutdown.c:690
#4  0xffffffff80d36c11 in trap_fatal (frame=0xfffffe000dff3610, eva=28)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/trap.c:841
#5  0xffffffff80d36e03 in trap_pfault (frame=0xfffffe000dff3610, usermode=0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/trap.c:691
#6  0xffffffff80d3638c in trap (frame=0xfffffe000dff3610)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/trap.c:442
#7  0xffffffff80d19e71 in calltrap ()
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/exception.S:236
#8  0xffffffff8221c218 in bridge_pfil (mp=<value optimized out>,
    bifp=<value optimized out>, ifp=0xfffff8000329f000,
    dir=<value optimized out>)
    at
/usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:3511
#9  0xffffffff8221dd74 in bridge_forward (sc=<value optimized out>,
    sbif=<value optimized out>, m=0x0)
    at
/usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:2265
#10 0xffffffff8221d0ce in bridge_input (ifp=<value optimized out>,
    m=<value optimized out>)
    at
/usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:2475
#11 0xffffffff80a1a290 in ether_nh_input (m=<value optimized out>)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/net/if_ethersubr.c:602
#12 0xffffffff80a30c05 in netisr_dispatch_src (proto=5,
    source=<value optimized out>, m=0x0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/net/netisr.c:1120
#13 0xffffffff80a19936 in ether_input (ifp=<value optimized out>, m=0x0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/net/if_ethersubr.c:757
#14 0xffffffff807f0c6c in vtnet_rxq_eof (rxq=<value optimized out>)
    at
/usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/dev/virtio/network/if_vtnet.c:1745
#15 0xffffffff807f1be3 in vtnet_rx_vq_intr (xrxq=0xfffff800032b8c00)
    at
/usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/dev/virtio/network/if_vtnet.c:1876
#16 0xffffffff808d68ef in intr_event_execute_handlers (
    p=<value optimized out>, ie=<value optimized out>)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_intr.c:1262
#17 0xffffffff808d6b56 in ithread_loop (arg=<value optimized out>)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_intr.c:1275
#18 0xffffffff808d3535 in fork_exit (
    callout=0xffffffff808d6a90 <ithread_loop>, arg=0xfffff800032b2f80,
    frame=0xfffffe000dff3ac0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_fork.c:1038
#19 0xffffffff80d1a3ae in fork_trampoline ()
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/exception.S:611
#20 0x0000000000000000 in ?? ()
Current language:  auto; currently minimal

=> Displaying code at instruction pointer creating the problem:

(kgdb) list *0xffffffff8221c218
0xffffffff8221c218 is in bridge_pfil
(/usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:3511).
3506   
/usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:
No such file or directory.
        in
/usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c

(kgdb) frame 8
#8  0xffffffff8221c218 in bridge_pfil (mp=<value optimized out>,
    bifp=<value optimized out>, ifp=0xfffff8000329f000,
    dir=<value optimized out>)
    at
/usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:3511
3511    in
/usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c


===== I didn't have the source code (just debug symbols) on this machine, so
looking in if_bridge.c at line 3511: it's the bridge_fragment() function (called by
bridge_pfil):

3481 static int
3482 bridge_fragment(struct ifnet *ifp, struct mbuf *m, struct ether_header *eh,
3483     int snap, struct llc *llc)
3484 {
3485     struct mbuf *m0;
3486     struct ip *ip;
3487     int error = -1;
3488
3489     if (m->m_len < sizeof(struct ip) &&
3490         (m = m_pullup(m, sizeof(struct ip))) == NULL)
3491         goto out;
3492     ip = mtod(m, struct ip *);
3493
3494     m->m_pkthdr.csum_flags |= CSUM_IP;
3495     error = ip_fragment(ip, &m, ifp->if_mtu, ifp->if_hwassist);
3496     if (error)
3497         goto out;
3498
3499     /* walk the chain and re-add the Ethernet header */
3500     for (m0 = m; m0; m0 = m0->m_nextpkt) {
3501         if (error == 0) {
3502             if (snap) {
3503                 M_PREPEND(m0, sizeof(struct llc), M_NOWAIT);
3504                 if (m0 == NULL) {
3505                     error = ENOBUFS;
3506                     continue;
3507                 }
3508                 bcopy(llc, mtod(m0, caddr_t),
3509                     sizeof(struct llc));
3510             }
3511             M_PREPEND(m0, ETHER_HDR_LEN, M_NOWAIT);
3512             if (m0 == NULL) {
3513                 error = ENOBUFS;
3514                 continue;
3515             }
3516             bcopy(eh, mtod(m0, caddr_t), ETHER_HDR_LEN);
3517         } else
3518             m_freem(m);
3519     }
3520
3521     if (error == 0)
3522         KMOD_IPSTAT_INC(ips_fragmented);
3523
3524     return (error);
3525
3526 out:
3527     if (m != NULL)
3528         m_freem(m);
3529     return (error);
3530 }


=> The line that creates the problem should be:
M_PREPEND(m0, ETHER_HDR_LEN, M_NOWAIT);

Right ?

But how do I display the m0 variable? It seems I can only see the "ifp" variable:

(kgdb) p *ifp
$3 = {if_link = {tqe_next = 0xfffff80003385800,
    tqe_prev = 0xfffff8000329f800}, if_clones = {le_next = 0x0,
    le_prev = 0x0}, if_groups = {tqh_first = 0xfffff800032b2420,
    tqh_last = 0xfffff800032b2428}, if_alloctype = 6 '\006',
  if_softc = 0xfffff800031e7000, if_llsoftc = 0x0, if_l2com = 0x0,
  if_dname = 0xfffff80003176a58 "vtnet", if_dunit = 1, if_index = 2,
  if_index_reserved = 0, if_xname = 0xfffff8000329f060 "vtnet1",
  if_description = 0x0, if_flags = 35075, if_drv_flags = 64,
  if_capabilities = 1572904, if_capenable = 524328, if_linkmib = 0x0,
  if_linkmiblen = 0, if_refcount = 1, if_type = 6 '\006',
  if_addrlen = 6 '\006', if_hdrlen = 18 '\022', if_link_state = 2 '\002',
  if_mtu = 1500, if_metric = 0, if_baudrate = 10000000000, if_hwassist = 0,
  if_epoch = 1, if_lastchange = {tv_sec = 1472470495, tv_usec = 912458},
  if_snd = {ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0, ifq_maxlen = 10240,
    ifq_mtx = {lock_object = {lo_name = 0xfffff8000329f060 "vtnet1",
        lo_flags = 16973824, lo_data = 0, lo_witness = 0x0}, mtx_lock = 4},
    ifq_drv_head = 0x0, ifq_drv_tail = 0x0, ifq_drv_len = 0,
    ifq_drv_maxlen = 0, altq_type = 0, altq_flags = 0, altq_disc = 0x0,
    altq_ifp = 0xfffff8000329f000, altq_enqueue = 0, altq_dequeue = 0,
    altq_request = 0, altq_clfier = 0x0, altq_classify = 0, altq_tbr = 0x0,
    altq_cdnr = 0x0}, if_linktask = {ta_link = {stqe_next = 0x0},
    ta_pending = 0, ta_priority = 0,
    ta_func = 0xffffffff80a0d610 <do_link_state_change>,
    ta_context = 0xfffff8000329f000}, if_addr_lock = {lock_object = {
      lo_name = 0xffffffff81232f6f "if_addr_lock", lo_flags = 86179840,
      lo_data = 0, lo_witness = 0x0}, rw_lock = 1}, if_addrhead = {
    tqh_first = 0xfffff800032b7900, tqh_last = 0xfffff8000368c028},
  if_multiaddrs = {tqh_first = 0xfffff800033c6b80,
    tqh_last = 0xfffff800033c6e80}, if_amcount = 0,
  if_addr = 0xfffff800032b7900,
  if_broadcastaddr = 0xffffffff81233490 "▒▒▒▒▒▒", if_afdata_lock = {
    lock_object = {lo_name = 0xffffffff81232f7c "if_afdata",
      lo_flags = 86179840, lo_data = 0, lo_witness = 0x0}, rw_lock = 1},
  if_afdata = 0xfffff8000329f208, if_afdata_initialized = 2, if_fib = 0,
  if_vnet = 0x0, if_home_vnet = 0x0, if_vlantrunk = 0x0,
  if_bpf = 0xfffff800032c6a80, if_pcount = 1, if_bridge = 0xfffff8000368de00,
  if_lagg = 0x0, if_pf_kif = 0xfffff8000341fd00, if_carp = 0x0,
  if_label = 0x0, if_netmap = 0xfffff800032f7400,
  if_output = 0xffffffff80a18d60 <ether_output>,
  if_input = 0xffffffff80a19910 <ether_input>, if_start = 0,
  if_ioctl = 0xffffffff807f20e0 <vtnet_ioctl>,
  if_init = 0xffffffff807f1f90 <vtnet_init>,
  if_resolvemulti = 0xffffffff80a19950 <ether_resolvemulti>,
  if_qflush = 0xffffffff807f2900 <vtnet_qflush>,
  if_transmit = 0xffffffff807f27f0 <vtnet_txq_mq_start>, if_reassign = 0,
  if_get_counter = 0xffffffff807f2780 <vtnet_get_counter>,
  if_requestencap = 0xffffffff80a19a70 <ether_requestencap>,
  if_counters = 0xfffff8000329f410, if_hw_tsomax = 65518,
  if_hw_tsomaxsegcount = 35, if_hw_tsomaxsegsize = 2048,
  if_pspare = 0xfffff8000329f480, if_ispare = 0xfffff8000329f4a0}
(kgdb)

Regards,
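A reading note on the loop in the quoted listing, followed by an added example that is not from the bug report or from FreeBSD's source. M_PREPEND leaves m0 NULL when it fails (the listing checks for exactly that), and the `continue` at lines 3506 and 3514 then runs the loop's own `m0 = m0->m_nextpkt` step on that NULL pointer. The report does not establish that this is what happened in this dump, but it is the kind of chain-walk hazard worth recognising when reading such a crash. The toy C program below models the walk with a stand-in packet structure (the names pkt, prepend, reheader_chain, scenario and live_packets are this example's own, as is the injected prepend failure): the next pointer is read before the call that can consume the current node, and on failure the remainder of the chain is released exactly once.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { HDR_LEN = 14 };           /* same size as an Ethernet header */

/* Toy stand-in for an mbuf packet, chained through nextpkt like m_nextpkt. */
struct pkt {
    struct pkt *nextpkt;
    unsigned char *data;
    size_t len;
};

static int live_pkts;            /* allocation accounting for leak checks */

static struct pkt *pkt_alloc(size_t len) {
    struct pkt *p = calloc(1, sizeof *p);
    p->data = calloc(len + 1, 1);
    p->len = len;
    live_pkts++;
    return p;
}

static void pkt_free(struct pkt *p) {
    free(p->data);
    free(p);
    live_pkts--;
}

/* Release every packet from p to the end of the chain. */
static void chain_free(struct pkt *p) {
    while (p != NULL) {
        struct pkt *next = p->nextpkt;
        pkt_free(p);
        p = next;
    }
}

/* Constructed failure injection: the prepend call numbered fail_on_call
 * fails and, like M_PREPEND on allocation failure, consumes the packet and
 * yields NULL. A value of -1 never fails. */
static int fail_on_call = -1;
static int prepend_calls;

static struct pkt *prepend(struct pkt *p, const unsigned char *hdr, size_t n) {
    if (prepend_calls++ == fail_on_call) {
        pkt_free(p);
        return NULL;
    }
    unsigned char *nd = malloc(p->len + n);
    memcpy(nd, hdr, n);
    memcpy(nd + n, p->data, p->len);
    free(p->data);
    p->data = nd;
    p->len += n;
    return p;
}

/* Re-add the header to every packet of the chain. The next pointer is saved
 * before the call that may invalidate the current node, so a failed prepend
 * can never leave the loop advancing through a NULL iterator; on failure the
 * consumed node is spliced out and the whole chain is released once. */
static int reheader_chain(struct pkt **chainp, const unsigned char *hdr) {
    struct pkt **link = chainp;          /* slot holding the current node */
    struct pkt *m0 = *chainp;

    while (m0 != NULL) {
        struct pkt *next = m0->nextpkt;  /* read before m0 may be consumed */
        m0 = prepend(m0, hdr, HDR_LEN);
        if (m0 == NULL) {
            *link = next;                /* skip the node prepend freed */
            chain_free(*chainp);
            *chainp = NULL;
            return ENOBUFS;
        }
        link = &m0->nextpkt;
        m0 = next;
    }
    return 0;
}

/* One constructed scenario: a three-fragment chain with payloads of 10, 20
 * and 30 bytes is re-headed; fail_index selects the prepend call that fails
 * (-1 for none). Returns reheader_chain's result, stores the summed length of
 * whatever chain survives in *total_len, then frees that chain. */
static int scenario(int fail_index, size_t *total_len) {
    static const unsigned char hdr[HDR_LEN] = { 0xde, 0xad };  /* constructed */
    struct pkt *a = pkt_alloc(10), *b = pkt_alloc(20), *c = pkt_alloc(30);
    a->nextpkt = b;
    b->nextpkt = c;

    fail_on_call = fail_index;
    prepend_calls = 0;
    struct pkt *chain = a;
    int error = reheader_chain(&chain, hdr);

    *total_len = 0;
    for (struct pkt *p = chain; p != NULL; p = p->nextpkt)
        *total_len += p->len;
    chain_free(chain);
    return error;
}

static int live_packets(void) { return live_pkts; }

int main(void) {
    size_t total;
    int err = scenario(-1, &total);
    printf("no failure: error=%d total_len=%zu live=%d\n", err, total, live_packets());
    err = scenario(1, &total);
    printf("2nd prepend fails: error=%d total_len=%zu live=%d\n", err, total, live_packets());
    return 0;
}
```

Running it shows the two outcomes the walk must handle: with no failure every fragment carries the header and the chain is intact; with the second prepend failing the walk reports ENOBUFS and no packets remain allocated, instead of touching a freed or NULL node.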
