[Bug 209475] pf didn't check if enough free RAM for net.pf.states_hashsize

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sun May 29 21:39:01 UTC 2016


--- Comment #4 from fehmi noyan isi <fnoyanisi at yahoo.com> ---

In this forum post [1] from David, there is a bit of discussion about this PR
(apart from the original question).

Would checking the requested amount of memory by malloc(9) against the
available RAM (obtained via sysctl hw.physmem) be a good approach to avoid this

To test this, I set up two identical VMs (in fact, VM2 is the copied & renamed
version of VM1's bhyve image) with 512MB of RAM, running FreeBSD-CURRENT, single
CPU core.

VM1 has the pf.c that comes with the FreeBSD-CURRENT source, whereas VM2 has a
patched version of the file, which performs a sanity check on the requested
memory by malloc(9) against the RAM size. If the requested memory is more than
the available memory, pf_hashsize is set to PF_HASHSIZ, which is 32768.

On both VMs, I set net.pf.states_hashsize to 2147483648 (way more than the RAM
on the VM) via /boot/loader.conf. pf(4) is loaded with the service(8) command.
With this configuration on each VM, VM1 fails to start pf(4), whereas VM2
successfully loads the kernel module with net.pf.states_hashsize set to 32768.

vm1 # uname -a
FreeBSD test-pf 11.0-CURRENT FreeBSD 11.0-CURRENT #0 r297692: Fri Apr  8
03:07:13 UTC 2016  root at releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC 
vm1 # cat /boot/loader.conf
net.pf.states_hashsize: 2147483648
vm1 # sysctl hw.realmem
hw.realmem: 536870912
vm1 # kldstat
Id Refs Address  Size  Name
1  3 0xffffffff80200000 1ee2bc0  kernel
vm1 # service pf onestart
Enabling pfKernel page fault with the following non-sleepable locks held:
exclusive rw pf rulesets (pf rulesets) r = 0 (0xffffffff822466e0) locked @
stack backtrace:
#0 0xffffffff80a91a90 at witness_debugger+0x70
#1 0xffffffff80a92d77 at witness_warn+0x3d7
#2 0xffffffff80e92817 at trap_pfault+0x57
#3 0xffffffff80e91ea4 at trap+0x284
#4 0xffffffff80e71ea7 at calltrap+0x8
#5 0xffffffff8090b646 at devfs_ioctl_f+0x156
#6 0xffffffff80a97106 at kern_ioctl+0x246
#7 0xffffffff80a96e51 at sys_ioctl+0x171
#8 0xffffffff80e92f6b at amd64_syscall+0x2db
#9 0xffffffff80e7218b at Xfast_syscall+0xfb

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x0
fault code     = supervisor read data, page not present
instruction pointer   = 0x20:0xffffffff8223001f
stack pointer    = 0x28:0xfffffe002b724310
frame pointer    = 0x28:0xfffffe002b724800
code segment     = base 0x0, limit 0xfffff, type 0x1b
       = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags   = interrupt enabled, resume, IOPL = 0
current process     = 635 (pfctl)
[ thread pid 635 tid 100074 ]
Stopped at  pfioctl+0x4ef:  movq  (%rdi),%rsi

vm2 # uname -a
FreeBSD test-pf 11.0-CURRENT FreeBSD 11.0-CURRENT #2: Sun May 29 12:06:57 NZST
2016  test at test-pf:/usr/obj/usr/src/sys/GENERIC  amd64
vm2 # cat /boot/loader.conf
vm2 # sysctl hw.realmem
hw.realmem: 536870912
vm2 # kldstat
Id Refs Address  Size  Name
1  1 0xffffffff80200000 1ee2bc0  kernel
vm2 # service pf onestart
Enabling pf.
vm2 # kldstat
Id Refs Address  Size  Name
1  3 0xffffffff80200000 1ee2bc0  kernel
2  1 0xffffffff82219000 34c30  pf.ko

[1] https://forums.freebsd.org/threads/56250/
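As an added illustration of the sanity check described in this comment (example code written for this page, not the reporter's patch nor pf's own pf_initialize()), the helper below bounds the tunable-driven allocation by the RAM size before anything is malloc'd; the bucket size, the helper name and the RAM-check policy are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PF_HASHSIZ 32768UL	/* pf's default, as named in the comment above */

/* pf already requires a non-zero power of two for the hash size. */
static bool
powerof2_ul(unsigned long x)
{
	return (x != 0 && (x & (x - 1)) == 0);
}

/*
 * Hypothetical helper (not pf's own code): decide the state hash size.
 * `requested' is the net.pf.states_hashsize tunable, `entry_size' the size
 * of one hash bucket, `physmem' the RAM in bytes (what sysctl hw.physmem
 * reports). Falls back to PF_HASHSIZ when the request is not a power of
 * two, when the byte count would overflow, or when it exceeds RAM, so the
 * allocation can never be asked for more memory than the machine has.
 */
unsigned long
pf_choose_hashsize(unsigned long requested, size_t entry_size,
    uint64_t physmem)
{
	uint64_t bytes;

	if (entry_size == 0 || !powerof2_ul(requested))
		return (PF_HASHSIZ);
	/* Check for overflow before multiplying: 2^31 buckets * 64 bytes
	 * already wraps a 32-bit size_t on i386. */
	if ((uint64_t)requested > UINT64_MAX / entry_size)
		return (PF_HASHSIZ);
	bytes = (uint64_t)requested * entry_size;
	if (bytes > physmem)
		return (PF_HASHSIZ);
	return (requested);
}

int
main(void)
{
	/* Constructed input: the 512MB VM from the report, 64-byte buckets
	 * (assumed), and the tunable value the reporter used. */
	uint64_t physmem = 536870912ULL;

	printf("%lu\n", pf_choose_hashsize(2147483648UL, 64, physmem));
	printf("%lu\n", pf_choose_hashsize(65536UL, 64, physmem));
	return (0);
}
```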
