svn commit: r339554 - head/sys/net

Kristof Provost kp at FreeBSD.org
Tue Oct 23 00:51:35 UTC 2018


On 21 Oct 2018, at 11:24, Andrey V. Elsukov wrote:
> Author: ae
> Date: Sun Oct 21 18:24:20 2018
> New Revision: 339554
> URL: https://svnweb.freebsd.org/changeset/base/339554
>
> Log:
>   Rework if_ipsec(4) to use epoch(9) instead of rmlock.
>
>   * use CK_LIST and FNV hash to keep chains of softc;
>   * read access to softc is protected by epoch();
>   * write access is protected by ipsec_ioctl_sx. Changing of softc fields
>     is allowed only when softc is unlinked from CK_LIST chains.
>   * linking/unlinking of softc is allowed only when ipsec_ioctl_sx is
>     exclusively locked.
>   * the plain LIST of all softc is replaced by a hash table that uses ingress
>     address of tunnels as a key.
>   * added support for appearing/disappearing of ingress address handling.
>     Now it is allowed to configure a non-local ingress IP address, and thus the
>     problem with if_ipsec(4) configuration that happens on boot, when
>     ingress address is not yet configured, is solved.
>
>   MFC after:	1 month
>   Sponsored by:	Yandex LLC
>   Differential Revision:	https://reviews.freebsd.org/D17190
>
This panics during the pf tests.
To reproduce:

pkg install scapy
kldload pf
cd /usr/tests/sys/netpfil
kyua test

	Fatal trap 9: general protection fault while in kernel mode
	cpuid = 3; apic id = 03
	instruction pointer     = 0x20:0xffffffff80ca7260
	stack pointer           = 0x28:0xfffffe00954c4650
	frame pointer           = 0x28:0xfffffe00954c4660
	code segment            = base 0x0, limit 0xfffff, type 0x1b
	                        = DPL 0, pres 1, long 1, def32 0, gran 1
	processor eflags        = interrupt enabled, resume, IOPL = 0
	current process         = 3204 (jail)
	[ thread pid 3204 tid 101409 ]
	Stopped at      ipsec_srcaddr+0x40:     cmpl    $0,ll+0xb(%rbx)
	db> bt
	Tracing pid 3204 tid 101409 td 0xfffff80084239580
	ipsec_srcaddr() at ipsec_srcaddr+0x40/frame 0xfffffe00954c4660
	srcaddr_change_event() at srcaddr_change_event+0x14d/frame 0xfffffe00954c46c0
	in_difaddr_ioctl() at in_difaddr_ioctl+0x41f/frame 0xfffffe00954c4720
	in_ifscrub_all() at in_ifscrub_all+0x13d/frame 0xfffffe00954c47a0
	ip_destroy() at ip_destroy+0xbd/frame 0xfffffe00954c47c0
	vnet_destroy() at vnet_destroy+0x124/frame 0xfffffe00954c47f0
	prison_deref() at prison_deref+0x29d/frame 0xfffffe00954c4830
	sys_jail_remove() at sys_jail_remove+0x28a/frame 0xfffffe00954c4880
	amd64_syscall() at amd64_syscall+0x278/frame 0xfffffe00954c49b0
	fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe00954c49b0
	--- syscall (508, FreeBSD ELF64, sys_jail_remove), rip = 0x8003131ba, rsp = 0x7fffffffe828, rbp = 0x7fffffffe8b0 ---


At that point %rbx is 0xdeadc0dedeadc0de, so presumably we're trying to dereference something that's been freed already.

kgdb agrees. The softc has been freed:

	#0  __curthread () at ./machine/pcpu.h:230
	#1  doadump (textdump=0) at /usr/src/sys/kern/kern_shutdown.c:366
	#2  0xffffffff804645db in db_dump (dummy=<optimized out>, dummy2=<unavailable>, dummy3=<unavailable>, dummy4=<unavailable>) at /usr/src/sys/ddb/db_command.c:574
	#3  0xffffffff804643a9 in db_command (last_cmdp=<optimized out>, cmd_table=<optimized out>, dopager=<optimized out>) at /usr/src/sys/ddb/db_command.c:481
	#4  0xffffffff80464124 in db_command_loop () at /usr/src/sys/ddb/db_command.c:534
	#5  0xffffffff8046733f in db_trap (type=<optimized out>, code=<optimized out>) at /usr/src/sys/ddb/db_main.c:252
	#6  0xffffffff80be5987 in kdb_trap (type=9, code=0, tf=0xfffffe00954c4590) at /usr/src/sys/kern/subr_kdb.c:693
	#7  0xffffffff81072f51 in trap_fatal (frame=0xfffffe00954c4590, eva=0) at /usr/src/sys/amd64/amd64/trap.c:921
	#8  0xffffffff8107244d in trap (frame=0xfffffe00954c4590) at /usr/src/sys/amd64/amd64/trap.c:217
	#9  <signal handler called>
	#10 ipsec_srcaddr (arg=<optimized out>, sa=0xfffff80023591298, event=<optimized out>) at /usr/src/sys/net/if_ipsec.c:784
	#11 0xffffffff80d2de7d in srcaddr_change_event (arg=<optimized out>, ifp=0xfffff80057864800, ifa=0xfffff80023591200, event=1) at /usr/src/sys/netinet/ip_encap.c:181
	#12 0xffffffff80d1ec4f in in_difaddr_ioctl (cmd=2149607705, data=<optimized out>, ifp=0xfffff80057864800, td=<optimized out>) at /usr/src/sys/netinet/in.c:651
	#13 0xffffffff80d1f4cd in in_control (cmd=2149607705, ifp=<optimized out>, td=0xffffffff81b98600 <vnet_entry_ipsec4_srchtbl>, so=<optimized out>, data=<optimized out>)
	    at /usr/src/sys/netinet/in.c:250
	#14 in_ifscrub_all () at /usr/src/sys/netinet/in.c:935
	#15 0xffffffff80d32dfd in ip_destroy (unused=<optimized out>) at /usr/src/sys/netinet/ip_input.c:398
	#16 0xffffffff80ccd734 in vnet_sysuninit () at /usr/src/sys/net/vnet.c:597
	#17 vnet_destroy (vnet=0xfffff80005d9c0c0) at /usr/src/sys/net/vnet.c:284
	#18 0xffffffff80b64c0d in prison_deref (pr=0xffffffff81b0cc30 <prison0>, flags=23) at /usr/src/sys/kern/kern_jail.c:2634
	#19 0xffffffff80b6620a in sys_jail_remove (td=<optimized out>, uap=<optimized out>) at /usr/src/sys/kern/kern_jail.c:2257
	#20 0xffffffff81073b28 in syscallenter (td=0xfffff80084239580) at /usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:135
	#21 amd64_syscall (td=0xfffff80084239580, traced=0) at /usr/src/sys/amd64/amd64/trap.c:1154
	#22 <signal handler called>
	#23 0x00000008003131ba in ?? ()
	Backtrace stopped: Cannot access memory at address 0x7fffffffe828
	(kgdb) fr 10
	#10 ipsec_srcaddr (arg=<optimized out>, sa=0xfffff80023591298, event=<optimized out>) at /usr/src/sys/net/if_ipsec.c:784
	784			if (sc->family == 0)
	(kgdb) p sc
	$1 = (struct ipsec_softc *) 0xdeadc0dedeadc0de
	(kgdb)

Best regards,
Kristof
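An added illustrative model, constructed for this thread and not FreeBSD kernel code, of the failure class the trace above shows: a reader inside an epoch(9) read section still holds a softc pointer after the writer has unlinked it from the CK_LIST chain, so under the epoch scheme the object may only be released once the section drains. The single-threaded epoch, the one-bucket chain, the poison-as-free and the AF_INET tunnel are assumptions of the model.

```c
#include <stdint.h>
#include <stddef.h>
#define FREED_POISON 0xdeadc0dedeadc0deULL  /* value %rbx held in the trap above */

struct softc {
    struct softc *next;   /* hash-chain link, stands in for CK_LIST_ENTRY */
    uint64_t family;      /* the field tested at if_ipsec.c:784 */
};

static struct softc the_sc;      /* the single tunnel in this model (constructed) */
static struct softc *chain;      /* one hash bucket of softc */
static struct softc *pending;    /* unlinked softc awaiting epoch drain */
static int readers;              /* threads inside the read section */
static void epoch_enter(void) { readers++; }

/* Leaving the last read section runs the deferred callbacks. The "free" is
 * modelled by poisoning the object, standing in for free(9) plus UMA trash. */
static void epoch_exit(void) {
    if (--readers > 0) return;
    while (pending != NULL) {
        struct softc *sc = pending;
        pending = sc->next;
        sc->family = FREED_POISON;
    }
}

/* Writer side, assumed to hold the exclusive ioctl lock: unlink from the chain. */
static void softc_unlink(struct softc *sc) {
    struct softc **pp = &chain;
    while (*pp != NULL && *pp != sc) pp = &(*pp)->next;
    if (*pp == sc) *pp = sc->next;
}
/* Safe: hand the object to the epoch callback (what epoch_call(9) does in the kernel). */
static void softc_free_deferred(struct softc *sc) { sc->next = pending; pending = sc; }
/* Unsafe: release while a reader may still hold the pointer. */
static void softc_free_now(struct softc *sc) { sc->family = FREED_POISON; }

/* One interleaving: the reader (the srcaddr event handler) takes a pointer from the
 * chain, the writer unlinks and frees, the reader then reads the field it observed. */
static uint64_t run_scenario(int defer_free) {
    the_sc.family = 2; the_sc.next = NULL;   /* constructed AF_INET tunnel */
    chain = &the_sc; pending = NULL; readers = 0;
    epoch_enter();
    struct softc *seen = chain;
    softc_unlink(&the_sc);
    if (defer_free) softc_free_deferred(&the_sc); else softc_free_now(&the_sc);
    uint64_t family = seen->family;          /* the read at if_ipsec.c:784 */
    epoch_exit();                            /* deferred free fires here */
    return family;
}
```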

