svn commit: r339554 - head/sys/net
Kristof Provost
kp at FreeBSD.org
Tue Oct 23 00:51:35 UTC 2018
On 21 Oct 2018, at 11:24, Andrey V. Elsukov wrote:
> Author: ae
> Date: Sun Oct 21 18:24:20 2018
> New Revision: 339554
> URL: https://svnweb.freebsd.org/changeset/base/339554
>
> Log:
> Rework if_ipsec(4) to use epoch(9) instead of rmlock.
>
> * use CK_LIST and FNV hash to keep chains of softc;
> * read access to softc is protected by epoch();
> * write access is protected by ipsec_ioctl_sx. Changing of softc fields
>   is allowed only when softc is unlinked from CK_LIST chains.
> * linking/unlinking of softc is allowed only when ipsec_ioctl_sx is
>   exclusively locked.
> * the plain LIST of all softc is replaced by a hash table that uses ingress
>   address of tunnels as a key.
> * added support for appearing/disappearing of ingress address handling.
>   Now it is allowed to configure a non-local ingress IP address, and thus the
>   problem with if_ipsec(4) configuration that happens on boot, when
>   ingress address is not yet configured, is solved.
>
> MFC after: 1 month
> Sponsored by: Yandex LLC
> Differential Revision: https://reviews.freebsd.org/D17190
>
This panics during the pf tests.
To reproduce:
pkg install scapy
kldload pf
cd /usr/tests/sys/netpfil
kyua test
Fatal trap 9: general protection fault while in kernel mode
cpuid = 3; apic id = 03
instruction pointer = 0x20:0xffffffff80ca7260
stack pointer = 0x28:0xfffffe00954c4650
frame pointer = 0x28:0xfffffe00954c4660
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 3204 (jail)
[ thread pid 3204 tid 101409 ]
Stopped at ipsec_srcaddr+0x40: cmpl $0,ll+0xb(%rbx)
db> bt
Tracing pid 3204 tid 101409 td 0xfffff80084239580
ipsec_srcaddr() at ipsec_srcaddr+0x40/frame 0xfffffe00954c4660
srcaddr_change_event() at srcaddr_change_event+0x14d/frame 0xfffffe00954c46c0
in_difaddr_ioctl() at in_difaddr_ioctl+0x41f/frame 0xfffffe00954c4720
in_ifscrub_all() at in_ifscrub_all+0x13d/frame 0xfffffe00954c47a0
ip_destroy() at ip_destroy+0xbd/frame 0xfffffe00954c47c0
vnet_destroy() at vnet_destroy+0x124/frame 0xfffffe00954c47f0
prison_deref() at prison_deref+0x29d/frame 0xfffffe00954c4830
sys_jail_remove() at sys_jail_remove+0x28a/frame 0xfffffe00954c4880
amd64_syscall() at amd64_syscall+0x278/frame 0xfffffe00954c49b0
fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe00954c49b0
--- syscall (508, FreeBSD ELF64, sys_jail_remove), rip = 0x8003131ba, rsp = 0x7fffffffe828, rbp = 0x7fffffffe8b0 ---
At that point %rbx is 0xdeadc0dedeadc0de, so presumably we're trying to dereference something that's been freed already.
kgdb agrees. The softc has been freed:
#0 __curthread () at ./machine/pcpu.h:230
#1 doadump (textdump=0) at /usr/src/sys/kern/kern_shutdown.c:366
#2 0xffffffff804645db in db_dump (dummy=<optimized out>,
dummy2=<unavailable>, dummy3=<unavailable>, dummy4=<unavailable>) at
/usr/src/sys/ddb/db_command.c:574
#3 0xffffffff804643a9 in db_command (last_cmdp=<optimized out>,
cmd_table=<optimized out>, dopager=<optimized out>) at
/usr/src/sys/ddb/db_command.c:481
#4 0xffffffff80464124 in db_command_loop () at
/usr/src/sys/ddb/db_command.c:534
#5 0xffffffff8046733f in db_trap (type=<optimized out>,
code=<optimized out>) at /usr/src/sys/ddb/db_main.c:252
#6 0xffffffff80be5987 in kdb_trap (type=9, code=0,
tf=0xfffffe00954c4590) at /usr/src/sys/kern/subr_kdb.c:693
#7 0xffffffff81072f51 in trap_fatal (frame=0xfffffe00954c4590, eva=0)
at /usr/src/sys/amd64/amd64/trap.c:921
#8 0xffffffff8107244d in trap (frame=0xfffffe00954c4590) at
/usr/src/sys/amd64/amd64/trap.c:217
#9 <signal handler called>
#10 ipsec_srcaddr (arg=<optimized out>, sa=0xfffff80023591298,
event=<optimized out>) at /usr/src/sys/net/if_ipsec.c:784
#11 0xffffffff80d2de7d in srcaddr_change_event (arg=<optimized out>,
ifp=0xfffff80057864800, ifa=0xfffff80023591200, event=1) at
/usr/src/sys/netinet/ip_encap.c:181
#12 0xffffffff80d1ec4f in in_difaddr_ioctl (cmd=2149607705,
data=<optimized out>, ifp=0xfffff80057864800, td=<optimized out>) at
/usr/src/sys/netinet/in.c:651
#13 0xffffffff80d1f4cd in in_control (cmd=2149607705, ifp=<optimized
out>, td=0xffffffff81b98600 <vnet_entry_ipsec4_srchtbl>, so=<optimized
out>, data=<optimized out>)
at /usr/src/sys/netinet/in.c:250
#14 in_ifscrub_all () at /usr/src/sys/netinet/in.c:935
#15 0xffffffff80d32dfd in ip_destroy (unused=<optimized out>) at
/usr/src/sys/netinet/ip_input.c:398
#16 0xffffffff80ccd734 in vnet_sysuninit () at
/usr/src/sys/net/vnet.c:597
#17 vnet_destroy (vnet=0xfffff80005d9c0c0) at
/usr/src/sys/net/vnet.c:284
#18 0xffffffff80b64c0d in prison_deref (pr=0xffffffff81b0cc30
<prison0>, flags=23) at /usr/src/sys/kern/kern_jail.c:2634
#19 0xffffffff80b6620a in sys_jail_remove (td=<optimized out>,
uap=<optimized out>) at /usr/src/sys/kern/kern_jail.c:2257
#20 0xffffffff81073b28 in syscallenter (td=0xfffff80084239580) at
/usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:135
#21 amd64_syscall (td=0xfffff80084239580, traced=0) at
/usr/src/sys/amd64/amd64/trap.c:1154
#22 <signal handler called>
#23 0x00000008003131ba in ?? ()
Backtrace stopped: Cannot access memory at address 0x7fffffffe828
(kgdb) fr 10
#10 ipsec_srcaddr (arg=<optimized out>, sa=0xfffff80023591298,
event=<optimized out>) at /usr/src/sys/net/if_ipsec.c:784
784 if (sc->family == 0)
(kgdb) p sc
$1 = (struct ipsec_softc *) 0xdeadc0dedeadc0de
(kgdb)
Best regards,
Kristof
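A user-space model of the softc lifecycle rules described in the quoted commit log, added here as an example and not part of this message or of the FreeBSD sources: softc structures are hashed by ingress address with FNV and linked into chains only under an exclusive lock (a pthread mutex stands in for ipsec_ioctl_sx, sys/queue.h LIST for CK_LIST), and their fields may change only while unlinked, which is what keeps an unlocked reader from seeing a half-updated or freed softc. Epoch-protected readers are not modelled, and the names hash_src, softc_link, softc_unlink, softc_set_src, softc_lookup, sc_a and sc_b are the example's own.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/queue.h>
#define NBUCKETS 64
struct softc {
    LIST_ENTRY(softc) chain;  /* hash-chain link, valid only while linked */
    uint32_t src;             /* ingress (tunnel source) IPv4 address: the hash key */
    int family;               /* 0 until tunnel addresses are configured */
    int linked;               /* 1 while the softc sits in a chain */
};
LIST_HEAD(sc_chain, softc);
static struct sc_chain srchtbl[NBUCKETS];     /* replaces the plain LIST of all softc */
/* Added model, not FreeBSD code: this mutex stands in for ipsec_ioctl_sx. */
static pthread_mutex_t ioctl_lock = PTHREAD_MUTEX_INITIALIZER;
struct softc sc_a, sc_b;                      /* two sample interfaces, initially unlinked */
/* 32-bit FNV-1 over the address bytes, reduced to a bucket index. */
static unsigned hash_src(uint32_t src) {
    uint32_t h = 0x811c9dc5u;
    const unsigned char *p = (const unsigned char *)&src;
    for (unsigned i = 0; i < sizeof(src); i++) { h *= 0x01000193u; h ^= p[i]; }
    return h % NBUCKETS;
}
/* Link/unlink only with the exclusive lock held; refused (-1) if already in that state. */
int softc_link(struct softc *sc) {
    int rc = -1;
    pthread_mutex_lock(&ioctl_lock);
    if (!sc->linked) { LIST_INSERT_HEAD(&srchtbl[hash_src(sc->src)], sc, chain); sc->linked = 1; rc = 0; }
    pthread_mutex_unlock(&ioctl_lock);
    return rc;
}
int softc_unlink(struct softc *sc) {
    int rc = -1;
    pthread_mutex_lock(&ioctl_lock);
    if (sc->linked) { LIST_REMOVE(sc, chain); sc->linked = 0; rc = 0; }
    pthread_mutex_unlock(&ioctl_lock);
    return rc;
}
/* Fields change only while unlinked (caller is the ioctl path, so no reader can hold sc). */
int softc_set_src(struct softc *sc, uint32_t src, int family) {
    if (sc->linked) return -1;
    sc->src = src; sc->family = family; return 0;
}
/* Reader path (in the kernel, inside an epoch section): softc for an ingress address, or NULL. */
struct softc *softc_lookup(uint32_t src) {
    struct softc *sc;
    LIST_FOREACH(sc, &srchtbl[hash_src(src)], chain)
        if (sc->family != 0 && sc->src == src) return sc;
    return NULL;
}
```

The unlink-before-free order is the property the trace above violates: once a softc is unlinked under the lock and all readers have left their epoch section, no lookup can return it, so freeing it is safe.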