Date:      Thu, 21 Oct 2010 17:43:56 -0700
From:      "Ricky  Charlet" <RCharlet@adaranet.com>
To:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   crashing problem I can't figure out related to IF_ADDR_LOCK, BSD 8.0
Message-ID:  <32AB5C9615CC494997D9ABB1DB12783C024C9C16CC@SJ-EXCH-1.adaranet.com>

Howdy,

FreeBSD 8.0-RELEASE running on an 8 core amd64

I'm writing a packet filter hook. It is an outbound hook attached with:

    pfil_add_hook(chkoutput, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet);

Inside the hook (chkoutput) I have the following code snippet (where I happen to know that ifp already points to an interface I specifically don't want to process packets for):

    /* walk every address configured on ifp under its address-list lock */
    IF_ADDR_LOCK(ifp);
    TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
            if (ifa->ifa_addr->sa_family == AF_INET) {
                    struct sockaddr_in *sa = (struct sockaddr_in *)ifa->ifa_addr;
                    if (sa->sin_addr.s_addr == ip->ip_src.s_addr) {
                            /* nevermind: source is one of ifp's own addresses */
                            IF_ADDR_UNLOCK(ifp);
                            return 0;
                    }
            }
    }
    IF_ADDR_UNLOCK(ifp);


Well, it runs fine / logically sound / does exactly what I want. However, in later processing, on packets I am receiving (*not* traversing the output hook) I crash with various stack traces but all culminating in sbdrop_internal. In that function, I have a pointer to an mbuf which is garbage (unreferenceable) memory.

- If I take the above code snippet out of my output hook, the system remains stable (though, of course, the hook is not doing all I want).

- If I remove the LOCK and UNLOCK macros, the same crash happens.

- If I take IFNET_RLOCK_NOSLEEP or IFNET_RLOCK, the same crash happens.

I'm fairly convinced that my output hook at the IP layer is somehow corrupting the receive socket layer. But I see no relationship. Even if I were running beyond loop bounds here, I'm not really writing any memory. On the other hand, I don't truly know my way around dealing with kernel locks and I'm just mimicking code I saw in ip_input (the "Check for broadcast addresses" bits). Any ideas?

Thanks in advance
---
Ricky Charlet
Adara Networks <http://www.adaranet.com/welcome.html>
USA 408-433-4942


PS Some kgdb output here:


#10 0xffffffff80860183 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:224
#11 0xffffffff805ec873 in sbdrop_internal (sb=0xffffff0001b976d0, len=0)
    at /usr/src/sys/kern/uipc_sockbuf.c:891
#12 0xffffffff806ff187 in tcp_do_segment (m=0xffffff000185f200,
    th=0xffffff00018f0024, so=0xffffff0001b97550, tp=0xffffff0001b24a50,
    drop_hdrlen=40, tlen=0, iptos=0 '\0', ti_locked=2)
    at /usr/src/sys/netinet/tcp_input.c:2357
#13 0xffffffff80700f72 in tcp_input (m=0xffffff000185f200, off0=Variable "off0" is not available.
)
    at /usr/src/sys/netinet/tcp_input.c:1020
#14 0xffffffff806984ba in ip_input (m=0xffffff000185f200)
    at /usr/src/sys/netinet/ip_input.c:775
#15 0xffffffff806423ee in netisr_dispatch_src (proto=1, source=Variable "source" is not available.
)
    at /usr/src/sys/net/netisr.c:917
#16 0xffffffff8063ab2d in ether_demux (ifp=0xffffff0001579000, m=0xffffff000185f200)
    at /usr/src/sys/net/if_ethersubr.c:895

(kgdb) frame 11
#11 0xffffffff805ec873 in sbdrop_internal (sb=0xffffff0001b976d0, len=0)
    at /usr/src/sys/kern/uipc_sockbuf.c:891
891             if (m == NULL) {
(kgdb) print *sb
$1 = {sb_sel = {si_tdlist = {tqh_first = 0x0, tqh_last = 0x0}, si_note = {kl_list = {
        slh_first = 0x0}, kl_lock = 0xffffffff8055bf00 <knlist_mtx_lock>,
      kl_unlock = 0xffffffff8055bed0 <knlist_mtx_unlock>,
      kl_assert_locked = 0xffffffff80559220 <knlist_mtx_assert_locked>,
      kl_assert_unlocked = 0xffffffff80559230 <knlist_mtx_assert_unlocked>,
      kl_lockarg = 0xffffff0001b97718}, si_mtx = 0x0}, sb_mtx = {lock_object = {
      lo_name = 0xffffffff8096f9d5 "so_snd", lo_flags = 16973824, lo_data = 0,
      lo_witness = 0x0}, mtx_lock = 18446742974221313824}, sb_sx = {lock_object = {
      lo_name = 0xffffffff8096ff95 "so_snd_sx", lo_flags = 36896768, lo_data = 0,
      lo_witness = 0x0}, sx_lock = 1}, sb_state = 0, sb_mb = 0x8c4600000000,
  sb_mbtail = 0xffffff0001901900, sb_lastrecord = 0xffffff0001901900,
  sb_sndptr = 0x0, sb_sndptroff = 0, sb_cc = 0, sb_hiwat = 33580, sb_mbcnt = 0,
  sb_mcnt = 0, sb_ccnt = 0, sb_mbmax = 262144, sb_ctl = 0, sb_lowat = 2048,
  sb_timeo = 0, sb_flags = 2048, sb_upcall = 0, sb_upcallarg = 0x0}
(kgdb) print *sb->sb_mb
Cannot access memory at address 0x8c4600000000
(kgdb)

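As an added example (not code from the post above, and not FreeBSD's own sources), here is a user-space model of the address walk in that hook, with the unlock moved to a single exit and the address-family check done before the cast to sockaddr_in. struct model_ifnet, struct model_ifaddr, the counting lock, and the constructed sample addresses 10.0.0.1 and 192.0.2.10 are all assumptions standing in for struct ifnet, struct ifaddr, IF_ADDR_LOCK/IF_ADDR_UNLOCK and a real interface; the TAILQ macros come from <sys/queue.h> as they do in the kernel.

```c
/* User-space model of the pfil hook's address walk (added example; the
 * model_* types and functions are assumptions, not FreeBSD APIs). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/queue.h>
#include <sys/socket.h>

#ifndef AF_LINK
#define AF_LINK 18            /* BSD value; Linux headers do not define it */
#endif

struct model_ifaddr {
    struct sockaddr *ifa_addr;            /* AF_LINK, AF_INET or AF_INET6 */
    TAILQ_ENTRY(model_ifaddr) ifa_link;
};

struct model_ifnet {
    int if_addr_locked;                   /* stands in for the IF_ADDR mutex */
    TAILQ_HEAD(, model_ifaddr) if_addrhead;
};

/* The kernel's lock assertions (WITNESS/INVARIANTS) are modelled by abort():
 * locking twice or unlocking an unheld lock is exactly the imbalance that an
 * early "return 0" inside the loop can introduce. */
static void model_addr_lock(struct model_ifnet *ifp)
{
    if (ifp->if_addr_locked) abort();
    ifp->if_addr_locked = 1;
}

static void model_addr_unlock(struct model_ifnet *ifp)
{
    if (!ifp->if_addr_locked) abort();
    ifp->if_addr_locked = 0;
}

/* Is src (network byte order, like ip->ip_src.s_addr) one of ifp's IPv4
 * addresses?  Single exit: the lock is released exactly once however the
 * loop ends, and non-IPv4 entries (the AF_LINK one that heads if_addrhead)
 * are skipped before anything is cast to sockaddr_in. */
static bool src_is_local_v4(struct model_ifnet *ifp, in_addr_t src)
{
    struct model_ifaddr *ifa;
    bool found = false;

    model_addr_lock(ifp);
    TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
        const struct sockaddr *sa = ifa->ifa_addr;
        if (sa == NULL || sa->sa_family != AF_INET)
            continue;
        if (((const struct sockaddr_in *)sa)->sin_addr.s_addr == src) {
            found = true;
            break;
        }
    }
    model_addr_unlock(ifp);
    return found;
}

static void model_add_addr(struct model_ifnet *ifp, struct sockaddr *sa)
{
    struct model_ifaddr *ifa = calloc(1, sizeof(*ifa));
    ifa->ifa_addr = sa;
    TAILQ_INSERT_TAIL(&ifp->if_addrhead, ifa, ifa_link);
}

/* Constructed interface: a link-level entry first, then two IPv4 addresses
 * from the documentation ranges (sample data, not from the post). */
static struct model_ifnet *model_sample_ifnet(void)
{
    struct model_ifnet *ifp = calloc(1, sizeof(*ifp));
    struct sockaddr *link = calloc(1, sizeof(*link));
    static const char *v4[] = { "10.0.0.1", "192.0.2.10" };

    TAILQ_INIT(&ifp->if_addrhead);
    link->sa_family = AF_LINK;
    model_add_addr(ifp, link);
    for (size_t i = 0; i < 2; i++) {
        struct sockaddr_in *sin = calloc(1, sizeof(*sin));
        sin->sin_family = AF_INET;
        inet_pton(AF_INET, v4[i], &sin->sin_addr);
        model_add_addr(ifp, (struct sockaddr *)sin);
    }
    return ifp;
}

/* Walk once for a dotted-quad source and report whether the lock was left
 * released afterwards (1) or is still held (0). */
static int model_walk_releases_lock(const char *dotted)
{
    struct model_ifnet *ifp = model_sample_ifnet();
    (void)src_is_local_v4(ifp, inet_addr(dotted));
    return ifp->if_addr_locked == 0;
}

int main(void)
{
    struct model_ifnet *ifp = model_sample_ifnet();
    const char *probe[] = { "192.0.2.10", "198.51.100.1" };

    for (size_t i = 0; i < 2; i++)
        printf("%s local=%d lock_free=%d\n", probe[i],
               src_is_local_v4(ifp, inet_addr(probe[i])),
               model_walk_releases_lock(probe[i]));
    return 0;
}
```

Build with cc -Wall and run; it prints, for a local and a non-local source, whether the lookup matched and whether the lock was free afterwards. The model covers only the list walk and the lock pairing; it says nothing about what overwrote sb_mb in the report above, which the stack trace alone does not identify.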
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?32AB5C9615CC494997D9ABB1DB12783C024C9C16CC>