Date:      Thu, 24 May 2012 10:58:54 +0200 (CEST)
From:      Joerg Pulz <Joerg.Pulz@frm2.tum.de>
To:        Daniel Hartmeier <daniel@benzedrine.cx>
Cc:        bug-followup@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject:   Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?)
Message-ID:  <alpine.BSF.2.00.1205241046360.89783@unqrf.nqzva.sez2>
In-Reply-To: <20120524062835.GI29536@insomnia.benzedrine.cx>
References:  <201205232210.q4NMA4PF058452@freefall.freebsd.org> <20120524062835.GI29536@insomnia.benzedrine.cx>



On Thu, 24 May 2012, Daniel Hartmeier wrote:

> On Wed, May 23, 2012 at 10:10:04PM +0000, Joerg Pulz wrote:
>
>>  here is what I could get out.
>>  I was unable to print *pfh and pfh->pfil_func, but i printed the other
>>  two and *ph, maybe this helps.
>
> That looks corrupted: ph_type = 92404512, ph_nhooks = -512 makes no
> sense to me.
>
> Can you go up one stack frame (to #11), which should be ip_output()
>
> 509     /* Run through list of hooks for output packets. */
> 510     odst.s_addr = ip->ip_dst.s_addr;
> 511     ASSERT_HOST_BYTE_ORDER(m);
> 512     error = pfil_run_hooks(&V_inet_pfil_hook, &m, ifp, PFIL_OUT, inp);
> 513     if (error != 0 || m == NULL)
> 514             goto done;
>
> and there print V_inet_pfil_hook?

Daniel,

I can't print V_inet_pfil_hook: No symbol "V_inet_pfil_hook" in current 
context.

Meanwhile, the system was running overnight with your second patch and 
panicked in the morning, about 3 hours ago.

I was able to print *ifp, *pfh, pfh->pfil_func, pf_check_out, 
fr_check_wrapper and ipfw_check_hook.
I couldn't print:
*ph: Variable "ph" is not available.
*m0: Cannot access memory at address 0xb000b0

Below is the output.

Kind regards
Joerg

#### kgdb.out_assert_new

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:
panic: ipfw_check_hook:281 ASSERT_HOST_BYTE_ORDER 45056 176
cpuid = 1
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2a
kdb_backtrace() at kdb_backtrace+0x37
panic() at panic+0x182
ipfw_check_hook() at ipfw_check_hook+0x511
pfil_run_hooks() at pfil_run_hooks+0xf1
ip_output() at ip_output+0x6de
ip_forward() at ip_forward+0x19e
ip_input() at ip_input+0x680
swi_net() at swi_net+0x15a
intr_event_execute_handlers() at intr_event_execute_handlers+0x66
ithread_loop() at ithread_loop+0xaf
fork_exit() at fork_exit+0x12a
fork_trampoline() at fork_trampoline+0xe
--- trap 0, rip = 0, rsp = 0xffffff8000241d00, rbp = 0 ---
KDB: enter: panic
Dumping 559 out of 4077 MB:..3%..12%..21%..32%..41%..52%..61%..72%..81%..92%

Reading symbols from /boot/kernel/geom_mirror.ko...Reading symbols from /boot/kernel/geom_mirror.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/geom_mirror.ko
Reading symbols from /boot/kernel/ipmi.ko...Reading symbols from /boot/kernel/ipmi.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ipmi.ko
#0  doadump (textdump=0) at pcpu.h:224
224		__asm("movq %%gs:0,%0" : "=r" (td));
(kgdb) up 10
#10 0xffffffff8077a144 in ipfw_check_hook (arg=)
     at /usr/src/sys/netinet/ipfw/ip_fw_pfil.c:281
281			ASSERT_HOST_BYTE_ORDER(*m0);
(kgdb) list
276				FREE_PKT(*m0);
277			*m0 = NULL;
278		}
279		if (*m0 && mtod(*m0, struct ip *)->ip_v == 4) {
280			SET_HOST_IPLEN(mtod(*m0, struct ip *));
281			ASSERT_HOST_BYTE_ORDER(*m0);
282		}
283		return ret;
284	}
285 
(kgdb) p *ifp
$1 = {if_softc = 0xffffff80007a9000, if_l2com = 0xfffffe000300b200,
   if_vnet = 0x0, if_link = {tqe_next = 0xfffffe0003002000,
     tqe_prev = 0xfffffe0003003818},
   if_xname = "bge0", '\0' <repeats 11 times>,
   if_dname = 0xfffffe00028f07d8 "bge", if_dunit = 0, if_refcount = 1,
   if_addrhead = {tqh_first = 0xfffffe000300a000,
     tqh_last = 0xfffffe000591a0b8}, if_pcount = 0, if_carp = 0x0,
   if_bpf = 0xfffffe00050d4680, if_index = 5, if_index_reserved = 0,
   if_vlantrunk = 0x0, if_flags = 34819, if_capabilities = 524443,
   if_capenable = 524443, if_linkmib = 0x0, if_linkmiblen = 0, if_data = {
     ifi_type = 6 '\006', ifi_physical = 0 '\0', ifi_addrlen = 6 '\006',
     ifi_hdrlen = 18 '\022', ifi_link_state = 2 '\002',
     ifi_spare_char1 = 0 '\0', ifi_spare_char2 = 0 '\0',
     ifi_datalen = 152 '\230', ifi_mtu = 1500, ifi_metric = 0,
     ifi_baudrate = 1000000000, ifi_ipackets = 221591, ifi_ierrors = 0,
     ifi_opackets = 3800, ifi_oerrors = 0, ifi_collisions = 0,
     ifi_ibytes = 18564820, ifi_obytes = 2351574, ifi_imcasts = 205582,
     ifi_omcasts = 0, ifi_iqdrops = 0, ifi_noproto = 0, ifi_hwassist = 3,
     ifi_epoch = 1, ifi_lastchange = {tv_sec = 1337811753, tv_usec = 642476}},
   if_multiaddrs = {tqh_first = 0xfffffe0005915300,
     tqh_last = 0xfffffe00058d10c0}, if_amcount = 0,
   if_output = 0xffffffff8073da85 <ether_output>,
   if_input = 0xffffffff8073d05b <ether_input>,
   if_start = 0xffffffff803c32f7 <bge_start>,
   if_ioctl = 0xffffffff803c952a <bge_ioctl>,
   if_init = 0xffffffff803c94e4 <bge_init>,
   if_resolvemulti = 0xffffffff8073ca1d <ether_resolvemulti>,
   if_qflush = 0xffffffff80735842 <if_qflush>,
   if_transmit = 0xffffffff8073570e <if_transmit>, if_reassign = 0,
   if_home_vnet = 0x0, if_addr = 0xfffffe000300a000, if_llsoftc = 0x0,
   if_drv_flags = 64, if_snd = {ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0,
     ifq_maxlen = 511, ifq_drops = 0, ifq_mtx = {lock_object = {
         lo_name = 0xfffffe0003001828 "bge0", lo_flags = 16973824, lo_data = 0,
         lo_witness = 0xffffff80006cf480}, mtx_lock = 4}, ifq_drv_head = 0x0,
     ifq_drv_tail = 0x0, ifq_drv_len = 0, ifq_drv_maxlen = 511, altq_type = 0,
     altq_flags = 1, altq_disc = 0x0, altq_ifp = 0xfffffe0003001800,
     altq_enqueue = 0, altq_dequeue = 0, altq_request = 0, altq_clfier = 0x0,
     altq_classify = 0, altq_tbr = 0x0, altq_cdnr = 0x0},
   if_broadcastaddr = 0xffffffff80adb860 "ÿÿÿÿÿÿ", if_bridge = 0x0,
   if_label = 0x0, if_prefixhead = {tqh_first = 0x0,
     tqh_last = 0xfffffe0003001a78}, if_afdata = {0x0, 0x0, 0xfffffe0005821a20,
     0x0 <repeats 25 times>, 0xfffffe00058168c0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
     0x0, 0x0, 0x0}, if_afdata_initialized = 2, if_afdata_lock = {
     lock_object = {lo_name = 0xffffffff80adaafa "if_afdata",
       lo_flags = 69402624, lo_data = 0, lo_witness = 0xffffff80006cf400},
     rw_lock = 1}, if_linktask = {ta_link = {stqe_next = 0x0}, ta_pending = 0,
     ta_priority = 0, ta_func = 0xffffffff80737ce9 <do_link_state_change>,
     ta_context = 0xfffffe0003001800}, if_addr_mtx = {lock_object = {
       lo_name = 0xffffffff80accbc0 "if_addr_mtx", lo_flags = 16973824,
       lo_data = 0, lo_witness = 0xffffff80006c8b80}, mtx_lock = 4},
   if_clones = {le_next = 0x0, le_prev = 0x0}, if_groups = {
     tqh_first = 0xfffffe0003007b20, tqh_last = 0xfffffe0003007b28},
   if_pf_kif = 0xfffffe000588b400, if_lagg = 0x0, if_description = 0x0,
   if_fib = 0, if_alloctype = 6 '\006', if_cspare = "\000\000", if_ispare = {0,
     0, 0, 0}, if_pspare = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
(kgdb) up
#11 0xffffffff8074b53d in pfil_run_hooks (ph=) at /usr/src/sys/net/pfil.c:85
85				rv = (*pfh->pfil_func)(pfh->pfil_arg, &m, ifp, dir,
(kgdb) list
80		KASSERT(ph->ph_nhooks >= 0, ("Pfil hook count dropped < 0"));
81		for (pfh = pfil_hook_get(dir, ph); pfh != NULL;
82		     pfh = TAILQ_NEXT(pfh, pfil_link)) {
83			if (pfh->pfil_func != NULL) {
84				ASSERT_HOST_BYTE_ORDER(m);
85				rv = (*pfh->pfil_func)(pfh->pfil_arg, &m, ifp, dir,
86				    inp);
87				if (rv != 0 || m == NULL)
88					break;
89				ASSERT_HOST_BYTE_ORDER(m);
(kgdb) p *pfh
$2 = {pfil_link = {tqe_next = 0xfffffe00058c5980,
     tqe_prev = 0xfffffe0005821b00},
   pfil_func = 0xffffffff80779c33 <ipfw_check_hook>, pfil_arg = 0x0}
(kgdb) p pfh->pfil_func
$3 = (int (*)(void *, struct mbuf **, struct ifnet *, int, struct inpcb
      *)) 0xffffffff80779c33 <ipfw_check_hook>
(kgdb) p pf_check_out
$4 = {int (void *, struct mbuf **, struct ifnet *, int, struct inpcb
      *)} 0xffffffff8032d39a <pf_check_out>
(kgdb) p fr_check_wrapper
$5 = {int (void *, struct mbuf **, struct ifnet *,
     int)} 0xffffffff802fc303 <fr_check_wrapper>
(kgdb) p ipfw_check_hook
$6 = {int (void *, struct mbuf **, struct ifnet *, int, struct inpcb
      *)} 0xffffffff80779c33 <ipfw_check_hook>
(kgdb)

#### kgdb.out_assert_new

-- 
The beginning is the most important part of the work.
				-Plato
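As an added illustration (not part of the original report or of FreeBSD), the two numbers in the panic line, 45056 and 176, are the same 16-bit length in opposite byte orders (0xB000 vs 0x00B0); the C snippet below writes out the byte-order consistency check behind such an assertion and applies it to the quoted line. It assumes, which the page does not state, that the two printed numbers are the ip_len field and the mbuf packet length, and the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Byte-swap a 16-bit value; stands in for ntohs()/htons() on a
 * little-endian host such as the amd64 machine in the report. */
static uint16_t swap16(uint16_t v)
{
    return (uint16_t)((v << 8) | (v >> 8));
}

enum iplen_order { IPLEN_HOST = 0, IPLEN_NET = 1, IPLEN_INCONSISTENT = 2 };

/* Compare the ip_len field as it sits in memory with the length the mbuf
 * chain really carries (m_pkthdr.len in the kernel). Host order: the field
 * reads as the true length directly. Network order: it matches only after
 * a byte swap. Anything else is a genuine length mismatch. */
enum iplen_order classify_iplen(uint16_t ip_len_raw, uint16_t pkt_len)
{
    if (ip_len_raw == pkt_len)
        return IPLEN_HOST;
    if (swap16(ip_len_raw) == pkt_len)
        return IPLEN_NET;
    return IPLEN_INCONSISTENT;
}

/* Parse a line shaped like
 *   "panic: ipfw_check_hook:281 ASSERT_HOST_BYTE_ORDER 45056 176"
 * and classify the two trailing numbers. Assumption (not stated on the
 * page): first number = ip_len field, second = mbuf packet length.
 * Returns -1 when the line does not have that shape. */
int classify_assert_line(const char *line)
{
    unsigned int srcline, ip_len, pkt_len;
    if (sscanf(line, "panic: ipfw_check_hook:%u ASSERT_HOST_BYTE_ORDER %u %u",
               &srcline, &ip_len, &pkt_len) != 3)
        return -1;
    if (ip_len > 0xffff || pkt_len > 0xffff)
        return -1;
    return (int)classify_iplen((uint16_t)ip_len, (uint16_t)pkt_len);
}

int main(void)
{
    /* The panic line quoted in the kgdb output above. */
    const char *line = "panic: ipfw_check_hook:281 ASSERT_HOST_BYTE_ORDER 45056 176";
    static const char *names[] = { "host order", "network order", "inconsistent" };
    int r = classify_assert_line(line);
    printf("ip_len field is in %s\n", r < 0 ? "an unparseable line" : names[r]);
    return 0;
}
```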