Date:      Thu, 22 May 2003 20:23:25 +0300 (EEST)
From:      "Kostik I. Belousov" <kostik@kib.kiev.ua>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/52585: Kernel panic with ipfw2 and syncookies
Message-ID:  <200305221723.h4MHNPiP000431@little.home>
Resent-Message-ID: <200305221730.h4MHU6xR073045@freefall.freebsd.org>


>Number:         52585
>Category:       kern
>Synopsis:       Kernel panic with ipfw2 and syncookies
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 22 10:30:03 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Kostik I. Belousov
>Release:        FreeBSD 4.8-RELEASE i386
>Organization:
none
>Environment:
System: FreeBSD little.home 4.8-RELEASE FreeBSD 4.8-RELEASE #1: Fri May 2 18:08:25 EEST 2003 root@little.home:/usr/obj/usr/src/sys/LITTLE i386

sysctl
hw.machine: i386
hw.model: Pentium II/Pentium II Xeon/Celeron
hw.ncpu: 2
hw.byteorder: 1234
hw.physmem: 533917696
hw.usermem: 491724800
hw.pagesize: 4096
hw.floatingpoint: 1
hw.machine_arch: i386
hw.ata.ata_dma: 1
hw.ata.wc: 1
hw.ata.tags: 0
hw.ata.atapi_dma: 0
hw.instruction_sse: 0
hw.availpages: 130185

net.inet.tcp.syncookies: 1
net.inet.tcp.syncache.bucketlimit: 30
net.inet.tcp.syncache.cachelimit: 15359
net.inet.tcp.syncache.count: 0
net.inet.tcp.syncache.hashsize: 512
net.inet.tcp.syncache.rexmtlimit: 3

Kernel compiled with ipfw2.

>Description:
	By adding/removing aliases and manipulating ipfw rules
(I caused the panic using ipfw fwd, see below), the kernel could
be panicked. The trace:
(kgdb) bt
#0  dumpsys () at /usr/src/sys/kern/kern_shutdown.c:487
#1  0xc0158847 in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:316
#2  0xc0158cb9 in panic (fmt=0xc0291b19 "%s")
    at /usr/src/sys/kern/kern_shutdown.c:595
#3  0xc024b459 in trap_fatal (frame=0xd3933cc0, eva=8)
    at /usr/src/sys/i386/i386/trap.c:974
#4  0xc024b0c5 in trap_pfault (frame=0xd3933cc0, usermode=0, eva=8)
    at /usr/src/sys/i386/i386/trap.c:867
#5  0xc024ac1f in trap (frame={tf_fs = 1644167192, tf_es = -1072234480,
      tf_ds = -745340912, tf_edi = 1644167168, tf_esi = -1054094552,
      tf_ebp = -745325300, tf_isp = -745325332, tf_ebx = -761024704,
      tf_edx = -1070824920, tf_ecx = 0, tf_eax = -1, tf_trapno = 12,
      tf_err = 0, tf_eip = -1071929334, tf_cs = 8, tf_eflags = 66198,
      tf_esp = -761024704, tf_ss = -1050054796})
    at /usr/src/sys/i386/i386/trap.c:466
#6  0xc01ba80a in syncache_insert (sc=0xd2a3af40, sch=0xc12bcb28)
    at /usr/src/sys/netinet/tcp_syncache.c:302
#7  0xc01bb67c in syncache_add (inc=0xd3933db4, to=0xd3933e20, th=0xc1051950,
    sop=0xd3933db0, m=0xc1051900) at /usr/src/sys/netinet/tcp_syncache.c:1021
#8  0xc01b5809 in tcp_input (m=0xc1051900, off0=20, proto=6)
    at /usr/src/sys/netinet/tcp_input.c:826
#9  0xc01b026c in ip_input (m=0xc1051900)
    at /usr/src/sys/netinet/ip_input.c:927
#10 0xc01b02cb in ipintr () at /usr/src/sys/netinet/ip_input.c:948
#11 0xc023c051 in swi_net_next ()
#12 0xc017a835 in connect (p=0xd3876be0, uap=0xd3933f80)
    at /usr/src/sys/kern/uipc_syscalls.c:394
#13 0xc024b795 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47,
      tf_edi = 135174508, tf_esi = -1077953148, tf_ebp = -1077953136,
      tf_isp = -745324588, tf_ebx = 0, tf_edx = 134570369, tf_ecx = 135112576,
      tf_eax = 98, tf_trapno = 22, tf_err = 2, tf_eip = 673579312, tf_cs = 31,
      tf_eflags = 659, tf_esp = -1077953564, tf_ss = 47})
    at /usr/src/sys/i386/i386/trap.c:1175
#14 0xc0237f5b in Xint0x80_syscall ()
#15 0x805b4b5 in ?? ()
#16 0x8059c0e in ?? ()
#17 0x805985f in ?? ()
#18 0x806e639 in ?? ()
#19 0x804c03a in ?? ()
(kgdb) frame 6
#6  0xc01ba80a in syncache_insert (sc=0xd2a3af40, sch=0xc12bcb28)
    at /usr/src/sys/netinet/tcp_syncache.c:302
302                             if (sc2 != NULL)
(kgdb) list
297                      * first non-empty timer queue with the largest
298                      * timeout value.
299                      */
300                     for (i = SYNCACHE_MAXREXMTS; i >= 0; i--) {
301                             sc2 = TAILQ_FIRST(&tcp_syncache.timerq[i]);
302                             if (sc2 != NULL)
303                                     break;
304                     }
305                     sc2->sc_tp->ts_recent = ticks;
306                     syncache_drop(sc2, NULL);

>How-To-Repeat:
	ifconfig lo0 192.168.2.1 alias
	ipfw 50 add fwd 192.168.2.1,23 tcp from any to 192.168.2.1
some time ...
	ipfw del 50
	ifconfig lo0 192.168.2.1 remove
some more time ...
An attempt to make a TCP connection to the machine panics the kernel.


>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200305221723.h4MHNPiP000431>
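Added illustration, not part of the report and not FreeBSD's source: a constructed C model of the victim search quoted at tcp_syncache.c lines 300-306 above. When the syncache is over its limit, that loop walks the timer queues from the largest retransmit slot down and takes the first entry it finds; if every queue is empty the loop finishes with `sc2 == NULL` and line 305 dereferences it (the trace's `eva=8` is consistent with reading a field at a small offset from a NULL pointer). The model keeps the kernel's names (`timerq`, `sc_tp`, `ts_recent`, `syncache_drop`, `SYNCACHE_MAXREXMTS`) but uses a simplified singly linked list instead of `TAILQ`, an assumed value for `SYNCACHE_MAXREXMTS`, and a hypothetical `run_scenario` driver; the guarded variant shows the check a caller needs so that "nothing to evict" is reported rather than faulted on.

```c
/* Constructed model of the syncache timer-queue victim search from the
 * kgdb listing in kern/52585. Not FreeBSD code: lists, constants and the
 * scenario driver are simplified stand-ins. */
#include <stddef.h>
#include <stdio.h>

#define SYNCACHE_MAXREXMTS 3   /* kernel constant name; value assumed here */

struct tcpcb { long ts_recent; };

struct syncache {
    struct tcpcb *sc_tp;        /* listening tcb, as in the kernel struct */
    int sc_rxtslot;             /* which timer queue the entry sits on */
    struct syncache *sc_next;   /* singly linked timer queue (simplification) */
};

/* One head per retransmit slot, standing in for tcp_syncache.timerq[]. */
static struct syncache *timerq[SYNCACHE_MAXREXMTS + 1];
static long ticks = 1000;      /* stands in for the kernel's ticks counter */

static void timerq_reset(void) {
    for (int i = 0; i <= SYNCACHE_MAXREXMTS; i++) timerq[i] = NULL;
}

static void timerq_push(struct syncache *sc, int slot) {
    sc->sc_rxtslot = slot;
    sc->sc_next = timerq[slot];  /* push front; order is irrelevant to the bug */
    timerq[slot] = sc;
}

/* Unlink an entry from its timer queue (the kernel's syncache_drop does more). */
static void syncache_drop(struct syncache *sc) {
    struct syncache **pp = &timerq[sc->sc_rxtslot];
    while (*pp != NULL && *pp != sc) pp = &(*pp)->sc_next;
    if (*pp != NULL) *pp = sc->sc_next;
    sc->sc_next = NULL;
}

/* Victim search exactly as listed in the report. Only safe to call when at
 * least one timer queue is non-empty: otherwise sc2 stays NULL and the
 * write to sc2->sc_tp->ts_recent faults, which is the reported panic. */
static struct syncache *pick_victim_unchecked(void) {
    struct syncache *sc2 = NULL;
    for (int i = SYNCACHE_MAXREXMTS; i >= 0; i--) {
        sc2 = timerq[i];
        if (sc2 != NULL)
            break;
    }
    sc2->sc_tp->ts_recent = ticks;   /* NULL dereference when all queues are empty */
    syncache_drop(sc2);
    return sc2;
}

/* Guarded version: an empty cache is a distinct outcome the caller handles
 * (e.g. by not inserting the new entry) instead of a kernel fault. */
static struct syncache *pick_victim_checked(void) {
    struct syncache *sc2 = NULL;
    for (int i = SYNCACHE_MAXREXMTS; i >= 0; i--) {
        sc2 = timerq[i];
        if (sc2 != NULL)
            break;
    }
    if (sc2 == NULL)
        return NULL;                 /* nothing to evict: report it, do not deref */
    sc2->sc_tp->ts_recent = ticks;
    syncache_drop(sc2);
    return sc2;
}

/* Hypothetical driver over a constructed cache state.
 * Returns 0 when every step behaves as expected, else the failing step. */
static int run_scenario(void) {
    static struct tcpcb tp_a, tp_b;
    static struct syncache a = { &tp_a, 0, NULL }, b = { &tp_b, 0, NULL };
    ticks = 1000;
    timerq_reset();
    if (pick_victim_checked() != NULL) return 1;   /* empty cache: nothing to evict */
    timerq_push(&a, 0);
    timerq_push(&b, SYNCACHE_MAXREXMTS - 1);
    if (pick_victim_checked() != &b) return 2;     /* largest slot is searched first */
    if (tp_b.ts_recent != 1000) return 3;          /* victim's tcb stamped with ticks */
    if (timerq[SYNCACHE_MAXREXMTS - 1] != NULL) return 4;
    if (pick_victim_unchecked() != &a) return 5;   /* safe: a queue is still non-empty */
    if (pick_victim_checked() != NULL) return 6;   /* empty again: unchecked would fault */
    return 0;
}

int main(void) {
    int rc = run_scenario();
    printf("scenario %s (rc=%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

The model does not reproduce how the cache came to be over its limit with empty timer queues (the report only ties it to alias and `ipfw fwd` rule churn); it isolates the invariant the listed code assumes, that the limit branch implies a non-empty queue, and shows the one check that turns a violated assumption into a handled condition.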