Date:      Sun,  8 May 2011 10:51:14 +0200 (CEST)
From:      Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/156877: [panic] dummynet move_pkt() null ptr dereference
Message-ID:  <20110508085114.DDD8E239449@lagoon.freebsd.lublin.pl>
Resent-Message-ID: <201105080900.p4890K3I016845@freefall.freebsd.org>


>Number:         156877
>Category:       kern
>Synopsis:       [panic] dummynet move_pkt() null ptr dereference
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 08 09:00:20 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Przemyslaw Frasunek
>Release:        FreeBSD 7.3-RELEASE-p4 i386
>Organization:
Nette sp. z o.o.
>Environment:
	7.3-RELEASE-p4 running dummynet, pf and mpd5 with 200-300 PPPoE
	sessions.
>Description:

	NULL pointer dereference in dummynet move_pkt() due to empty
	m_pkthdr.tags:

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...

Unread portion of the kernel message buffer:
frame pointer	        = 0x28:0xc523ac18
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 45 (dummynet)
trap number		= 12
panic: page fault
cpuid = 0
Uptime: 67d12h9m20s
Physical memory: 2000 MB
Dumping 232 MB: 217 201 185 169 153 137 121 105 89 73 57 41 25 9

Reading symbols from /boot/kernel/coretemp.ko...Reading symbols from /boot/kernel/coretemp.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/coretemp.ko
Reading symbols from /boot/kernel/smbus.ko...Reading symbols from /boot/kernel/smbus.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/smbus.ko
Reading symbols from /boot/kernel/smb.ko...Reading symbols from /boot/kernel/smb.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/smb.ko
Reading symbols from /boot/kernel/ichsmb.ko...Reading symbols from /boot/kernel/ichsmb.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ichsmb.ko
Reading symbols from /boot/kernel/ipmi.ko...Reading symbols from /boot/kernel/ipmi.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ipmi.ko
Reading symbols from /boot/kernel/acpi.ko...Reading symbols from /boot/kernel/acpi.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/acpi.ko
Reading symbols from /boot/kernel/ng_socket.ko...Reading symbols from /boot/kernel/ng_socket.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_socket.ko
Reading symbols from /boot/kernel/netgraph.ko...Reading symbols from /boot/kernel/netgraph.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/netgraph.ko
Reading symbols from /boot/kernel/ng_mppc.ko...Reading symbols from /boot/kernel/ng_mppc.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_mppc.ko
Reading symbols from /boot/kernel/rc4.ko...Reading symbols from /boot/kernel/rc4.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/rc4.ko
Reading symbols from /boot/kernel/ng_ether.ko...Reading symbols from /boot/kernel/ng_ether.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_ether.ko
Reading symbols from /boot/kernel/ng_pppoe.ko...Reading symbols from /boot/kernel/ng_pppoe.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_pppoe.ko
Reading symbols from /boot/kernel/if_tap.ko...Reading symbols from /boot/kernel/if_tap.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/if_tap.ko
Reading symbols from /boot/kernel/ng_tee.ko...Reading symbols from /boot/kernel/ng_tee.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_tee.ko
Reading symbols from /boot/kernel/ng_iface.ko...Reading symbols from /boot/kernel/ng_iface.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_iface.ko
Reading symbols from /boot/kernel/ng_ppp.ko...Reading symbols from /boot/kernel/ng_ppp.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_ppp.ko
Reading symbols from /boot/kernel/ng_tcpmss.ko...Reading symbols from /boot/kernel/ng_tcpmss.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_tcpmss.ko
Reading symbols from /boot/kernel/ng_bpf.ko...Reading symbols from /boot/kernel/ng_bpf.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_bpf.ko
Reading symbols from /boot/kernel/ng_car.ko...Reading symbols from /boot/kernel/ng_car.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_car.ko
#0  doadump () at pcpu.h:196
196		__asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:196
#1  0xc0836ac7 in boot (howto=260) at ../../../kern/kern_shutdown.c:418
#2  0xc0836d99 in panic (fmt=Variable "fmt" is not available.
) at ../../../kern/kern_shutdown.c:574
#3  0xc0b5ef1c in trap_fatal (frame=0xc523abcc, eva=24)
    at ../../../i386/i386/trap.c:950
#4  0xc0b5f1a0 in trap_pfault (frame=0xc523abcc, usermode=0, eva=24)
    at ../../../i386/i386/trap.c:863
#5  0xc0b5fb95 in trap (frame=0xc523abcc) at ../../../i386/i386/trap.c:541
#6  0xc0b42e7b in calltrap () at ../../../i386/i386/exception.s:166
#7  0xc0923b80 in move_pkt (pkt=0xd1060700, q=0xcbbcc600, p=0xc6922800, 
    len=1494) at ../../../netinet/ip_dummynet.c:545
#8  0xc0924630 in ready_event (q=0xcbbcc600, head=0xc523ac8c, tail=0xc523ac88)
    at ../../../netinet/ip_dummynet.c:593
#9  0xc0926445 in dummynet_task (context=0x0, pending=1)
    at ../../../netinet/ip_dummynet.c:847
#10 0xc086e135 in taskqueue_run (queue=0xc56e7480)
    at ../../../kern/subr_taskqueue.c:282
#11 0xc086e348 in taskqueue_thread_loop (arg=0xc0d4dc08)
    at ../../../kern/subr_taskqueue.c:401
#12 0xc080e9f9 in fork_exit (callout=0xc086e280 <taskqueue_thread_loop>, 
    arg=0xc0d4dc08, frame=0xc523ad38) at ../../../kern/kern_fork.c:811
#13 0xc0b42ef0 in fork_trampoline () at ../../../i386/i386/exception.s:271
(kgdb) frame 7
#7  0xc0923b80 in move_pkt (pkt=0xd1060700, q=0xcbbcc600, p=0xc6922800, 
    len=1494) at ../../../netinet/ip_dummynet.c:545
545	    dt->output_time = curr_time + p->delay ;
(kgdb) list -
535	static void
536	move_pkt(struct mbuf *pkt, struct dn_flow_queue *q, struct dn_pipe *p,
537	    int len)
538	{
539	    struct dn_pkt_tag *dt = dn_tag_get(pkt);
540	
541	    q->head = pkt->m_nextpkt ;
542	    q->len-- ;
543	    q->len_bytes -= len ;
544	
(kgdb) print *pkt
$1 = {m_hdr = {mh_next = 0x0, mh_nextpkt = 0xd60e7b00, 
    mh_data = 0xc6bb2810 "E", mh_len = 1494, mh_flags = 1027, mh_type = 1, 
    pad = "\000"}, M_dat = {MH = {MH_pkthdr = {rcvif = 0xc56e8000, 
        header = 0x0, len = 1494, csum_flags = 3840, csum_data = 65535, 
        tso_segsz = 0, ether_vtag = 5, tags = {slh_first = 0x0}}, MH_dat = {
        MH_ext = {ext_buf = 0xc6bb2800 "!í", ext_free = 0, ext_args = 0x0, 
          ext_size = 2048, ref_cnt = 0xc6c4e294, ext_type = 6}, 
        MH_databuf = "\000(»Æ\000\000\000\000\000\000\000\000\000\b\000\000\224âÄÆ\006\000\000\000\000Úæjó\001\002j\200\020ÿÿ\024¥\000\000\001\001\005\nó\001\rÂó\001Fz\220jÉÛÈwå¬-<²\r\001í#\034ü\217C\210'£fÌDÑiVÀ\003\0204ô\003:Çí\211þ\207\f\215@3\000\t\0020\006P|\225\030\027¼ôQ\024\r¼ÜËó\033C\206±\tQíA\034x£\036¿üû~Ê\000ØØà7E\016¨i%>\206©\210/ã\231awÊÚ:ðdK\230B!+\234\025Y\000[Eb_$\005D#÷\\Öm\024@Që>\202op*Y-Âò Ã`Ì\0323.(\221\227"...}}, 
    M_databuf = "\000\200nÅ\000\000\000\000Ö\005\000\000\000\017\000\000ÿÿ\000\000\000\000\005\000\000\000\000\000\000(»Æ\000\000\000\000\000\000\000\000\000\b\000\000\224âÄÆ\006\000\000\000\000Úæjó\001\002j\200\020ÿÿ\024¥\000\000\001\001\005\nó\001\rÂó\001Fz\220jÉÛÈwå¬-<²\r\001í#\034ü\217C\210'£fÌDÑiVÀ\003\0204ô\003:Çí\211þ\207\f\215@3\000\t\0020\006P|\225\030\027¼ôQ\024\r¼ÜËó\033C\206±\tQíA\034x£\036¿üû~Ê\000ØØà7E\016¨i%>\206©\210/ã\231awÊÚ:ðdK\230B!+\234\025Y\000[Eb_$\005D"...}}
(kgdb) x/i $eip
0xc0923b80 <move_pkt+64>:	mov    %edx,0x8(%eax)
(kgdb) info reg eax
eax            0x10	16


>How-To-Repeat:
	Unknown. Happened after 67 days of uptime, without any changes
	in dummynet rules.
>Fix:
	Unknown.


>Release-Note:
>Audit-Trail:
>Unformatted:
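Added worked example (not part of the PR above, and not FreeBSD's own code): a user-space C model of the tag lookup that fails in move_pkt(). The dump is consistent with dn_tag_get() returning mtag+1 for a NULL mtag: m_pkthdr.tags.slh_first is 0x0, %eax (the dt pointer) holds 0x10, which is sizeof(struct m_tag) on i386, and the faulting store is to 0x8(%eax), i.e. the output_time field at byte 24 (eva=24). The struct layouts, the PACKET_TAG_DUMMYNET value and all model_* names below are simplified stand-ins chosen for illustration, not the kernel's definitions. The unchecked lookup reproduces the shape of a check that exists only as a KASSERT and so is compiled out in a kernel built without INVARIANTS; the checked variant shows the drop-instead-of-panic alternative.

```c
/* Added example: user-space model of the dummynet tag lookup. All names
 * prefixed model_ and the struct layouts are illustrative stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct m_tag: SLIST link, id, length, cookie, free fn. */
struct m_tag {
    struct m_tag *m_tag_link;
    uint16_t      m_tag_id;
    uint16_t      m_tag_len;
    uint32_t      m_tag_cookie;
    void        (*m_tag_free)(struct m_tag *);
};

#define MTAG_ABI_COMPAT     0
#define PACKET_TAG_DUMMYNET 15   /* illustrative value, not the kernel's */

/* Stand-in for the mbuf packet header: only the tag list matters here. */
struct model_mbuf {
    struct m_tag *tags_first;    /* m_pkthdr.tags.slh_first */
};

typedef uint64_t dn_key;

/* Stand-in for struct dn_pkt_tag; output_time sits at offset 8 here. */
struct dn_pkt_tag {
    void   *rule;
    int     dn_dir;
    dn_key  output_time;
};

/* m_tag_first(): NULL when the packet carries no tags at all. */
static struct m_tag *model_m_tag_first(struct model_mbuf *m)
{
    return m->tags_first;
}

/* Shape of the unchecked lookup: the sanity check is only a KASSERT,
 * so an untagged mbuf yields a bogus non-NULL pointer equal to
 * sizeof(struct m_tag). Arithmetic is done on integers so the model
 * itself has no undefined behaviour; nothing is dereferenced here. */
static struct dn_pkt_tag *model_dn_tag_get_unchecked(struct model_mbuf *m)
{
    struct m_tag *mtag = model_m_tag_first(m);
    /* KASSERT(mtag != NULL && ..., ("... w/o dummynet tag!")); */
    return (struct dn_pkt_tag *)((uintptr_t)mtag + sizeof(struct m_tag));
}

/* Defensive variant: confirm the tag exists and is ours before use. */
static struct dn_pkt_tag *model_dn_tag_get_checked(struct model_mbuf *m)
{
    struct m_tag *mtag = model_m_tag_first(m);
    if (mtag == NULL || mtag->m_tag_cookie != MTAG_ABI_COMPAT ||
        mtag->m_tag_id != PACKET_TAG_DUMMYNET)
        return NULL;
    return (struct dn_pkt_tag *)((uintptr_t)mtag + sizeof(struct m_tag));
}

/* move_pkt()-like step that refuses to touch an untagged packet.
 * Returns 0 on success, -1 when the caller should drop the mbuf. */
static int model_move_pkt(struct model_mbuf *pkt, dn_key curr_time, dn_key delay)
{
    struct dn_pkt_tag *dt = model_dn_tag_get_checked(pkt);
    if (dt == NULL)
        return -1;
    dt->output_time = curr_time + delay;
    return 0;
}

/* Tag header immediately followed by its payload, as m_tag_alloc() lays
 * it out; offsetof(payload) equals sizeof(struct m_tag) on this model. */
struct model_tagged { struct m_tag hdr; struct dn_pkt_tag payload; };

static void model_attach_tag(struct model_mbuf *m, struct model_tagged *t)
{
    memset(t, 0, sizeof(*t));
    t->hdr.m_tag_id = PACKET_TAG_DUMMYNET;
    t->hdr.m_tag_len = sizeof(struct dn_pkt_tag);
    t->hdr.m_tag_cookie = MTAG_ABI_COMPAT;
    m->tags_first = &t->hdr;
}

/* Value the unchecked lookup produces for an untagged mbuf. */
uintptr_t model_untagged_lookup_value(void)
{
    struct model_mbuf m = { .tags_first = NULL };
    return (uintptr_t)model_dn_tag_get_unchecked(&m);
}

/* Result of the checked path on an untagged mbuf: a drop, not a panic. */
int model_untagged_move(void)
{
    struct model_mbuf m = { .tags_first = NULL };
    return model_move_pkt(&m, 1000, 20);
}

/* Checked path on a properly tagged mbuf: output_time = curr + delay. */
unsigned long long model_tagged_move_time(void)
{
    struct model_mbuf m = { .tags_first = NULL };
    struct model_tagged t;
    model_attach_tag(&m, &t);
    if (model_move_pkt(&m, 1000, 20) != 0)
        return 0;
    return (unsigned long long)t.payload.output_time;
}

int main(void)
{
    printf("unchecked dt for untagged mbuf = %#lx\n",
           (unsigned long)model_untagged_lookup_value());
    printf("checked move_pkt on untagged mbuf -> %d\n", model_untagged_move());
    printf("checked move_pkt on tagged mbuf -> output_time=%llu\n",
           model_tagged_move_time());
    return 0;
}
```

On a 64-bit host the first line prints 0x18 (sizeof(struct m_tag) there), matching the 0x10 seen in %eax on the i386 crash above only in kind, not in value; the point is that the "pointer" is a small constant, so the first store through it faults at a fixed low address such as eva=24. Whether a production kernel should drop the packet or keep the KASSERT is a design choice; the dump shows the cost of relying on a check that is absent from the running kernel.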



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110508085114.DDD8E239449>