| Summary: | Panic with ipfw/nat under 13.0-RELEASE amd64 | | |
|---|---|---|---|
| Product: | Base System | Reporter: | 0xcdcdcdcd |
| Component: | kern | Assignee: | Mark Johnston <markj> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | CC: | ae, chris, freebsd, karabojkov, markj |
| Priority: | --- | Keywords: | crash, regression |
| Version: | 13.0-STABLE | | |
| Hardware: | amd64 | | |
| OS: | Any | | |
| See Also: | https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271991 | | |

Description
0xcdcdcdcd
2021-04-18 01:21:43 UTC
Did you try to disable sendfile for nginx? I think this can be related to the lack of an mb_unmapped_to_ext() call in the ip_divert() code. ipfw_nat and ipfw_nat64 also seem to need to be modified. Do you have a saved core dump from this panic?

Created attachment 224248
proposed patch (untested)

This might be related to the issue I reported in Bug #255104, where I get random crashes/panics shortly after activating a divert(4) rule in my IPFW firewall to route packets to Snort for inline inspection. WLAN traffic seems to more easily trigger it than wired LAN traffic. I'll look at trying to test this patch in the next few days to see if it resolves the issue somewhat (or makes it less likely to happen).

Thanks for your advice. I disabled sendfile for nginx and confirmed that it works stably. I'm building a kernel with the patch you provided, so I'm going to apply it and check it out.

I installed the patched ipdivert.ko and enabled sendfile for nginx. A few hours have passed, but still no panic. I will report it if it occurs.

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=652908599b6fa7285ee60cb567b97e70b648ac29

commit 652908599b6fa7285ee60cb567b97e70b648ac29
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-04-21 19:38:01 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-04-21 19:47:05 +0000

    Add required checks for unmapped mbufs in ipdivert and ipfw

    Also add an M_ASSERTMAPPED() macro to verify that all mbufs in the chain
    are mapped. Use it in ipfw_nat, which operates on a chain returned by
    m_megapullup().

    PR: 255164
    Reviewed by: ae, gallatin
    MFC after: 1 week
    Sponsored by: The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D29838

 sys/netinet/ip_divert.c                  |  6 ++++++
 sys/netpfil/ipfw/ip_fw_nat.c             |  1 +
 sys/netpfil/ipfw/nat64/nat64_translate.c | 10 ++++++++++
 sys/sys/mbuf.h                           | 11 +++++++++++
 4 files changed, 28 insertions(+)

A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=2b826286c3b951df0bb3b4250eecbb7adc5c860b

commit 2b826286c3b951df0bb3b4250eecbb7adc5c860b
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-04-21 19:38:01 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-04-28 14:00:13 +0000

    Add required checks for unmapped mbufs in ipdivert and ipfw

    Also add an M_ASSERTMAPPED() macro to verify that all mbufs in the chain
    are mapped. Use it in ipfw_nat, which operates on a chain returned by
    m_megapullup().

    PR: 255164
    Reviewed by: ae, gallatin
    Sponsored by: The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D29838

    (cherry picked from commit 652908599b6fa7285ee60cb567b97e70b648ac29)

 sys/netinet/ip_divert.c                  |  6 ++++++
 sys/netpfil/ipfw/ip_fw_nat.c             |  1 +
 sys/netpfil/ipfw/nat64/nat64_translate.c | 10 ++++++++++
 sys/sys/mbuf.h                           | 11 +++++++++++
 4 files changed, 28 insertions(+)