Bug 156877 - [dummynet] [panic] dummynet move_pkt() null ptr dereference
Summary: [dummynet] [panic] dummynet move_pkt() null ptr dereference
Status: Closed Overcome By Events
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 7.3-RELEASE
Hardware: Any Any
: Normal Affects Only Me
Assignee: Tom Jones
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-05-08 10:00 UTC by Przemyslaw Frasunek
Modified: 2020-09-19 14:48 UTC (History)

See Also:
Description Przemyslaw Frasunek 2011-05-08 10:00:20 UTC
NULL pointer dereference in dummynet move_pkt() due to empty m_pkthdr.tags:

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...

Unread portion of the kernel message buffer:
frame pointer	        = 0x28:0xc523ac18
code segment		= base rx0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 45 (dummynet)
trap number		= 12
panic: page fault
cpuid = 0
Uptime: 67d12h9m20s
Physical memory: 2000 MB
Dumping 232 MB: 217 201 185 169 153 137 121 105 89 73 57 41 25 9

Reading symbols from /boot/kernel/coretemp.ko...Reading symbols from /boot/kernel/coretemp.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/coretemp.ko
Reading symbols from /boot/kernel/smbus.ko...Reading symbols from /boot/kernel/smbus.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/smbus.ko
Reading symbols from /boot/kernel/smb.ko...Reading symbols from /boot/kernel/smb.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/smb.ko
Reading symbols from /boot/kernel/ichsmb.ko...Reading symbols from /boot/kernel/ichsmb.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ichsmb.ko
Reading symbols from /boot/kernel/ipmi.ko...Reading symbols from /boot/kernel/ipmi.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ipmi.ko
Reading symbols from /boot/kernel/acpi.ko...Reading symbols from /boot/kernel/acpi.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/acpi.ko
Reading symbols from /boot/kernel/ng_socket.ko...Reading symbols from /boot/kernel/ng_socket.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_socket.ko
Reading symbols from /boot/kernel/netgraph.ko...Reading symbols from /boot/kernel/netgraph.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/netgraph.ko
Reading symbols from /boot/kernel/ng_mppc.ko...Reading symbols from /boot/kernel/ng_mppc.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_mppc.ko
Reading symbols from /boot/kernel/rc4.ko...Reading symbols from /boot/kernel/rc4.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/rc4.ko
Reading symbols from /boot/kernel/ng_ether.ko...Reading symbols from /boot/kernel/ng_ether.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_ether.ko
Reading symbols from /boot/kernel/ng_pppoe.ko...Reading symbols from /boot/kernel/ng_pppoe.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_pppoe.ko
Reading symbols from /boot/kernel/if_tap.ko...Reading symbols from /boot/kernel/if_tap.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/if_tap.ko
Reading symbols from /boot/kernel/ng_tee.ko...Reading symbols from /boot/kernel/ng_tee.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_tee.ko
Reading symbols from /boot/kernel/ng_iface.ko...Reading symbols from /boot/kernel/ng_iface.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_iface.ko
Reading symbols from /boot/kernel/ng_ppp.ko...Reading symbols from /boot/kernel/ng_ppp.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_ppp.ko
Reading symbols from /boot/kernel/ng_tcpmss.ko...Reading symbols from /boot/kernel/ng_tcpmss.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_tcpmss.ko
Reading symbols from /boot/kernel/ng_bpf.ko...Reading symbols from /boot/kernel/ng_bpf.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_bpf.ko
Reading symbols from /boot/kernel/ng_car.ko...Reading symbols from /boot/kernel/ng_car.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_car.ko
#0  doadump () at pcpu.h:196
196		__asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:196
#1  0xc0836ac7 in boot (howto=260) at ../../../kern/kern_shutdown.c:418
#2  0xc0836d99 in panic (fmt=Variable "fmt" is not available.
) at ../../../kern/kern_shutdown.c:574
#3  0xc0b5ef1c in trap_fatal (frame=0xc523abcc, eva=24)
    at ../../../i386/i386/trap.c:950
#4  0xc0b5f1a0 in trap_pfault (frame=0xc523abcc, usermode=0, eva=24)
    at ../../../i386/i386/trap.c:863
#5  0xc0b5fb95 in trap (frame=0xc523abcc) at ../../../i386/i386/trap.c:541
#6  0xc0b42e7b in calltrap () at ../../../i386/i386/exception.s:166
#7  0xc0923b80 in move_pkt (pkt=0xd1060700, q=0xcbbcc600, p=0xc6922800, 
    len=1494) at ../../../netinet/ip_dummynet.c:545
#8  0xc0924630 in ready_event (q=0xcbbcc600, head=0xc523ac8c, tail=0xc523ac88)
    at ../../../netinet/ip_dummynet.c:593
#9  0xc0926445 in dummynet_task (context=0x0, pending=1)
    at ../../../netinet/ip_dummynet.c:847
#10 0xc086e135 in taskqueue_run (queue=0xc56e7480)
    at ../../../kern/subr_taskqueue.c:282
#11 0xc086e348 in taskqueue_thread_loop (arg=0xc0d4dc08)
    at ../../../kern/subr_taskqueue.c:401
#12 0xc080e9f9 in fork_exit (callout=0xc086e280 <taskqueue_thread_loop>, 
    arg=0xc0d4dc08, frame=0xc523ad38) at ../../../kern/kern_fork.c:811
#13 0xc0b42ef0 in fork_trampoline () at ../../../i386/i386/exception.s:271
(kgdb) frame 7
#7  0xc0923b80 in move_pkt (pkt=0xd1060700, q=0xcbbcc600, p=0xc6922800, 
    len=1494) at ../../../netinet/ip_dummynet.c:545
545	    dt->output_time = curr_time + p->delay ;
(kgdb) list -
535	static void
536	move_pkt(struct mbuf *pkt, struct dn_flow_queue *q, struct dn_pipe *p,
537	    int len)
538	{
539	    struct dn_pkt_tag *dt = dn_tag_get(pkt);
540	
541	    q->head = pkt->m_nextpkt ;
542	    q->len-- ;
543	    q->len_bytes -= len ;
544	
(kgdb) print *pkt
$1 = {m_hdr = {mh_next = 0x0, mh_nextpkt = 0xd60e7b00, 
    mh_data = 0xc6bb2810 "E", mh_len = 1494, mh_flags = 1027, mh_type = 1, 
    pad = "\000"}, M_dat = {MH = {MH_pkthdr = {rcvif = 0xc56e8000, 
        header = 0x0, len = 1494, csum_flags = 3840, csum_data = 65535, 
        tso_segsz = 0, ether_vtag = 5, tags = {slh_first = 0x0}}, MH_dat = {
        MH_ext = {ext_buf = 0xc6bb2800 "!í", ext_free = 0, ext_args = 0x0, 
          ext_size = 2048, ref_cnt = 0xc6c4e294, ext_type = 6}, 
        MH_databuf = "\000(»Æ\000\000\000\000\000\000\000\000\000\b\000\000\224âÄÆ\006\000\000\000\000Úæjó\001\002j\200\020ÿÿ\024¥\000\000\001\001\005\nó\001\rÂó\001Fz\220jÉÛÈwå¬-<²\r\001í#\034ü\217C\210'£fÌDÑiVÀ\003\0204ô\003:Çí\211þ\207\f\215@3\000\t\0020\006P|\225\030\027¼ôQ\024\r¼ÜËó\033C\206±\tQíA\034x£\036¿üû~Ê\000ØØà7E\016¨i%>\206©\210/ã\231awÊÚ:ðdK\230B!+\234\025Y\000[Eb_$\005D#÷\\Öm\024@Që>\202op*Y-Âò Ã`Ì\0323.(\221\227"...}}, 
    M_databuf = "\000\200nÅ\000\000\000\000Ö\005\000\000\000\017\000\000ÿÿ\000\000\000\000\005\000\000\000\000\000\000(»Æ\000\000\000\000\000\000\000\000\000\b\000\000\224âÄÆ\006\000\000\000\000Úæjó\001\002j\200\020ÿÿ\024¥\000\000\001\001\005\nó\001\rÂó\001Fz\220jÉÛÈwå¬-<²\r\001í#\034ü\217C\210'£fÌDÑiVÀ\003\0204ô\003:Çí\211þ\207\f\215@3\000\t\0020\006P|\225\030\027¼ôQ\024\r¼ÜËó\033C\206±\tQíA\034x£\036¿üû~Ê\000ØØà7E\016¨i%>\206©\210/ã\231awÊÚ:ðdK\230B!+\234\025Y\000[Eb_$\005D"...}}
(kgdb) x/i $eip
0xc0923b80 <move_pkt+64>:	mov    %edx,0x8(%eax)
(kgdb) info reg eax
eax            0x10	16

Fix: Unknown.
How-To-Repeat: Unknown. Happened after 67 days of uptime, without any changes in dummynet rules.
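To make the crash mechanics in the trace concrete, here is an added user-space model (not FreeBSD's code) of the unchecked tag lookup behind it: it assumes dn_tag_get() takes the first m_tag with a KASSERT that is compiled out in a non-debug kernel and returns the payload directly after the 16-byte i386 m_tag header, which reproduces eax=0x10 and the fault address eva=24 (16 plus the 0x8 offset of output_time seen in `mov %edx,0x8(%eax)`) from the report, beside a fail-closed lookup that returns NULL so the caller can drop the untagged packet. The struct layouts and the tag id are constructed for this demo.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed i386-sized models of the kernel structures (not FreeBSD's headers). */
struct m_tag32 {                 /* struct m_tag on i386: 16 bytes */
    uint32_t m_tag_link;         /* SLIST_ENTRY next pointer */
    uint16_t m_tag_id, m_tag_len;
    uint32_t m_tag_cookie, m_tag_free;  /* cookie, destructor fn pointer */
};
struct dn_pkt_tag32 {            /* leading fields of the dummynet tag payload */
    uint32_t rule;
    int32_t  dn_dir;
    uint64_t output_time;        /* offset 8, matching "mov %edx,0x8(%eax)" */
};
struct mbuf32 { struct m_tag32 *tags_first; };  /* m_pkthdr.tags.slh_first */
#define TAG_ID_DUMMYNET 15       /* constructed tag id for the demo */

/* Unchecked lookup, modelling a dn_tag_get() whose KASSERT is compiled out:
 * the payload is assumed to follow the m_tag header, so an empty tag list
 * yields NULL + sizeof(struct m_tag) == 16, the eax=0x10 in the report. */
static uintptr_t unchecked_tag_addr(const struct mbuf32 *m)
{
    return (uintptr_t)m->tags_first + sizeof(struct m_tag32); /* (mtag + 1) */
}

/* Address the store to dt->output_time hits for an untagged mbuf: 16 + 8 == eva 24. */
static uintptr_t fault_address_for_missing_tag(void)
{
    struct mbuf32 untagged = { NULL };
    return unchecked_tag_addr(&untagged) + offsetof(struct dn_pkt_tag32, output_time);
}

/* Hardened lookup: fail closed so the caller can drop the packet instead of
 * writing through a near-NULL pointer. */
static struct dn_pkt_tag32 *checked_tag_get(const struct mbuf32 *m)
{
    struct m_tag32 *mtag = m->tags_first;
    if (mtag == NULL || mtag->m_tag_id != TAG_ID_DUMMYNET)
        return NULL;
    return (struct dn_pkt_tag32 *)(mtag + 1);
}

/* 1 if the checked lookup rejects an untagged mbuf and finds a tagged one's payload. */
static int checked_lookup_ok(void)
{
    static union { uint64_t align; unsigned char b[32]; } buf;  /* header + payload */
    struct m_tag32 *hdr = (struct m_tag32 *)buf.b;
    struct mbuf32 untagged = { NULL }, tagged = { hdr };
    hdr->m_tag_id = TAG_ID_DUMMYNET;
    return checked_tag_get(&untagged) == NULL &&
           checked_tag_get(&tagged) == (struct dn_pkt_tag32 *)(hdr + 1);
}
```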
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2011-05-10 20:13:03 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-net

reclassify.
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:29 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped