ipfilter/ipnat panics when the vimage feature is enabled; it needs rework or should be marked as an option incompatible with vimage.

root@acerbsd:/usr/obj/usr/src/sys/G # kgdb kernel.debug /var/crash/vmcore.last
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:

Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 03
fault virtual address = 0x28
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff809aa3da
stack pointer = 0x28:0xffffff810e7b8650
frame pointer = 0x28:0xffffff810e7b8670
code segment = base rx0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 1927 (ipnat)
trap number = 12
panic: page fault
cpuid = 3
Uptime: 1m21s
Dumping 305 out of 3926 MB:..6%..11%..21%..32%..42%..53%..63%..74%..84%..95%

Reading symbols from /boot/kernel/tmpfs.ko...Reading symbols from /boot/kernel/tmpfs.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/tmpfs.ko
Reading symbols from /boot/kernel/linprocfs.ko...Reading symbols from /boot/kernel/linprocfs.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/linprocfs.ko
Reading symbols from /boot/kernel/linux.ko...Reading symbols from /boot/kernel/linux.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/linux.ko
Reading symbols from /boot/kernel/linsysfs.ko...Reading symbols from /boot/kernel/linsysfs.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/linsysfs.ko
Reading symbols from /boot/kernel/fdescfs.ko...Reading symbols from /boot/kernel/fdescfs.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/fdescfs.ko
Reading symbols from /boot/kernel/nullfs.ko...Reading symbols from /boot/kernel/nullfs.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/nullfs.ko
Reading symbols from /boot/kernel/pf.ko...Reading symbols from /boot/kernel/pf.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/pf.ko
Reading symbols from /boot/kernel/ipl.ko...Reading symbols from /boot/kernel/ipl.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ipl.ko
#0  doadump (textdump=<value optimized out>) at pcpu.h:229
229     __asm("movq %%gs:%1,%0" : "=r" (td)
(kgdb) bt full
#0  doadump (textdump=<value optimized out>) at pcpu.h:229
No locals.
#1  0xffffffff808eef24 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:447
        _ep = (struct eventhandler_entry *) 0x0
        _el = <value optimized out>
        first_buf_printf = 1
#2  0xffffffff808ef382 in panic (fmt=0x104 <Address 0x104 out of bounds>) at /usr/src/sys/kern/kern_shutdown.c:754
        ap = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0xffffff810e7b82b0, reg_save_area = 0xffffff810e7b81e0}}
#3  0xffffffff80c97b3d in trap_fatal (frame=0xfffffe0006c754b8, eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:872
        code = <value optimized out>
        ss = 40
        type = 12
        esp = <value optimized out>
        softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27, ssd_dpl = 0, ssd_p = 1, ssd_long = 1, ssd_def32 = 0, ssd_gran = 1}
        msg = <value optimized out>
#4  0xffffffff80c97e91 in trap_pfault (frame=0xffffff810e7b85a0, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:789
        id = <value optimized out>
        va = 0
        vm = <value optimized out>
        map = 0xfffffe000628e7a8
        rv = <value optimized out>
        ftype = 0 '\0'
        td = (struct thread *) 0xfffffe0006c81490
        p = (struct proc *) 0xfffffe0006c754b8
        eva = 40
#5  0xffffffff80c982f6 in trap (frame=0xffffff810e7b85a0) at /usr/src/sys/amd64/amd64/trap.c:463
        regs = {r_r15 = 0, r_r14 = 0, r_r13 = 0, r_r12 = 0, r_r11 = 0, r_r10 = 0, r_r9 = 0, r_r8 = 0, r_rdi = 0, r_rsi = 0, r_rbp = 0, r_rbx = 0, r_rdx = 0, r_rcx = 0, r_rax = 4196000, r_trapno = 6414336, r_fs = 8, r_gs = 0, r_err = 0, r_es = 0, r_ds = 0, r_rip = 0, r_cs = 0, r_rflags = 0, r_rsp = 0, r_ss = 0}
        td = (struct thread *) 0xfffffe0006c81490
        p = <value optimized out>
        i = <value optimized out>
        ucode = <value optimized out>
        code = 0
        type = 12
        addr = <value optimized out>
        ksi = {ksi_link = {tqe_next = 0x0, tqe_prev = 0x0}, ksi_info = {si_signo = 8613312, si_errno = 8, si_code = 6415360, si_pid = 8, si_uid = 0, si_status = 0, si_addr = 0x0, si_value = {sival_int = 0, sival_ptr = 0x0, sigval_int = 0, sigval_ptr = 0x0}, _reason = {_fault = {_trapno = 0}, _timer = {_timerid = 0, _overrun = 0}, _mesgq = {_mqd = 0}, _poll = {_band = 0}, __spare__ = {__spare1__ = 0, __spare2__ = {0, 0, 0, 0, 0, 0, 0}}}}, ksi_flags = 0, ksi_sigq = 0x0}
#6  0xffffffff80c81c33 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:228
No locals.
#7  0xffffffff809aa3da in ifunit (name=0xfffffe0006b7c944 "wlan0") at /usr/src/sys/net/if.c:2016
        ifp = <value optimized out>
#8  0xffffffff818dfa3a in fr_resolvenic (name=<value optimized out>, v=<value optimized out>) at /usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/fil.c:6565
        nic = <value optimized out>
#9  0xffffffff818c8a25 in nat_resolverule (n=0xfffffe0006b7c800) at /usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_nat.c:1108
No locals.
#10 0xffffffff818c99b3 in fr_nat_ioctl (data=0xfffffe0006049780 "", cmd=2151182908, mode=2, uid=0, ctx=0xfffffe0006c81490) at /usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_nat.c:976
        ptr = <value optimized out>
        nl = {nl_inip = {s_addr = 0}, nl_outip = {s_addr = 0}, nl_realip = {s_addr = 0}, nl_flags = 0, nl_inport = 0, nl_outport = 0, nl_realport = 0}
        nat = <value optimized out>
        nt = (ipnat_t *) 0xfffffe0006b7c800
        n = (ipnat_t *) 0x0
        np = (ipnat_t **) 0xffffffff818ec558
        error = 17
        ret = <value optimized out>
        arg = <value optimized out>
        getlock = 1
        natd = {in_lock = {ipf_lkun_s = {ipf_slk = {lock_object = {lo_name = 0x0, lo_flags = 0, lo_data = 0, lo_witness = 0x0}, mtx_lock = 0}, ipf_lname = 0x0}, ipf_emu = {eMm_owner = 0x0, eMm_heldin = 0x0, eMm_magic = 0, eMm_held = 0, eMm_heldat = 0}}, in_next = 0x0, in_rnext = 0x0, in_prnext = 0x0, in_mnext = 0x0, in_pmnext = 0x0, in_tqehead = {0x0, 0x0}, in_ifps = {0x0, 0x0}, in_apr = 0x0, in_comment = 0x0, in_next6 = {i6 = {0, 0, 0, 0}, in4 = {s_addr = 0}, in6 = {__u6_addr = {__u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, vptr = {0x0, 0x0}, lptr = {0, 0}, i6un = {type = 0, subtype = 0, label = '\0' <repeats 11 times>}}, in_space = 0, in_hits = 0, in_use = 0, in_hv = 0, in_flineno = 0, in_pnext = 0, in_v = 4 '\004', in_xxx = 0 '\0', in_flags = 32832, in_mssclamp = 0, in_age = {0, 0}, in_redir = 1, in_p = 0, in_in = {{i6 = {10, 0, 0, 0}, in4 = {s_addr = 10}, in6 = {__u6_addr = {__u6_addr8 = "\n", '\0' <repeats 14 times>, __u6_addr16 = {10, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {10, 0, 0, 0}}}, vptr = { 0xa, 0x0}, lptr = {0xa, 0}, i6un = {type = 10, subtype = 0, label = '\0' <repeats 11 times>}}, {i6 = {255, 0, 0, 0}, in4 = {s_addr = 255}, in6 = {__u6_addr = {__u6_addr8 = "�", '\0' <repeats 14 times>, __u6_addr16 = {255, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {255, 0, 0, 0}}}, vptr = {0xff, 0x0}, lptr = {0xff, 0}, i6un = {type = 255, subtype = 0, label = '\0' <repeats 11 times>}}}, in_out = {{i6 = {83994816, 0, 0, 0}, in4 = {s_addr = 83994816}, in6 = {__u6_addr = {__u6_addr8 = "�\001\005", '\0' <repeats 11 times>, __u6_addr16 = {43200, 1281, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {83994816, 0, 0, 0}}}, vptr = {0x501a8c0, 0x0}, lptr = {0x501a8c0, 0}, i6un = {type = 43200, subtype = 1281, label = '\0' <repeats 11 times>}}, {i6 = {4294967295, 0, 0, 0}, in4 = {s_addr = 4294967295}, in6 = {__u6_addr = { __u6_addr8 = "����", '\0' <repeats 11 times>, __u6_addr16 = {65535, 65535, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {4294967295, 0, 0, 0}}}, vptr = {0xffffffff, 0x0}, lptr = {0xffffffff, 0}, i6un = {type = 65535, subtype = 65535, label = '\0' <repeats 11 times>}}}, in_src = {{i6 = {10, 0, 0, 0}, in4 = {s_addr = 10}, in6 = {__u6_addr = {__u6_addr8 = "\n", '\0' <repeats 14 times>, __u6_addr16 = {10, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {10, 0, 0, 0}}}, vptr = {0xa, 0x0}, lptr = {0xa, 0}, i6un = {type = 10, subtype = 0, label = '\0' <repeats 11 times>}}, {i6 = {255, 0, 0, 0}, in4 = {s_addr = 255}, in6 = {__u6_addr = { __u6_addr8 = "�", '\0' <repeats 14 times>, __u6_addr16 = {255, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {255, 0, 0, 0}}}, vptr = {0xff, 0x0}, lptr = {0xff, 0}, i6un = {type = 255, subtype = 0, label = '\0' <repeats 11 times>}}}, in_tuc = {ftu_tcpfm = 0 '\0', ftu_tcpf = 0 '\0', ftu_src = {frp_cmp = 0, frp_port = 0, frp_top = 0}, ftu_dst = {frp_cmp = 0, frp_port = 0, frp_top = 0}}, in_port = {0, 0}, in_ppip = 0, in_ippip = 0, in_ifnames = {"wlan0\000\000\000\000\000\000\000\000\000\000", "wlan0\000\000\000\000\000\000\000\000\000\000"}, in_plabel = '\0' <repeats 15 times>, in_tag = {ipt_un = {iptu_num = {0, 0, 0, 0}, iptu_tag = '\0' <repeats 15 times>}, ipt_not = 0}}
#11 0xffffffff807c6bbb in devfs_ioctl_f (fp=0xfffffe0006c1aaa0, com=2151182908, data=<value optimized out>, cred=<value optimized out>, td=0xfffffe0006c81490) at /usr/src/sys/fs/devfs/devfs_vnops.c:757
        dev = (struct cdev *) 0xfffffe0006b7b200
        dsw = (struct cdevsw *) 0xffffffff818ea900
        vp = <value optimized out>
        vpold = <value optimized out>
        error = 0
        i = <value optimized out>
        ref = <value optimized out>
        p = <value optimized out>
        fpop = (struct file *) 0x0
#12 0xffffffff8093fbe4 in kern_ioctl (td=<value optimized out>, fd=<value optimized out>, com=2151182908, data=0xfffffe0006049780 "") at file.h:306
        fp = (struct file *) 0xfffffe0006c1aaa0
        fdp = (struct filedesc *) 0xfffffe000627b800
        error = 0
        tmp = -127
        locked = <value optimized out>
#13 0xffffffff8093fd5d in sys_ioctl (td=0xfffffe0006c81490, uap=0xffffff810e7b9a30) at /usr/src/sys/kern/sys_generic.c:693
        arg = 0
        error = 0
        size = 56
        data = 0xfffffe0006049780 ""
#14 0xffffffff80c9730b in amd64_syscall (td=0xfffffe0006c81490, traced=0) at subr_syscall.c:134
        sa = {code = 54, callp = 0xffffffff81271c60, args = {3, 2151182908, 140737488345424, 0, -34374477104, 0, -545217865040, -2138341345}, narg = 3}
        error = 0
        ksi = {ksi_link = {tqe_next = 0xffffff810e7b9a00, tqe_prev = 0xffffffff80d0a8fd}, ksi_info = {si_signo = 242981376, si_errno = 1, si_code = -2138062933, si_pid = -1, si_uid = 2129757952, si_status = -128, si_addr = 0xffffff800021ddb8, si_value = {sival_int = 2219392, sival_ptr = 0xffffff800021dd80, sigval_int = 2219392, sigval_ptr = 0xffffff800021dd80}, _reason = {_fault = {_trapno = -2126377920}, _timer = { _timerid = -2126377920, _overrun = -1}, _mesgq = {_mqd = -2126377920}, _poll = {_band = -2126377920}, __spare__ = {__spare1__ = -2126377920, __spare2__ = {2128191524, 37, 113726648, -512, 242981424, -127, -2137812303}}}}, ksi_flags = 0, ksi_sigq = 0x0}
#15 0xffffffff80c81f17 in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:387
No locals.
#16 0x0000000800b5604a in ?? ()
No symbol table info available.
Previous frame inner to this frame (corrupt stack?)
(kgdb) fr 11
#11 0xffffffff807c6bbb in devfs_ioctl_f (fp=0xfffffe0006c1aaa0, com=2151182908, data=<value optimized out>, cred=<value optimized out>, td=0xfffffe0006c81490) at /usr/src/sys/fs/devfs/devfs_vnops.c:757
757             error = dsw->d_ioctl(dev, com, data, fp->f_flag, td);
(kgdb) l
752                     error = copyout(p, fgn->buf, i);
753                     td->td_fpop = fpop;
754                     dev_relthread(dev, ref);
755                     return (error);
756             }
757             error = dsw->d_ioctl(dev, com, data, fp->f_flag, td);
758             td->td_fpop = NULL;
759             dev_relthread(dev, ref);
760             if (error == ENOIOCTL)
761                     error = ENOTTY;
(kgdb) fr 10
#10 0xffffffff818c99b3 in fr_nat_ioctl (data=0xfffffe0006049780 "", cmd=2151182908, mode=2, uid=0, ctx=0xfffffe0006c81490) at /usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_nat.c:976
976             if (nat_resolverule(n) != 0)
(kgdb) l
971     ipnat_t *n, **np;
972     int getlock;
973     {
974             int error = 0, i, j;
975
976             if (nat_resolverule(n) != 0)
977                     return ENOENT;
978
979             if ((n->in_age[0] == 0) && (n->in_age[1] != 0))
980                     return EINVAL;
(kgdb)

Fix: ipfilter must learn CURVNET_SET and CURVNET_RESTORE macros

How-To-Repeat: recompile kernel with "options VIMAGE" and try to start ipnat.
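The backtrace shows ifunit() faulting at a small address while resolving the NAT rule's interface from an ioctl, and the fix named in the report (and later committed as r274744) is to select the calling thread's vnet with CURVNET_SET()/CURVNET_RESTORE() around the handler. The following is an added user-space model of that pattern, not ipfilter's or FreeBSD's code: struct vnet, struct thread, ifunit() and both nat_ioctl_* handlers are simplified stand-ins, and the two macros only mirror the shape of the kernel's.

```c
/* Added example, not ipfilter's or FreeBSD's code: a user-space model of
 * why the ipnat ioctl path faults under VIMAGE and how the CURVNET_SET /
 * CURVNET_RESTORE pattern avoids it. Everything here is a simplified stand-in. */
#include <string.h>

struct ifnet  { const char *if_xname; struct ifnet *if_next; };
struct vnet   { struct ifnet *vnet_ifnet; };   /* per-vnet interface list (V_ifnet) */
struct thread { struct vnet *td_vnet; };       /* stand-in for TD_TO_VNET(td) */

/* The "current vnet" that virtualised network code uses implicitly. */
static struct vnet *curvnet;

/* Shaped like the kernel macros: SET saves the old value into a local in the
 * enclosing scope and RESTORE puts it back, so both must sit in one block. */
#define CURVNET_SET(v)    struct vnet *saved_vnet = curvnet; curvnet = (v)
#define CURVNET_RESTORE() curvnet = saved_vnet

#define WOULD_PANIC (-1)   /* models the page fault in the report */
#define ERR_NOENT   2      /* models the ENOENT that nat_resolverule() returns */

/* Model of ifunit(): walks curvnet->vnet_ifnet. With curvnet NULL the kernel
 * reads a small offset from address 0 (the report's fault address 0x28);
 * this model returns WOULD_PANIC instead of dereferencing. */
static int ifunit(const char *name, struct ifnet **out)
{
    if (curvnet == NULL)
        return WOULD_PANIC;
    for (struct ifnet *ifp = curvnet->vnet_ifnet; ifp; ifp = ifp->if_next)
        if (strcmp(ifp->if_xname, name) == 0) { *out = ifp; return 0; }
    return ERR_NOENT;
}

/* Before the fix: resolve the rule's interface with no vnet selected. */
int nat_ioctl_unfixed(struct thread *td, const char *ifname)
{
    struct ifnet *ifp;
    (void)td;                       /* the caller's vnet is never consulted */
    return ifunit(ifname, &ifp);
}

/* After the fix: select the caller's vnet for the ioctl and restore it on exit. */
int nat_ioctl_fixed(struct thread *td, const char *ifname)
{
    struct ifnet *ifp;
    CURVNET_SET(td->td_vnet);
    int error = ifunit(ifname, &ifp);
    CURVNET_RESTORE();
    return error;
}
```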
Responsible Changed
From-To: freebsd-bugs->darrenr

Assign to author of ipfilter.

State Changed
From-To: open->open

commit bit has been taken in for safekeeping.

Responsible Changed
From-To: darrenr->freebsd-net

Responsible Changed
From-To: freebsd-net->cy

Mine.
From this e-mail:
https://lists.freebsd.org/pipermail/freebsd-virtualization/2011-November/000778.html

This can crash the kernel inside ipfilter. I did this at SVN revision 273243:

(1) Boot kernel with "options VIMAGE" enabled
(2) echo "map lo0 from 10.0.0.0/24 to ! 10.0.0.0/24 -> 127.0.0.1/32" > /etc/ipnat.rules ; service ipnat onerestart

Kernel page fault with the following non-sleepable locks held:
shared rw ifnet_rw (ifnet_rw) r = 0 (0xffffffff81851080) locked @ /opt2/branches/head-vimage/sys/net/if.c:2245
exclusive sleep mutex ipf nat io mutex (ipf nat io mutex) r = 0 (0xfffffe00015f6038) locked @ /opt2/branches/head-vimage/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_nat.c:1109
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0097562b20
kdb_backtrace() at kdb_backtrace+0x39/frame 0xfffffe0097562bd0
witness_warn() at witness_warn+0x4b5/frame 0xfffffe0097562c90
trap_pfault() at trap_pfault+0x59/frame 0xfffffe0097562d30
trap() at trap+0x4b9/frame 0xfffffe0097562f40
calltrap() at calltrap+0x8/frame 0xfffffe0097562f40
--- trap 0xc, rip = 0xffffffff809f77f5, rsp = 0xfffffe0097563000, rbp = 0xfffffe0097563030 ---
ifunit() at ifunit+0x35/frame 0xfffffe0097563030
ipf_resolvenic() at ipf_resolvenic+0x26/frame 0xfffffe0097563040
ipf_nat_resolverule() at ipf_nat_resolverule+0x28/frame 0xfffffe0097563060
ipf_nat_ioctl() at ipf_nat_ioctl+0xeee/frame 0xfffffe0097564850
ipfioctl() at ipfioctl+0x10e/frame 0xfffffe0097564890
devfs_ioctl_f() at devfs_ioctl_f+0x121/frame 0xfffffe00975648f0
kern_ioctl() at kern_ioctl+0x22b/frame 0xfffffe0097564950
sys_ioctl() at sys_ioctl+0x13c/frame 0xfffffe00975649a0
amd64_syscall() at amd64_syscall+0x25a/frame 0xfffffe0097564ab0
Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe0097564ab0
--- syscall (54, FreeBSD ELF64, sys_ioctl), rip = 0x800b86e0a, rsp = 0x7fffffffdba8, rbp = 0x7fffffffdc80 ---

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address = 0x28
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff809f77f5
stack pointer = 0x28:0xfffffe0097563000
frame pointer = 0x28:0xfffffe0097563030
code segment = base rx0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 728 (ipnat)
[ thread pid 728 tid 100067 ]
Stopped at ifunit+0x35: movq 0x28(%rax),%rax
db>
A commit references this bug:

Author: rodrigc
Date: Thu Nov 20 08:11:55 UTC 2014
New revision: 274744
URL: https://svnweb.freebsd.org/changeset/base/274744

Log:
  Set the current vnet inside the ioctl handler for ipfilter.
  Without this fix, the vnet was NULL and would crash.
  This fix is similar to what was done inside the ioctl handler for PF.

  Tested by:
    (1) Boot a kernel with "options VIMAGE" enabled
    (2) Type: echo "map lo0 from 10.0.0.0/24 to ! 10.0.0.0/24 -> 127.0.0.1/32" > /etc/ipnat.rules ; service ipnat onerestart

  PR: 176992
  Differential Revision: https://reviews.freebsd.org/D1191
  Reviewed by: cy

Changes:
  head/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
A commit references this bug:

Author: cy
Date: Fri Nov 28 20:39:35 UTC 2014
New revision: 275213
URL: https://svnweb.freebsd.org/changeset/base/275213

Log:
  MFC r274744.

  Set the current vnet inside the ioctl handler for ipfilter.
  Without this fix, the vnet was NULL and would crash.
  This fix is similar to what was done inside the ioctl handler for PF.

  Tested by:
    (1) Boot a kernel with "options VIMAGE" enabled
    (2) Type: echo "map lo0 from 10.0.0.0/24 to ! 10.0.0.0/24 -> 127.0.0.1/32" > /etc/ipnat.rules ; service ipnat onerestart

  PR: 176992
  Differential Revision: https://reviews.freebsd.org/D1191

Changes:
_U  stable/10/
  stable/10/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
A commit references this bug:

Author: rodrigc
Date: Sat Dec 13 04:50:15 UTC 2014
New revision: 275741
URL: https://svnweb.freebsd.org/changeset/base/275741

Log:
  Merge r275213.

  Set the current vnet inside the ioctl handler for ipfilter.
  Without this fix, the vnet was NULL and would crash.
  This fix is similar to what was done inside the ioctl handler for PF.

  Tested by:
    (1) Boot a kernel with "options VIMAGE" enabled
    (2) Type: echo "map lo0 from 10.0.0.0/24 to ! 10.0.0.0/24 -> 127.0.0.1/32" > /etc/ipnat.rules ; service ipnat onerestart

  PR: 176992
  Differential Revision: https://reviews.freebsd.org/D1191

Changes:
_U  stable/9/
_U  stable/9/sys/
  stable/9/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c