Date: Mon, 21 May 2012 15:06:46 GMT
From: Hugo Silva <hugo@barafranca.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: pf crashes when receiving packets from an address in a table

>Number:         168200
>Category:       kern
>Synopsis:       [pf] pf crashes when receiving packets from an address in a table
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-pf
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 21 15:10:02 UTC 2012
>Closed-Date:    Fri Jun 29 12:11:58 UTC 2012
>Last-Modified:  Fri Jun 29 12:20:09 UTC 2012
>Originator:     Hugo Silva
>Release:        9.0-RELEASE
>Organization:
>Environment:
FreeBSD xxx.ext1.xxx.local 9.0-RELEASE FreeBSD 9.0-RELEASE #1: Wed May  2 11:55:06 UTC 2012     root@xxx.ext1.xxx.local:/usr/obj/usr/src/sys/XXX  amd64

>Description:
pf.conf snippet:

table <blacklist> persist
block in quick on $ext_if inet from <blacklist> 


When connecting from a host that has been added to the table (and only from such a host), the kernel will crash.


Please note that this is a HVM+PV Xen installation, perhaps it only occurs when running virtualized (seems too obvious to have been missed otherwise).
>How-To-Repeat:
# pfctl -Tadd -tblacklist ${your_source_address}
No ALTQ support in kernel
ALTQ related functions disabled
1/1 addresses added.

At this point the machine is still alive:
# echo yay
yay


Now open a TCP connection:
laptop$ telnet ${fbsd_server} 6667
Trying ${fbsd_server}...


Meanwhile, at the hypervisor console.. [xm console ${domain_name}]

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x108
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff8061bd38
stack pointer           = 0x28:0xffffff80002c6510
frame pointer           = 0x28:0xffffff80002c65d0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (irq28: xenpci0)
[ thread pid 12 tid 100025 ]
Stopped at      uma_zalloc_arg+0x88:    movq    0x8(%rbx),%rdx
db> bt
Tracing pid 12 tid 100025 td 0xfffffe0001281000
uma_zalloc_arg() at uma_zalloc_arg+0x88
pfr_update_stats() at pfr_update_stats+0x1c4
pf_test() at pf_test+0x8bf
pf_check_in() at pf_check_in+0x2b
pfil_run_hooks() at pfil_run_hooks+0x9e
ip_input() at ip_input+0x287
netisr_dispatch_src() at netisr_dispatch_src+0x20b
ether_demux() at ether_demux+0x14d
ether_nh_input() at ether_nh_input+0x1f4
netisr_dispatch_src() at netisr_dispatch_src+0x20b
xn_intr() at xn_intr+0x6b8
evtchn_interrupt() at evtchn_interrupt+0x2ed
intr_event_execute_handlers() at intr_event_execute_handlers+0xfb
ithread_loop() at ithread_loop+0xa6
fork_exit() at fork_exit+0x11f
fork_trampoline() at fork_trampoline+0xe
--- trap 0, rip = 0, rsp = 0xffffff80002c6d00, rbp = 0 ---
db> 

>Fix:
Don't use pf tables :)

>Release-Note:
>Audit-Trail:

From: Hugo Silva <hugo@barafranca.com>
To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org
Cc:  
Subject: Re: misc/168200: pf crashes when receiving packets from an address
 in a table
Date: Mon, 21 May 2012 17:15:34 +0100

 On 05/21/12 16:10, FreeBSD-gnats-submit@FreeBSD.org wrote:
 > Thank you very much for your problem report.
 > It has the internal identification `misc/168200'.
 > The individual assigned to look at your
 > report is: freebsd-bugs.
 >
 > You can access the state of your problem report at any time
 > via this link:
 >
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=168200
 >
 >> Category:       misc
 >> Responsible:    freebsd-bugs
 >> Synopsis:       pf crashes when receiving packets from an address in a table
 >> Arrival-Date:   Mon May 21 15:10:02 UTC 2012
 
 
 Furthermore, this seems to be related to the usage of the "counters" 
 option in the table definition.
 
 Since the table I was testing this on was defined as being persistent, 
 the bug would be triggered even after changing the definition and 
 reloading pf.
 
 
 Killing the table and then recreating it without "counters", or just 
 rebooting the machine after fixing pf.conf makes the issue disappear.
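
The follow-up above ties the panic to tables defined with `counters`. As an added example (not part of the original report or of FreeBSD), this sh function lists every table in a pf.conf that carries that option, so affected rulesets can be found before the fix is installed; the sample ruleset, the `xn0` interface and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find pf tables declared with the "counters" option.

# Constructed sample ruleset (only the <blacklist> table and the block
# rule come from the report; "counters" and the rest are added here).
sample_pf_conf() {
    cat <<'EOF'
ext_if = "xn0"
table <blacklist> persist counters
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12 }
table <scanners> persist \
    counters file "/etc/pf.scanners"
# table <old> persist counters
block in quick on $ext_if inet from <blacklist>
EOF
}

# Read pf.conf text on stdin; print the name of each table whose
# definition carries "counters". Joins backslash continuations, drops
# comments, and ignores the inline { ... } address list.
tables_with_counters() {
    awk '
        { sub(/#.*/, "") }
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next }
        { line = buf $0; buf = "" }
        line ~ /^[ \t]*table[ \t]*</ {
            opts = line
            sub(/[{].*/, "", opts)
            name = opts
            sub(/^[^<]*</, "", name); sub(/>.*/, "", name)
            sub(/^[^>]*>/, "", opts)
            n = split(opts, w, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (w[i] == "counters") { print name; break }
        }
    '
}

sample_pf_conf | tables_with_counters | while read -r t; do
    echo "table <$t>: declared with counters"
done
```

Run it against a live ruleset with `tables_with_counters < /etc/pf.conf`; rules pulled in from other files are not followed.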
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon May 21 18:31:25 UTC 2012 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=168200 

From: Theodor-Iulian Ciobanu <thciobanu@nth.ro>
To: bug-followup@FreeBSD.org, hugo@barafranca.com
Cc:  
Subject: Re: kern/168200: [pf] pf crashes when receiving packets from an
 address in a table
Date: Tue, 22 May 2012 13:57:34 +0300

 Hello,
 
 I've hit this same issue about a month ago. See the patch here
 (unfortunately, it doesn't seem to have been committed yet):
 http://lists.freebsd.org/pipermail/freebsd-pf/2012-April/006534.html
 
 Since I applied it the system hasn't crashed once.
 
 -- 
 Theo

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/168200: commit references a PR
Date: Thu, 31 May 2012 20:10:15 +0000 (UTC)

 Author: eri
 Date: Thu May 31 20:10:05 2012
 New Revision: 236364
 URL: http://svn.freebsd.org/changeset/base/236364
 
 Log:
   Correct table counter functionality to not panic.
   This was caused by not proper initialization of necessary parameters.
   
   PR: 168200
   Reviewed by:	bz@, glebius@
   MFC after:	1 week
 
 Modified:
   head/sys/contrib/pf/net/pf_ioctl.c
   head/sys/contrib/pf/net/pf_table.c
   head/sys/contrib/pf/net/pfvar.h
 
 Modified: head/sys/contrib/pf/net/pf_ioctl.c
 ==============================================================================
 --- head/sys/contrib/pf/net/pf_ioctl.c	Thu May 31 19:34:53 2012	(r236363)
 +++ head/sys/contrib/pf/net/pf_ioctl.c	Thu May 31 20:10:05 2012	(r236364)
 @@ -298,7 +298,7 @@ init_zone_var(void)
  	V_pf_altq_pl = V_pf_pooladdr_pl = NULL;
  	V_pf_frent_pl = V_pf_frag_pl = V_pf_cache_pl = V_pf_cent_pl = NULL;
  	V_pf_state_scrub_pl = NULL;
 -	V_pfr_ktable_pl = V_pfr_kentry_pl = NULL;
 +	V_pfr_ktable_pl = V_pfr_kentry_pl = V_pfr_kcounters_pl = NULL;
  }
  
  void
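Review bot: The chained assignment in init_zone_var() (`V_pfr_ktable_pl = V_pfr_kentry_pl = V_pfr_kcounters_pl = NULL;`) is the kind of list where a zone is left out unnoticed, which is what happened to the counters zone. Consider one assignment per line, in the same order as the UMA_CREATE list in pfattach() and the UMA_DESTROY list in cleanup_pf_zone(), so the three lists can be compared line by line.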
 @@ -317,6 +317,7 @@ cleanup_pf_zone(void)
  	UMA_DESTROY(V_pf_cent_pl);
  	UMA_DESTROY(V_pfr_ktable_pl);
  	UMA_DESTROY(V_pfr_kentry_pl);
 +	UMA_DESTROY(V_pfr_kcounters_pl);
  	UMA_DESTROY(V_pf_state_scrub_pl);
  	UMA_DESTROY(V_pfi_addr_pl);
  }
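Review bot: In cleanup_pf_zone() the new `UMA_DESTROY(V_pfr_kcounters_pl)` sits after `UMA_DESTROY(V_pfr_kentry_pl)`, and nothing in this hunk shows that outstanding allocations from the counters zone have been released before the zones are torn down. Please confirm that all tables are flushed before cleanup_pf_zone() runs, or state that precondition in a comment above the destroy list.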
 @@ -337,6 +338,7 @@ pfattach(void)
  		UMA_CREATE(V_pf_pooladdr_pl,	struct pf_pooladdr, "pfpooladdrpl");
  		UMA_CREATE(V_pfr_ktable_pl,	struct pfr_ktable, "pfrktable");
  		UMA_CREATE(V_pfr_kentry_pl,	struct pfr_kentry, "pfrkentry");
 +		UMA_CREATE(V_pfr_kcounters_pl,	struct pfr_kcounters, "pfrkcounters");
  		UMA_CREATE(V_pf_frent_pl,	struct pf_frent, "pffrent");
  		UMA_CREATE(V_pf_frag_pl,	struct pf_fragment, "pffrag");
  		UMA_CREATE(V_pf_cache_pl,	struct pf_fragment, "pffrcache");
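Review bot: The log message says only "not proper initialization of necessary parameters", while the added `UMA_CREATE(V_pfr_kcounters_pl, ...)` line in pfattach() shows the actual defect: the counters zone was never created, so the allocation under pfr_update_stats() in the PR backtrace was made against a zone that did not exist. Saying that in the commit log, and asserting on the zone at the allocation site, would make a regression fail at a known place instead of as a page fault inside uma_zalloc_arg().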
 
 Modified: head/sys/contrib/pf/net/pf_table.c
 ==============================================================================
 --- head/sys/contrib/pf/net/pf_table.c	Thu May 31 19:34:53 2012	(r236363)
 +++ head/sys/contrib/pf/net/pf_table.c	Thu May 31 20:10:05 2012	(r236364)
 @@ -179,7 +179,6 @@ struct pfr_walktree {
  VNET_DEFINE(uma_zone_t,			pfr_ktable_pl);
  VNET_DEFINE(uma_zone_t,			pfr_kentry_pl);
  VNET_DEFINE(uma_zone_t,			pfr_kcounters_pl);
 -#define	V_pfr_kcounters_pl		VNET(pfr_kcounters_pl)
  VNET_DEFINE(struct sockaddr_in,		pfr_sin);
  #define	V_pfr_sin			VNET(pfr_sin)
  VNET_DEFINE(struct sockaddr_in6,	pfr_sin6);
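Review bot: Dropping the file-local `#define V_pfr_kcounters_pl` here makes any use of the macro in pf_table.c depend on the definition added to pfvar.h in the same revision, so this hunk and the pfvar.h hunk only build together. A sentence in the log saying so would help anyone carrying the change by hand to a branch that does not receive the merge.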
 
 Modified: head/sys/contrib/pf/net/pfvar.h
 ==============================================================================
 --- head/sys/contrib/pf/net/pfvar.h	Thu May 31 19:34:53 2012	(r236363)
 +++ head/sys/contrib/pf/net/pfvar.h	Thu May 31 20:10:05 2012	(r236364)
 @@ -1868,6 +1868,8 @@ VNET_DECLARE(uma_zone_t,		 pfr_ktable_pl
  #define	V_pfr_ktable_pl			 VNET(pfr_ktable_pl)
  VNET_DECLARE(uma_zone_t,		 pfr_kentry_pl);
  #define	V_pfr_kentry_pl			 VNET(pfr_kentry_pl)
 +VNET_DECLARE(uma_zone_t,		 pfr_kcounters_pl);
 +#define	V_pfr_kcounters_pl		 VNET(pfr_kcounters_pl)
  VNET_DECLARE(uma_zone_t,		 pf_cache_pl);
  #define	V_pf_cache_pl			 VNET(pf_cache_pl)
  VNET_DECLARE(uma_zone_t,		 pf_cent_pl);
 
State-Changed-From-To: open->closed 
State-Changed-By: glebius 
State-Changed-When: Fri Jun 29 12:11:37 UTC 2012 
State-Changed-Why:  
Fixed in head & stable/9. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=168200 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/168200: commit references a PR
Date: Fri, 29 Jun 2012 12:11:53 +0000 (UTC)

 Author: glebius
 Date: Fri Jun 29 12:11:31 2012
 New Revision: 237776
 URL: http://svn.freebsd.org/changeset/base/237776
 
 Log:
   Merge r236364 from head by eri@:
     Correct table counter functionality to not panic.
     This was caused by not proper initialization of necessary parameters.
   
     PR:		168200
     Reviewed by:	bz@, glebius@
     MFC after:	1 week
 
 Modified:
   stable/9/sys/contrib/pf/net/pf_ioctl.c
   stable/9/sys/contrib/pf/net/pf_table.c
   stable/9/sys/contrib/pf/net/pfvar.h
 Directory Properties:
   stable/9/sys/   (props changed)
   stable/9/sys/contrib/pf/   (props changed)
 
 Modified: stable/9/sys/contrib/pf/net/pf_ioctl.c
 ==============================================================================
 --- stable/9/sys/contrib/pf/net/pf_ioctl.c	Fri Jun 29 12:08:26 2012	(r237775)
 +++ stable/9/sys/contrib/pf/net/pf_ioctl.c	Fri Jun 29 12:11:31 2012	(r237776)
 @@ -298,7 +298,7 @@ init_zone_var(void)
  	V_pf_altq_pl = V_pf_pooladdr_pl = NULL;
  	V_pf_frent_pl = V_pf_frag_pl = V_pf_cache_pl = V_pf_cent_pl = NULL;
  	V_pf_state_scrub_pl = NULL;
 -	V_pfr_ktable_pl = V_pfr_kentry_pl = NULL;
 +	V_pfr_ktable_pl = V_pfr_kentry_pl = V_pfr_kcounters_pl = NULL;
  }
  
  void
 @@ -317,6 +317,7 @@ cleanup_pf_zone(void)
  	UMA_DESTROY(V_pf_cent_pl);
  	UMA_DESTROY(V_pfr_ktable_pl);
  	UMA_DESTROY(V_pfr_kentry_pl);
 +	UMA_DESTROY(V_pfr_kcounters_pl);
  	UMA_DESTROY(V_pf_state_scrub_pl);
  	UMA_DESTROY(V_pfi_addr_pl);
  }
 @@ -337,6 +338,7 @@ pfattach(void)
  		UMA_CREATE(V_pf_pooladdr_pl,	struct pf_pooladdr, "pfpooladdrpl");
  		UMA_CREATE(V_pfr_ktable_pl,	struct pfr_ktable, "pfrktable");
  		UMA_CREATE(V_pfr_kentry_pl,	struct pfr_kentry, "pfrkentry");
 +		UMA_CREATE(V_pfr_kcounters_pl,	struct pfr_kcounters, "pfrkcounters");
  		UMA_CREATE(V_pf_frent_pl,	struct pf_frent, "pffrent");
  		UMA_CREATE(V_pf_frag_pl,	struct pf_fragment, "pffrag");
  		UMA_CREATE(V_pf_cache_pl,	struct pf_fragment, "pffrcache");
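Review bot: The `UMA_CREATE(V_pfr_kcounters_pl, ...)` line in pfattach() reaches stable/9 with this merge, but the PR was filed against 9.0-RELEASE and the log does not say what users of that release should do. A line in the log or release notes pointing to the workaround from the audit trail (drop `counters` from the table definition, then kill and recreate the table, or reboot) would cover them.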
 
 Modified: stable/9/sys/contrib/pf/net/pf_table.c
 ==============================================================================
 --- stable/9/sys/contrib/pf/net/pf_table.c	Fri Jun 29 12:08:26 2012	(r237775)
 +++ stable/9/sys/contrib/pf/net/pf_table.c	Fri Jun 29 12:11:31 2012	(r237776)
 @@ -179,7 +179,6 @@ struct pfr_walktree {
  VNET_DEFINE(uma_zone_t,			pfr_ktable_pl);
  VNET_DEFINE(uma_zone_t,			pfr_kentry_pl);
  VNET_DEFINE(uma_zone_t,			pfr_kcounters_pl);
 -#define	V_pfr_kcounters_pl		VNET(pfr_kcounters_pl)
  VNET_DEFINE(struct sockaddr_in,		pfr_sin);
  #define	V_pfr_sin			VNET(pfr_sin)
  VNET_DEFINE(struct sockaddr_in6,	pfr_sin6);
 
 Modified: stable/9/sys/contrib/pf/net/pfvar.h
 ==============================================================================
 --- stable/9/sys/contrib/pf/net/pfvar.h	Fri Jun 29 12:08:26 2012	(r237775)
 +++ stable/9/sys/contrib/pf/net/pfvar.h	Fri Jun 29 12:11:31 2012	(r237776)
 @@ -1868,6 +1868,8 @@ VNET_DECLARE(uma_zone_t,		 pfr_ktable_pl
  #define	V_pfr_ktable_pl			 VNET(pfr_ktable_pl)
  VNET_DECLARE(uma_zone_t,		 pfr_kentry_pl);
  #define	V_pfr_kentry_pl			 VNET(pfr_kentry_pl)
 +VNET_DECLARE(uma_zone_t,		 pfr_kcounters_pl);
 +#define	V_pfr_kcounters_pl		 VNET(pfr_kcounters_pl)
  VNET_DECLARE(uma_zone_t,		 pf_cache_pl);
  #define	V_pf_cache_pl			 VNET(pf_cache_pl)
  VNET_DECLARE(uma_zone_t,		 pf_cent_pl);
 
>Unformatted:
