List: ipfilter
Subject: kernel panic with IPFilter 4.1.13 on FreeBSD-5.4-RELEASE-p13
From: "Simon A. Boggis" <s.a.boggis () qmul ! ac ! uk>
Date: 2006-04-24 21:51:37
Message-ID: 444D4869.7080300 () qmul ! ac ! uk
Hi All,
I've found a reproducible kernel panic with IPFilter 4.1.13 on
FreeBSD-5.4-RELEASE-p13 if I do 'ipf -Fa' and then
send some kind of packet (tried with TCP, UDP and ICMP).
For example, using the qemu emulator (I do get the same results on
real systems):
# ipf -Fa
# ipfstat -hio
0 # Builtin: call /0 out call function at 0xc16fdd40 scan *
10 # Builtin: pass out all
0 # Builtin: call /0 in call function at 0xc16fdba0 scan *
5 # Builtin: pass in all
# ping -c1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
kernel trap 12 with interrupts disabled
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0x104
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc051dbcd
stack pointer = 0x10:0xcd10d9c4
frame pointer = 0x10:0xcd10d9d0
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = IOPL = 0
current process = 746 (ping)
trap number = 12
panic: page fault
cpuid = 0
Uptime: 2m19s
Dumping 256 MB
16 32 48 ...
Running the generated crash dump through kgdb with a debugging
version of the same kernel yields:
# kgdb kernel.debug vmcore.1
[GDB will not be able to debug user-mode threads:
/usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and
you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "i386-marcel-freebsd".
#0 doadump () at pcpu.h:159
159 pcpu.h: No such file or directory.
in pcpu.h
(kgdb) bt
#0 doadump () at pcpu.h:159
#1 0xc05265cb in boot (howto=260) at
/usr/src/sys/kern/kern_shutdown.c:410
#2 0xc05268f1 in panic (fmt=0xc06c1b86 "%s")
at /usr/src/sys/kern/kern_shutdown.c:566
#3 0xc0690cb4 in trap_fatal (frame=0xcd10d984, eva=260)
at /usr/src/sys/i386/i386/trap.c:817
#4 0xc0690471 in trap (frame=
{tf_fs = 24, tf_es = 16, tf_ds = 16, tf_edi = -1046402816, tf_esi =
-1049633472, tf_ebp = -854533680, tf_isp = -854533712, tf_ebx = 0,
tf_edx = 0, tf_ecx = 0, tf_eax = 1, tf_trapno = 12, tf_err = 0, tf_eip =
-1068377139, tf_cs = 8, tf_eflags = 2, tf_esp = -1050312192, tf_ss =
-854533612})
at /usr/src/sys/i386/i386/trap.c:255
#5 0xc067ecea in calltrap () at /usr/src/sys/i386/i386/exception.s:140
#6 0x00000018 in ?? ()
#7 0x00000010 in ?? ()
#8 0x00000010 in ?? ()
#9 0xc1a12900 in ?? ()
#10 0xc16fdd40 in ?? ()
#11 0xcd10d9d0 in ?? ()
#12 0xcd10d9b0 in ?? ()
#13 0x00000000 in ?? ()
#14 0x00000000 in ?? ()
#15 0x00000000 in ?? ()
---Type <return> to continue, or q <return> to quit---
#16 0x00000001 in ?? ()
#17 0x0000000c in ?? ()
#18 0x00000000 in ?? ()
#19 0xc051dbcd in _mtx_lock_sleep (m=0xc16fdd40, td=0xc1a12900, opts=0,
file=0xc16fb56f
"/usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/fil.c",
line=2542) at /usr/src/sys/kern/kern_mutex.c:519
#20 0xc051da29 in _mtx_lock_flags (m=0x0, opts=0,
file=0xc16fb56f
"/usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/fil.c",
line=2542) at /usr/src/sys/kern/kern_mutex.c:273
#21 0xc16f4f08 in ?? ()
#22 0xc16fdd40 in ?? ()
#23 0x00000000 in ?? ()
#24 0xc16fb56f in ?? ()
#25 0x000009ee in ?? ()
#26 0x00000004 in ?? ()
#27 0xc16fdd40 in ?? ()
#28 0x00000000 in ?? ()
#29 0x00004002 in ?? ()
#30 0xc1663c00 in ?? ()
#31 0x01400004 in ?? ()
#32 0x00000000 in ?? ()
#33 0x0100007f in ?? ()
#34 0x00000000 in ?? ()
---Type <return> to continue, or q <return> to quit---
#35 0x00000000 in ?? ()
#36 0x00000000 in ?? ()
#37 0x0100007f in ?? ()
#38 0x00000000 in ?? ()
#39 0x00000000 in ?? ()
#40 0x00000000 in ?? ()
#41 0x00000000 in ?? ()
#42 0x00000000 in ?? ()
#43 0x00000000 in ?? ()
#44 0x00000000 in ?? ()
#45 0x02ea0008 in ?? ()
#46 0x00000001 in ?? ()
#47 0x00000000 in ?? ()
#48 0x00000014 in ?? ()
#49 0x00000000 in ?? ()
#50 0x00000000 in ?? ()
#51 0x00000000 in ?? ()
#52 0x00000000 in ?? ()
#53 0x00000000 in ?? ()
#54 0xc16fdd40 in ?? ()
#55 0xc16582c0 in ?? ()
#56 0x00000040 in ?? ()
#57 0x00000054 in ?? ()
---Type <return> to continue, or q <return> to quit---
#58 0x00000000 in ?? ()
#59 0x0000e602 in ?? ()
#60 0x00000000 in ?? ()
#61 0x00000033 in ?? ()
#62 0x00000000 in ?? ()
#63 0x00000000 in ?? ()
#64 0x00000000 in ?? ()
#65 0xc16582ac in ?? ()
#66 0xcd10dafc in ?? ()
#67 0xc1658200 in ?? ()
#68 0x00000000 in ?? ()
#69 0x00000000 in ?? ()
#70 0xc15c2860 in ?? ()
#71 0xc073a360 in ip_rsvpd ()
#72 0x00000002 in ?? ()
#73 0xcd10dadc in ?? ()
#74 0xc16f162a in ?? ()
#75 0xc16582ac in ?? ()
#76 0x00000014 in ?? ()
#77 0xc1663c00 in ?? ()
#78 0x00000001 in ?? ()
#79 0xcd10dafc in ?? ()
#80 0xcd10db0c in ?? ()
---Type <return> to continue, or q <return> to quit---
#81 0xc0599877 in pfil_run_hooks (ph=0xcd10da14, mp=0x14, ifp=0xc1663c00,
dir=-1050312020, inp=0xcd10dafc) at /usr/src/sys/net/pfil.c:137
Previous frame inner to this frame (corrupt stack?)
(kgdb) q
The system configuration is as follows:
# uname -ar
FreeBSD qemu 5.4-RELEASE-p13 FreeBSD 5.4-RELEASE-p13 #1: Thu Apr 6
11:58:10 UTC 2006 root@XXX:/usr/obj/usr/src/sys/CUSTOM_FWR_1-7 i386
# strings /boot/kernel/kernel | grep '^___[^_]' | sed 's/^___//' |
egrep -v '^#' | sed 's/#.*$//'
machine i386
cpu I686_CPU
ident CUSTOM_FWR_1-7
options SCHED_4BSD
options INET
options INET6
options FFS
options SOFTUPDATES
options UFS_ACL
options UFS_DIRHASH
options MD_ROOT
options MSDOSFS
options CD9660
options PROCFS
options PSEUDOFS
options GEOM_GPT
options COMPAT_43
options COMPAT_FREEBSD4
options SCSI_DELAY=5000
options KTRACE
options SYSVSHM
options SYSVMSG
options SYSVSEM
options _KPOSIX_PRIORITY_SCHEDULING
options KBD_INSTALL_CDEV
options AHC_REG_PRETTY_PRINT
options AHD_REG_PRETTY_PRINT
options ADAPTIVE_GIANT
device apic
options SMP
device isa
device pci
device fdc
device ata
device atadisk
device atapicd
options ATA_STATIC_ID
device ahc
device ahd
device mpt
device scbus
device ch
device da
device sa
device cd
device pass
device ses
device atkbdc
device atkbd
device psm
device vga
device splash
device sc
device agp
device npx
device pmtimer
device sio
device em
device ixgb
device miibus
device fxp
device ed
device loop
device mem
device io
device random
device ether
device sl
device ppp
device tun
device pty
device md
device gif
device faith
device bpf
options PANIC_REBOOT_WAIT_TIME=30
options INCLUDE_CONFIG_FILE
options IPSEC_FILTERGIF
options FAST_IPSEC
device crypto
options TCP_SIGNATURE
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ
options ALTQ_NOPCC
device carp
options HZ=1000
options IPX
options MROUTING
options PIM
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_FORWARD
options IPFIREWALL_FORWARD_EXTENDED
options IPV6FIREWALL
options IPV6FIREWALL_VERBOSE
options IPV6FIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
options IPSTEALTH
options TCPDEBUG
makeoptions DEBUG=-g
# ipf -V
ipf: IP Filter: v4.1.13 (416)
Kernel: IP Filter: v4.1.13
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x11f
# sysctl net.inet.ipf
net.inet.ipf.fr_flags: 0
net.inet.ipf.fr_pass: 134217730
net.inet.ipf.fr_active: 0
net.inet.ipf.fr_tcpidletimeout: 86400
net.inet.ipf.fr_tcphalfclosed: 14400
net.inet.ipf.fr_tcpclosewait: 480
net.inet.ipf.fr_tcplastack: 480
net.inet.ipf.fr_tcptimeout: 480
net.inet.ipf.fr_tcpclosed: 120
net.inet.ipf.fr_udptimeout: 240
net.inet.ipf.fr_udpacktimeout: 24
net.inet.ipf.fr_icmptimeout: 120
net.inet.ipf.fr_defnatage: 1200
net.inet.ipf.fr_ipfrttl: 120
net.inet.ipf.fr_running: 1
net.inet.ipf.fr_statesize: 5737
net.inet.ipf.fr_statemax: 4013
net.inet.ipf.ipf_nattable_sz: 2047
net.inet.ipf.ipf_natrules_sz: 127
net.inet.ipf.ipf_rdrrules_sz: 127
net.inet.ipf.ipf_hostmap_sz: 2047
net.inet.ipf.fr_authsize: 32
net.inet.ipf.fr_authused: 0
net.inet.ipf.fr_defaultauthage: 600
net.inet.ipf.fr_chksrc: 0
net.inet.ipf.fr_minttl: 4
# ipfstat -hio
0 # Builtin: call /0 out call function at 0xc16fdd40 scan *
10 # Builtin: pass out all
2 pass out quick on lo0 all
0 pass out quick proto icmp from any to any keep state
8 pass out quick proto udp from any to any keep state
0 pass out quick proto tcp from any to any flags S/FSRA keep state
0 block out all
0 # Builtin: call /0 in call function at 0xc16fdba0 scan *
5 # Builtin: pass in all
2 pass in quick on lo0 all
3 skip 1 in from any to 10.0.2.15/32
0 block in quick all
0 pass in quick proto icmp from 10.0.0.0/24 to any icmp-type echo keep
state
0 pass in quick proto tcp from 10.0.0.0/24 to any port = ssh flags
S/FSRA keep state
0 pass in quick proto tcp from 10.0.0.0/24 to any port = 22222 flags
S/FSRA keep state
3 pass in quick proto tcp from any to any port = ssh flags S/FSRA keep
state
0 block in log all
# ipfstat -6 -hio
empty list for ipfilter(out)
empty list for ipfilter(in)
# ipnat -l
List of active MAP/Redirect filters:
map ebr3 0.0.0.0/0 -> 0.0.0.0/0 proxy port ftp ftp/tcp
map ebr3 0.0.0.0/0 -> 0.0.0.0/0 proxy port shell rcmd/tcp
Simon
--
----------------------------------------------------------------------
Dr Simon A. Boggis Senior Network Analyst
Computing Services, Tel. 020 7882 7078
Queen Mary, University of London, London E1 4NS UK.
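
Added example, not part of the original post: a small Python triage helper that parses a FreeBSD fatal-trap report like the one above, flags a fault address inside the first page, and lists backtrace frames that received a NULL pointer argument. The function name `triage`, the regular expressions and the 4 KiB threshold are assumptions; the sample text is copied from the post.

```python
import re

# Sample lines copied from the post above (trap report plus three kgdb frames).
SAMPLE = """\
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x104
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc051dbcd
current process = 746 (ping)
#19 0xc051dbcd in _mtx_lock_sleep (m=0xc16fdd40, td=0xc1a12900, opts=0,
#20 0xc051da29 in _mtx_lock_flags (m=0x0, opts=0,
#81 0xc0599877 in pfil_run_hooks (ph=0xcd10da14, mp=0x14, ifp=0xc1663c00,
"""

# Assumption: 4 KiB pages; a fault below this is treated as NULL plus a small offset.
PAGE_SIZE = 4096

FIELD = re.compile(
    r"^(fault virtual address|fault code|instruction pointer|current process)"
    r"\s*=\s*(.+)$", re.M)
FRAME = re.compile(r"^#(\d+)\s+(0x[0-9a-f]+) in (\w+) \((.*)$", re.M)
NULL_ARG = re.compile(r"(\w+)=0x0+\b")  # pointer-style argument equal to zero


def triage(text):
    """Summarise a trap-12 report and its kgdb backtrace."""
    fields = {k: v.strip() for k, v in FIELD.findall(text)}
    fault = int(fields["fault virtual address"], 16)
    # "0x8:0xc051dbcd" is selector:offset; keep the offset.
    ip = int(fields["instruction pointer"].split(":")[1], 16)
    frames = [(int(n), int(pc, 16), fn, args)
              for n, pc, fn, args in FRAME.findall(text)]
    return {
        "fault_address": fault,
        "near_null": fault < PAGE_SIZE,
        "access": fields["fault code"],
        "process": fields["current process"],
        # Frame whose program counter equals the trapping instruction pointer.
        "faulting_function": next(
            (fn for _, pc, fn, _ in frames if pc == ip), None),
        # (frame number, function, argument name) for every NULL pointer argument.
        "null_args": [(n, fn, arg) for n, _, fn, args in frames
                      for arg in NULL_ARG.findall(args)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```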