[DragonFlyBSD - Bug #2660] Use of IPDIVERT causes kernel crashes

bugtracker-admin at leaf.dragonflybsd.org bugtracker-admin at leaf.dragonflybsd.org
Thu Apr 10 05:25:33 PDT 2014


Issue #2660 has been updated by shamaz.


2014-04-09 11:05 GMT+04:00 <bugtracker-admin at leaf.dragonflybsd.org>:

> Issue #2660 has been updated by tuxillo.
>
> Category set to Networking
> Status changed from New to In Progress
> Assignee set to tuxillo
> Target version set to 3.8.0
>
> Hi Vasily,
>
> The panic is caused by a null-pointer dereference, see below:
>
> #12 0xffffffff80673d22 in ip_input (m=m at entry=0xffffffe0f49ce800) at
> /usr/src/sys/netinet/ip_input.c:684
> 684             if (m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) {
>
> But rcvif is NULL:
>
> (kgdb) p m->M_dat.MH.MH_pkthdr->rcvif
> $3 = (struct ifnet *) 0x0
>
> I'm going to try to reproduce your setup.
>
> Cheers,
> Antonio Huete
>
>
>
> ----------------------------------------
> Bug #2660: Use of IPDIVERT causes kernel crashes
> http://bugs.dragonflybsd.org/issues/2660#change-11913
>
> * Author: shamaz
> * Status: In Progress
> * Priority: Normal
> * Assignee: tuxillo
> * Category: Networking
> * Target version: 3.8.0
> ----------------------------------------
> Hello. I was trying to set up NAT on DragonFly machine and got a crash. I
> have a following configuration:
>
> 1) Machine A with DragonFlyBSD 3.4
> 2) Machine B (the one which crashes) with DragonFlyBSD
> 3.6.1.24.gd9a9-RELEASE x86_64 (from git branch DragonFly_RELEASE_3_6)
> 3) Machine C is a vkernel machine hosted by B
>
> Machine B kernel was compiled with  following lines in config:
>
> IPFIREWALL
> IPFIREWALL_VERBOSE
> IPFIREWALL_VERBOSE_LIMIT=100
> IPFIREWALL_DEFAULT_TO_ACCEPT
> IPDIVERT
>
> Machine B has 2 network interfaces: nfe0 (with connection to A) and tap0
> (with connection to C) configured as follows:
>
> $ ifconfig nfe0 192.168.10.1 netmask 255.255.255.0 up (A has an address
> 192.168.10.2 assigned to re0 which is the interface on the other side)
> $ ifconfig tap0 192.168.20.1 netmask 255.255.255.0 up (C has an address
> 192.168.20.2 assigned to vke0)
>
> So I do as follows:
>
> On machine A:
> $ route add default 192.168.10.1
>
> On machine B:
> $ sysctl net.inet.ip.forwarding=1
> $ ipfw -f flush (accept all because of line in config)
> $ natd -interface tap0
> $ ipfw add 100 divert natd ip from any to any in via tap0
> $ ipfw add 110 divert natd ip from any to any out via tap0
>
> Again, on machine A:
> $ ping 192.168.20.2
>
> Machine B crashes. 100% repeatable
>
> Here is a part of the backtrace:
>
> #11 0xffffffff8092429f in calltrap ()
>     at /usr/src/sys/platform/pc64/x86_64/exception.S:188
> #12 0xffffffff80673d22 in ip_input (m=m at entry=0xffffffe0f49ce800)
>     at /usr/src/sys/netinet/ip_input.c:684
> #13 0xffffffff8066813a in div_output (control=<optimized out>,
>     sin=0xffffffe0f605a130, m=0xffffffe0f49ce800, so=0xffffffe0bf0ff7c0)
>     at /usr/src/sys/netinet/ip_divert.c:373
> #14 div_send (msg=0xffffffe0f54896a0) at
> /usr/src/sys/netinet/ip_divert.c:514
> #15 0xffffffff8061be6a in netmsg_service_loop (arg=<optimized out>)
>     at /usr/src/sys/net/netisr.c:319
> #16 0xffffffff80571c57 in lwkt_deschedule_self (td=<optimized out>)
>     at /usr/src/sys/kern/lwkt_thread.c:327
>
> Crash dump (129 Mb) is here:
> https://drive.google.com/uc?id=0B1NArWn4pLpxazAxYjJOQVRMeGM&export=download
>
>                  Vasily
>
>
>
> --
> You have received this notification because you have either subscribed to
> it, or are involved in it.
> To change your notification preferences, please click here:
> http://bugs.dragonflybsd.org/my/account
>

I've just found out in my little investigation, that this is an old bug
fixed in FreeBSD in 2004. Look at this commit:

https://github.com/freebsd/freebsd/commit/66acd3ba6eb9d3017cc3cdf36d1268749512dd82

So it is OK, that m->m_pkthdr.rcvif == NULL, all we need is just to check
it explicitly. I'll write if this solution works for me (it should)

----------------------------------------
Bug #2660: Use of IPDIVERT causes kernel crashes
http://bugs.dragonflybsd.org/issues/2660#change-11918

* Author: shamaz
* Status: In Progress
* Priority: Normal
* Assignee: tuxillo
* Category: Networking
* Target version: 3.8.0
----------------------------------------
Hello. I was trying to set up NAT on DragonFly machine and got a crash. I
have a following configuration:

1) Machine A with DragonFlyBSD 3.4
2) Machine B (the one which crashes) with DragonFlyBSD
3.6.1.24.gd9a9-RELEASE x86_64 (from git branch DragonFly_RELEASE_3_6)
3) Machine C is a vkernel machine hosted by B

Machine B kernel was compiled with  following lines in config:

IPFIREWALL
IPFIREWALL_VERBOSE
IPFIREWALL_VERBOSE_LIMIT=100
IPFIREWALL_DEFAULT_TO_ACCEPT
IPDIVERT

Machine B has 2 network interfaces: nfe0 (with connection to A) and tap0
(with connection to C) configured as follows:

$ ifconfig nfe0 192.168.10.1 netmask 255.255.255.0 up (A has an address
192.168.10.2 assigned to re0 which is the interface on the other side)
$ ifconfig tap0 192.168.20.1 netmask 255.255.255.0 up (C has an address
192.168.20.2 assigned to vke0)

So I do as follows:

On machine A:
$ route add default 192.168.10.1

On machine B:
$ sysctl net.inet.ip.forwarding=1
$ ipfw -f flush (accept all because of line in config)
$ natd -interface tap0
$ ipfw add 100 divert natd ip from any to any in via tap0
$ ipfw add 110 divert natd ip from any to any out via tap0

Again, on machine A:
$ ping 192.168.20.2

Machine B crashes. 100% repeatable

Here is a part of the backtrace:

#11 0xffffffff8092429f in calltrap ()
    at /usr/src/sys/platform/pc64/x86_64/exception.S:188
#12 0xffffffff80673d22 in ip_input (m=m at entry=0xffffffe0f49ce800)
    at /usr/src/sys/netinet/ip_input.c:684
#13 0xffffffff8066813a in div_output (control=<optimized out>,
    sin=0xffffffe0f605a130, m=0xffffffe0f49ce800, so=0xffffffe0bf0ff7c0)
    at /usr/src/sys/netinet/ip_divert.c:373
#14 div_send (msg=0xffffffe0f54896a0) at
/usr/src/sys/netinet/ip_divert.c:514
#15 0xffffffff8061be6a in netmsg_service_loop (arg=<optimized out>)
    at /usr/src/sys/net/netisr.c:319
#16 0xffffffff80571c57 in lwkt_deschedule_self (td=<optimized out>)
    at /usr/src/sys/kern/lwkt_thread.c:327

Crash dump (129 Mb) is here:
https://drive.google.com/uc?id=0B1NArWn4pLpxazAxYjJOQVRMeGM&export=download

                 Vasily



-- 
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://bugs.dragonflybsd.org/my/account



More information about the Bugs mailing list