Page fault in pf_find_state

YONETANI Tomokazu qhwt.dfly at les.ath.cx
Fri Jan 7 18:03:01 PST 2011


Hi.
It appears that `m->m_pkthdr.pf.statekey = NULL' is missing in a few places
on the IPv6 paths (I'm not actively using IPv6, but it is enabled on this
machine and an address is configured anyway):

diff --git a/sys/net/pf/pf.c b/sys/net/pf/pf.c
index 770f5f8..74e7c65 100644
--- a/sys/net/pf/pf.c
+++ b/sys/net/pf/pf.c
@@ -5605,6 +5605,8 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
 	if (r->rt == PF_FASTROUTE) {
 		m0->m_pkthdr.fw_flags |= PF_MBUF_TAGGED;
 		m0->m_pkthdr.pf.flags = 0;
+		/* XXX Re-Check when Upgrading to > 4.4 */
+		m0->m_pkthdr.pf.statekey = NULL;
 		ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);
 		return;
 	}
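Review bot: The comment on the added line `/* XXX Re-Check when Upgrading to > 4.4 */` says when to revisit but not what the line protects, so a later reader cannot tell whether the reset is still needed; name the invariant instead, e.g. `/* pf_find_state() dereferences statekey when non-NULL and the header may carry a stale value here, so reset it */`. The same comment in the pf_test6 hunk below is spelled differently (`Re-Check when updating to > 4.4`, without the XXX marker); the two should match so a grep for one finds both. pf_route6 starts and continues outside the hunk.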
@@ -6187,6 +6189,8 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
 	if (m->m_pkthdr.fw_flags & PF_MBUF_TAGGED)
 		return (PF_PASS);
 	m->m_pkthdr.pf.flags = 0;
+	/* Re-Check when updating to > 4.4 */
+	m->m_pkthdr.pf.statekey = NULL;
 
 	/* We do IP header normalization and packet reassembly here */
 	if (pf_normalize_ip6(m0, dir, kif, &reason, &pd) != PF_PASS) {
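Review bot: The reset is placed after the PF_MBUF_TAGGED early return, so a tagged mbuf entering pf_test6 keeps whatever statekey value its header holds; that is presumably safe only because every path that tags also clears statekey, as the pf_route6 hunk now does, and that dependency should be stated in the comment rather than the version note. The mbuf dump in the report shows fw_flags = 0 together with statekey = 0x17, i.e. the pf block was never marked valid with PF_MBUF_STRUCTURE yet pf_find_state trusts the pointer; the per-path reset fixes the reported crash, but the consumer in pf_find_state (outside this hunk) could also guard the dereference, e.g. `if (dir == PF_OUT && (m->m_pkthdr.fw_flags & PF_MBUF_STRUCTURE) && m->m_pkthdr.pf.statekey && ...)`, assuming that flag is set wherever pf fills the structure — worth confirming before relying on it. pf_test6's body continues beyond the hunk.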

My /etc/pf.conf looks like this:
  ext_if="re0"
  nat log on $ext_if inet from 127.1/16 to !($ext_if) -> ($ext_if)

Here's the backtrace:
  #9  0xffffffff80c814c2 in pf_find_state (kif=0xffffffe035c022a8,
      key=0xffffffe030d597d0, dir=2, m=0xffffffe05c2b3000)
      at /usr/src/sys/net/pf/pf.c:883
  #10 0xffffffff80c81a26 in pf_test_state_icmp (state=0xffffffe030d59940,
      direction=2, kif=0xffffffe035c022a8, m=0xffffffe05c2b3000, off=48,
      h=<value optimized out>, pd=0xffffffe030d598c0, reason=0xffffffe030d5995c)
      at /usr/src/sys/net/pf/pf.c:4570
  #11 0xffffffff80c8798f in pf_test6 (dir=2, ifp=<value optimized out>,
      m0=0xffffffe030d599d0, eh=<value optimized out>, inp=0x0)
      at /usr/src/sys/net/pf/pf.c:6361
  #12 0xffffffff80c8ba4c in pf_check6_out (arg=<value optimized out>,
      m=0xffffffe030d599d0, ifp=0xffffffe035b70e70, dir=<value optimized out>)
      at /usr/src/sys/net/pf/pf_ioctl.c:3158
  #13 0xffffffff8033489c in pfil_run_hooks (ph=<value optimized out>,
      mp=0xffffffe030d59b60, ifp=0xffffffe035b70e70, dir=2)
      at /usr/src/sys/net/pfil.c:116
  #14 0xffffffff80373b64 in ip6_output (m0=<value optimized out>,
      opt=0xffffffff80834e40, ro=0xffffffe030d59b30, flags=0,
      im6o=0xffffffe030d59be0, ifpp=0xffffffe030d59bd8, inp=0x0)
      at /usr/src/sys/netinet6/ip6_output.c:884
  #15 0xffffffff80379101 in mld6_sendpkt (in6m=0xffffffe035dd7ec0, type=131,
      dst=0x0) at /usr/src/sys/netinet6/mld6.c:452
  #16 0xffffffff8037933c in mld6_fasttimeo () at /usr/src/sys/netinet6/mld6.c:362
  #17 0xffffffff80363e5c in icmp6_fasttimo ()
      at /usr/src/sys/netinet6/icmp6.c:2122
  #18 0xffffffff802e4b24 in pffasttimo (arg=0xffffffe035c022a8)
      at /usr/src/sys/kern/uipc_domain.c:268

(kgdb) fr 9
#9  0xffffffff80c814c2 in pf_find_state (kif=0xffffffe035c022a8,
    key=0xffffffe030d597d0, dir=2, m=0xffffffe05c2b3000)
    at /usr/src/sys/net/pf/pf.c:883
883             if (dir == PF_OUT && m->m_pkthdr.pf.statekey &&
(kgdb) l
878             struct pf_state_key     *sk;
879             struct pf_state_item    *si;
880
881             pf_status.fcounters[FCNT_STATE_SEARCH]++;
882
883             if (dir == PF_OUT && m->m_pkthdr.pf.statekey &&
884                 ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->reverse)
885                     sk = ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->reverse;
886             else {
887                     if ((sk = RB_FIND(pf_state_tree, &pf_statetbl,
(kgdb) p m->m_pkthdr
There is no member named m_pkthdr.
(kgdb) shell grep m_pkthdr /sys/sys/mbuf.h
#define m_pkthdr        M_dat.MH.MH_pkthdr
 * Flags copied when copying m_pkthdr.
#define PF_MBUF_STRUCTURE       0x00000002      /* m_pkthdr.pf valid */
                _mm->m_pkthdr.len += _mplen;                            \
(kgdb) p m->M_dat.MH.MH_pkthdr
$1 = {rcvif = 0x0, len = 72, tags = {slh_first = 0x0}, header = 0x0,
  csum_flags = 0, csum_data = 0, fw_flags = 0, pf = {hdr = 0x0,
    statekey = 0x17, rtableid = 0, qid = 0, tag = 0, flags = 0 '\000',
    routed = 0 '\000', state_hash = 0, ecn_af = 0 '\000', unused01 = 0 '\000',
    unused02 = 0 '\000', unused03 = 0 '\000'}, ether_vlantag = 0, hash = 0,
  wlan_seqno = 0}

Cheers.




