[Bug 263078] kernel core generated from ipfw_chk() function

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 06 Apr 2022 08:07:36 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263078

            Bug ID: 263078
           Summary: kernel core generated from ipfw_chk() function
           Product: Base System
           Version: Unspecified
          Hardware: arm64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: aadhya@cisco.com

We have observed a kernel crash in the ipfw_chk() function.

Environment:
===================
hw.model: Intel(R) Xeon(R) Gold 5118 CPU @ 2.30GHz
hw.machine: amd64
hw.ncpu: 24
FreeBSD 11.2-RELEASE

Here is the BT:
===========================

(kgdb) bt
#0  doadump (textdump=1) at pcpu.h:229
#1  0xffffffff80610f5b in kern_reboot (howto=260) at ../../../kern/kern_shutdown.c:395
#2  0xffffffff80611459 in vpanic (fmt=<value optimized out>, ap=<value optimized out>) at ../../../kern/kern_shutdown.c:799
#3  0xffffffff80611193 in panic (fmt=<value optimized out>) at ../../../kern/kern_shutdown.c:719
#4  0xffffffff808967df in trap_fatal (frame=0xfffffe1049161250, eva=2) at ../../../amd64/amd64/trap.c:875
#5  0xffffffff80896839 in trap_pfault (frame=0xfffffe1049161250, usermode=0) at pcpu.h:229
#6  0xffffffff80896028 in trap (frame=0xfffffe1049161250) at ../../../amd64/amd64/trap.c:415
#7  0xffffffff8087534e in calltrap () at ../../../amd64/amd64/exception.S:199
#8  0xffffffff807a431f in ipfw_chk (args=<value optimized out>) at ../../../netpfil/ipfw/ip_fw2.c:1287
#9  0xffffffff807ac22f in ipfw_check_packet (arg=<value optimized out>, m0=0xfffffe10491616d0, ifp=<value optimized out>, dir=1, inp=0x0) at ../../../netpfil/ipfw/ip_fw_pfil.c:149
#10 0xffffffff8071f9d4 in pfil_run_hooks (ph=0xffffffff8100e478, mp=<value optimized out>, ifp=0xfffff8000becf000, dir=1, flags=0, inp=0x0) at ../../../net/pfil.c:116
#11 0xffffffff80742a99 in ip_input (m=0xfffff802dfad9600) at ../../../netinet/ip_input.c:601
#12 0xffffffff8071ea21 in netisr_dispatch_src (proto=1, source=<value optimized out>, m=<value optimized out>) at ../../../net/netisr.c:1120
#13 0xffffffff80707132 in ether_demux (ifp=0xfffff8000becf000, m=<value optimized out>) at ../../../net/if_ethersubr.c:884
#14 0xffffffff80708237 in ether_nh_input (m=<value optimized out>) at ../../../net/if_ethersubr.c:660
#15 0xffffffff8071ea21 in netisr_dispatch_src (proto=5, source=<value optimized out>, m=<value optimized out>) at ../../../net/netisr.c:1120
#16 0xffffffff807074b6 in ether_input (ifp=<value optimized out>, m=0x0) at ../../../net/if_ethersubr.c:780
#17 0xffffffff803f2ecc in ixgbe_rxeof (que=0xfffff8000becac00) at ../../../dev/ixgbe/ix_txrx.c:1597
#18 0xffffffff803e72b6 in ixgbe_msix_que (arg=0xfffff8000becac00) at ../../../dev/ixgbe/if_ix.c:1960
#19 0xffffffff805e1d1f in intr_event_execute_handlers (p=<value optimized out>, ie=0xfffff8000baf8a00) at ../../../kern/kern_intr.c:1336
#20 0xffffffff805e23b7 in ithread_loop (arg=0xfffff8000bec3ac0) at ../../../kern/kern_intr.c:1349
#21 0xffffffff805df396 in fork_exit (callout=0xffffffff805e2300 <ithread_loop>, arg=0xfffff8000bec3ac0, frame=0xfffffe1049161ac0) at ../../../kern/kern_fork.c:1054
#22 0xffffffff808761ee in fork_trampoline () at ../../../amd64/amd64/exception.S:951
#23 0x0000000000000000 in ?? ()
(kgdb)

===============================================

After more investigation we observed that the crash was probably happening at
line 2706 (f = chain->map[f_pos];) in the function ipfw_chk() of the file
"netpfil/ipfw/ip_fw2.c".

--------------- code snippet below ---------------------------
                                case O_SKIPTO:
2692                                IPFW_INC_RULE_COUNTER(f, pktlen);
2693                                f_pos = JUMP(chain, f, cmd->arg1, tablearg, 0);
2694                                /*
2695                                 * Skip disabled rules, and re-enter
2696                                 * the inner loop with the correct
2697                                 * f_pos, f, l and cmd.
2698                                 * Also clear cmdlen and skip_or
2699                                 */
2700                                for (; f_pos < chain->n_rules - 1 &&
2701                                        (V_set_disable &
2702                                         (1 << chain->map[f_pos]->set));
2703                                        f_pos++)
2704                                    ;
2705                                /* Re-enter the inner loop at the skipto rule. */
2706                                f = chain->map[f_pos];
2707                                l = f->cmd_len;
2708                                cmd = f->cmd;
2709                                match = 1;
2710                                cmdlen = 0;
2711                                skip_or = 0;
2712                                continue;
2713                                break;      /* not reached */
------------------------------------------------------

What could be the possible fix for this?
I will update if a similar crash is found in a later version of FreeBSD.
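Added illustration, not part of the report and not FreeBSD code: the skip-disabled-rules loop from the snippet above, modelled in user space over a constructed four-rule chain, beside a variant that validates f_pos and the map slot before dereferencing them. The trimmed structures, the sample chain and the checked variant are assumptions of this example; the report does not say what value f_pos had when the crash occurred.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-ins for the kernel structures with only the fields the loop touches
 * (constructed for this example, not the real struct layouts). */
struct ip_fw {
    uint8_t set;        /* rule set number, tested against set_disable */
    int     cmd_len;
};
struct ip_fw_chain {
    struct ip_fw **map; /* rules in rule-number order */
    int n_rules;        /* default rule lives at map[n_rules - 1] */
};

/* The loop as written on the page: it stops as soon as f_pos reaches
 * n_rules - 1 and the caller then uses map[f_pos] unconditionally.
 * Returns the index that would be dereferenced for f. */
int skipto_resolve(const struct ip_fw_chain *chain, int f_pos, uint32_t set_disable)
{
    for (; f_pos < chain->n_rules - 1 &&
           (set_disable & (1u << chain->map[f_pos]->set));
         f_pos++)
        ;
    return f_pos;
}

/* Defensive variant (an assumption of this example, not a FreeBSD patch):
 * an index outside the map, or a NULL slot, is reported as -1 instead of
 * being dereferenced. */
int skipto_resolve_checked(const struct ip_fw_chain *chain, int f_pos, uint32_t set_disable)
{
    if (f_pos < 0 || f_pos >= chain->n_rules)
        return -1;
    for (; f_pos < chain->n_rules - 1; f_pos++) {
        if (chain->map[f_pos] == NULL)
            return -1;
        if (!(set_disable & (1u << chain->map[f_pos]->set)))
            break;
    }
    return chain->map[f_pos] == NULL ? -1 : f_pos;
}

/* Constructed sample chain: rules in sets 0, 1, 1 and the default rule (set 0). */
const struct ip_fw_chain *sample_chain(void)
{
    static struct ip_fw r[4] = { {0, 1}, {1, 1}, {1, 1}, {0, 1} };
    static struct ip_fw *map[4] = { &r[0], &r[1], &r[2], &r[3] };
    static const struct ip_fw_chain chain = { map, 4 };
    return &chain;
}
```

With set 1 disabled, a jump landing on index 1 is advanced past both set-1 rules to the default rule at index 3; an f_pos of 4 or more is the case the page's loop guard never examines.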
