From nobody Wed Apr 06 08:07:36 2022
X-Original-To: bugs@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id F32D51A9AF87
	for <bugs@mlmmj.nyi.freebsd.org>; Wed,  6 Apr 2022 08:07:36 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4KYHDm46V7z3PWW
	for <bugs@FreeBSD.org>; Wed,  6 Apr 2022 08:07:36 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 68FA61784E
	for <bugs@FreeBSD.org>; Wed,  6 Apr 2022 08:07:36 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
	by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 23687av0079623
	for <bugs@FreeBSD.org>; Wed, 6 Apr 2022 08:07:36 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
	by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 23687aD9079622
	for bugs@FreeBSD.org; Wed, 6 Apr 2022 08:07:36 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 263078] kernel core generated from ipfw_chk() function
Date: Wed, 06 Apr 2022 08:07:36 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: Unspecified
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: aadhya@cisco.com
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter
Message-ID: <bug-263078-227@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
List-Help: <mailto:freebsd-bugs+help@freebsd.org>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Subscribe: <mailto:freebsd-bugs+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-bugs+unsubscribe@freebsd.org>
Sender: owner-freebsd-bugs@freebsd.org
MIME-Version: 1.0
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1649232456;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=sfyLpgeU40gNHKKnvEWuhirJW5StfuGj2nWWfguoIvQ=;
	b=tZckRpEMv4AAspx6h+3bqvumv4iSoLY5H9S5DguV1iUgAlZogP1hQtc+mqBENqqrb9DhyI
	XTWRtDz5lFmj8Rpu42MATMm7IIPRsHMdPMQk5Afp+2OOmrAetRQuLvToTALtqUDeJZKhQm
	L3QACH3bbjnRhmEGgoLN4IVN+ThVMJr31xRL2O7HdyMJSFf9QrwXow80+e7WhiKuAYDw4/
	1GT+HdnRcObd1WLvG+foyjwI6ZjWPDwRyMU2dBar4k4bNWCAeUSJ1IQqrPFATmgs1ZzKeU
	KSKefQRlRuY6/9o9cJnvBegxsvttibOMFeCCxXhjVt2ooK4SpD3u2i+lfpv8Aw==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1649232456; a=rsa-sha256; cv=none;
	b=h51fvBreIn+3Oy1mtUQwLoyWhUHY2z1cN6CCwqXNmrUd3Iq/KdjL67WyjHfT1vKzkkWwzI
	1DR5XunYpJ6mllIKpBfeRgrplHaswh/VZwtRzX/b+XZEleBSQlXtdCxbqOBgXh9iUTi0GX
	zkcw8kJoH477Hlore2LGZSgyarjQ8xXwyW/rLm9jH0GgbKdNmPYDaZi+yhqAYM8RsuwbJw
	VtC8DkbKvkIyP7SeEp5YtYkD/WMsL677sfDpYa2rpi3YhfDoJIjXZXTtMVw2nWCC6nxiwM
	6H8bBtyuZ6eMEJs7MPgFZDpzdFiXwXzkKVolWbDsuLeCybZkFh3IiFDiJTu6IA==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
X-ThisMailContainsUnwantedMimeParts: N

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D263078

            Bug ID: 263078
           Summary: kernel core generated from ipfw_chk() function
           Product: Base System
           Version: Unspecified
          Hardware: arm64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: aadhya@cisco.com

We have observed kernel crash from ipfw_chk() function.

Environment :
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
hw.model: Intel(R) Xeon(R) Gold 5118 CPU @ 2.30GHz
hw.machine: amd64
hw.ncpu: 24
FreeBSD 11.2-RELEASE

Here is the BT :
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D

(kgdb) bt
#0  doadump (textdump=3D1) at pcpu.h:229
#1  0xffffffff80610f5b in kern_reboot (howto=3D260) at
../../../kern/kern_shutdown.c:395
#2  0xffffffff80611459 in vpanic (fmt=3D<value optimized out>, ap=3D<value
optimized out>)
    at ../../../kern/kern_shutdown.c:799
#3  0xffffffff80611193 in panic (fmt=3D<value optimized out>) at
../../../kern/kern_shutdown.c:719
#4  0xffffffff808967df in trap_fatal (frame=3D0xfffffe1049161250, eva=3D2) =
at
../../../amd64/amd64/trap.c:875
#5  0xffffffff80896839 in trap_pfault (frame=3D0xfffffe1049161250, usermode=
=3D0) at
pcpu.h:229
#6  0xffffffff80896028 in trap (frame=3D0xfffffe1049161250) at
../../../amd64/amd64/trap.c:415
#7  0xffffffff8087534e in calltrap () at ../../../amd64/amd64/exception.S:1=
99
#8  0xffffffff807a431f in ipfw_chk (args=3D<value optimized out>) at
../../../netpfil/ipfw/ip_fw2.c:1287
#9  0xffffffff807ac22f in ipfw_check_packet (arg=3D<value optimized out>,
m0=3D0xfffffe10491616d0,
    ifp=3D<value optimized out>, dir=3D1, inp=3D0x0) at
../../../netpfil/ipfw/ip_fw_pfil.c:149
#10 0xffffffff8071f9d4 in pfil_run_hooks (ph=3D0xffffffff8100e478, mp=3D<va=
lue
optimized out>, ifp=3D0xfffff8000becf000,
    dir=3D1, flags=3D0, inp=3D0x0) at ../../../net/pfil.c:116
#11 0xffffffff80742a99 in ip_input (m=3D0xfffff802dfad9600) at
../../../netinet/ip_input.c:601
#12 0xffffffff8071ea21 in netisr_dispatch_src (proto=3D1, source=3D<value o=
ptimized
out>, m=3D<value optimized out>)
    at ../../../net/netisr.c:1120
#13 0xffffffff80707132 in ether_demux (ifp=3D0xfffff8000becf000, m=3D<value
optimized out>)
    at ../../../net/if_ethersubr.c:884
#14 0xffffffff80708237 in ether_nh_input (m=3D<value optimized out>) at
../../../net/if_ethersubr.c:660
#15 0xffffffff8071ea21 in netisr_dispatch_src (proto=3D5, source=3D<value o=
ptimized
out>, m=3D<value optimized out>)
    at ../../../net/netisr.c:1120
#16 0xffffffff807074b6 in ether_input (ifp=3D<value optimized out>, m=3D0x0=
) at
../../../net/if_ethersubr.c:780
#17 0xffffffff803f2ecc in ixgbe_rxeof (que=3D0xfffff8000becac00) at
../../../dev/ixgbe/ix_txrx.c:1597
#18 0xffffffff803e72b6 in ixgbe_msix_que (arg=3D0xfffff8000becac00) at
../../../dev/ixgbe/if_ix.c:1960
#19 0xffffffff805e1d1f in intr_event_execute_handlers (p=3D<value optimized=
 out>,
ie=3D0xfffff8000baf8a00)
    at ../../../kern/kern_intr.c:1336
#20 0xffffffff805e23b7 in ithread_loop (arg=3D0xfffff8000bec3ac0) at
../../../kern/kern_intr.c:1349
#21 0xffffffff805df396 in fork_exit (callout=3D0xffffffff805e2300 <ithread_=
loop>,
arg=3D0xfffff8000bec3ac0,
    frame=3D0xfffffe1049161ac0) at ../../../kern/kern_fork.c:1054
#22 0xffffffff808761ee in fork_trampoline () at
../../../amd64/amd64/exception.S:951
#23 0x0000000000000000 in ?? ()
(kgdb)

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

After more investigation we observed that probably crash was happening due =
to
line 2706 (f =3D chain->map[f_pos];) in function ipfw_chk() of file
"netpfil/ipfw/ip_fw2.c".

--------------- code snippet below ---------------------------
                                case O_SKIPTO:
2692                                IPFW_INC_RULE_COUNTER(f, pktlen);
2693                                f_pos =3D JUMP(chain, f, cmd->arg1, tab=
learg,
0);
2694                                /*
2695                                 * Skip disabled rules, and re-enter
2696                                 * the inner loop with the correct
2697                                 * f_pos, f, l and cmd.
2698                                 * Also clear cmdlen and skip_or
2699                                 */
2700                                for (; f_pos < chain->n_rules - 1 &&
2701                                        (V_set_disable &
2702                                         (1 << chain->map[f_pos]->set));
2703                                        f_pos++)
2704                                    ;
2705                                /* Re-enter the inner loop at the skipto
rule. */
2706                                f =3D chain->map[f_pos];
2707                                l =3D f->cmd_len;
2708                                cmd =3D f->cmd;
2709                                match =3D 1;
2710                                cmdlen =3D 0;
2711                                skip_or =3D 0;
2712                                continue;
2713                                break;      /* not reached */
------------------------------------------------------

What could be the possible fix for this ?
I will update if similar crash is found in later version of FreeBSD.

--=20
You are receiving this mail because:
You are the assignee for the bug.=