RPI2 12.0-CURRENT r305028 bootup crash in pf
G. Paul Ziemba
pz-freebsd-arm at ziemba.us
Fri Sep 16 19:18:41 UTC 2016
> Stopped at pf_purge_expired_fragments+0x44: ldr r0, [r0, #0x004]
It looks as if this is a null pointer dereference in TAILQ_LAST.
1. The console message indicates stop at pf_purge_expired_fragments+0x44,
which is 0x24848 + 0x44 = 0x2488c
2. The various LDRs at 24884 - 24890 are the dereferences in the
TAILQ_LAST macro (definition included below).
3. 24894 is the NULL test called out in the C code at line 225, but it's
too late by then.
So, maybe pf_purge_expired_fragments() is called before V_pf_fragqueue
is initialized? I am not familiar enough with the pf code to know
how this should be fixed, but I'll have a look around and try to make
some guess.
---- from objdump output start ----
00024848 <pf_purge_expired_fragments>:
pf_purge_expired_fragments():
/v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:219
return (0);
}
void
pf_purge_expired_fragments(void)
{
struct pf_fragment *frag;
u_int32_t expire = time_uptime -
24864: e5904000 ldr r4, [r0]
24868: e5900004 ldr r0, [r0, #4]
/v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:222
V_pf_default_rule.timeout[PFTM_FRAG];
2486c: e59f00ac ldr r0, [pc, #172] ; 24920 <pf_purge_expired_fragments+0xd8>
24870: e59072a4 ldr r7, [r0, #676]
/v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:224
PF_FRAG_LOCK();
24874: e59f00a8 ldr r0, [pc, #168] ; 24924 <pf_purge_expired_fragments+0xdc>
24878: e2800010 add r0, r0, #16 ; 0x10
2487c: e58d0000 str r0, [sp]
24880: ebff810d bl 4cbc <pf_addr_cmp-0x228>
/v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:225
while ((frag = TAILQ_LAST(&V_pf_fragqueue, pf_fragqueue)) != NULL) {
24884: e59f60a0 ldr r6, [pc, #160] ; 2492c <pf_purge_expired_fragments+0xe4>
24888: e5960004 ldr r0, [r6, #4]
2488c: e5900004 ldr r0, [r0, #4]
24890: e5905000 ldr r5, [r0]
24894: e3550000 cmp r5, #0 ; 0x0
24898: 0a000018 beq 24900 <pf_purge_expired_fragments+0xb8>
/v2/Source/public/freebsd/pi/crochet/src/sys/modules/pf/../../netpfil/pf/pf_norm.c:221
---- from objdump output end ----
---- from sys/queue.h start ----
#define TAILQ_LAST(head, headname) \
(*(((struct headname *)((head)->tqh_last))->tqh_last))
---- from sys/queue.h end ----
--
G. Paul Ziemba
FreeBSD unix:
12:16PM up 26 days, 14:55, 12 users, load averages: 1.51, 1.98, 1.86
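Added illustration, not part of the original post and not code from the FreeBSD pf sources: a user-space C program that copies the BSD TAILQ macros inline (the TAILQ_LAST definition is the one quoted above) and reproduces the dereference chain the disassembly shows. The point it demonstrates is the one made in item 3: TAILQ_LAST loads head->tqh_last, then loads ->tqh_last through that pointer, and only the final value reaches the `!= NULL` test in the while condition, so a zero-filled (never TAILQ_INIT'ed) head faults on the second load before any check runs. The names `struct frag`, `fragqueue_initialized`, `fragqueue_last_safe` and `purge_from_tail` are hypothetical stand-ins for pf_fragment, V_pf_fragqueue and the purge loop; the guard on tqh_last is shown for explanation, not as a proposed pf fix.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TAILQ macros equivalent to the BSD sys/queue.h definitions, copied inline
 * so the program builds on any libc. TAILQ_LAST is the macro from the post. */
#define TAILQ_HEAD(name, type) \
        struct name { struct type *tqh_first; struct type **tqh_last; }
#define TAILQ_ENTRY(type) \
        struct { struct type *tqe_next; struct type **tqe_prev; }
#define TAILQ_INIT(head) do { \
        (head)->tqh_first = NULL; (head)->tqh_last = &(head)->tqh_first; } while (0)
#define TAILQ_INSERT_TAIL(head, elm, field) do { \
        (elm)->field.tqe_next = NULL; (elm)->field.tqe_prev = (head)->tqh_last; \
        *(head)->tqh_last = (elm); (head)->tqh_last = &(elm)->field.tqe_next; } while (0)
#define TAILQ_REMOVE(head, elm, field) do { \
        if ((elm)->field.tqe_next != NULL) \
                (elm)->field.tqe_next->field.tqe_prev = (elm)->field.tqe_prev; \
        else \
                (head)->tqh_last = (elm)->field.tqe_prev; \
        *(elm)->field.tqe_prev = (elm)->field.tqe_next; } while (0)
#define TAILQ_LAST(head, headname) \
        (*(((struct headname *)((head)->tqh_last))->tqh_last))

/* Hypothetical stand-in for struct pf_fragment / pf_fragqueue. */
struct frag {
        int id;
        TAILQ_ENTRY(frag) entry;
};
TAILQ_HEAD(fragqueue, frag);

/* After TAILQ_INIT, tqh_last points at a "next" slot (initially &tqh_first).
 * A zero-filled head has tqh_last == NULL, and TAILQ_LAST would fault while
 * loading ((struct fragqueue *)NULL)->tqh_last, i.e. the second ldr in the
 * disassembly, before the caller's NULL comparison is reached. */
int fragqueue_initialized(const struct fragqueue *q)
{
        return q->tqh_last != NULL;
}

/* Hypothetical guarded variant: never expands TAILQ_LAST on an unset head. */
struct frag *fragqueue_last_safe(struct fragqueue *q)
{
        if (!fragqueue_initialized(q))
                return NULL;
        return TAILQ_LAST(q, fragqueue);
}

/* Tail-first removal loop shaped like the purge loop in the post. Records the
 * ids removed, in order; returns the count, or -1 for an uninitialized head. */
int purge_from_tail(struct fragqueue *q, int *ids_out, int max)
{
        struct frag *f;
        int n = 0;

        if (!fragqueue_initialized(q))
                return -1;
        while (n < max && (f = TAILQ_LAST(q, fragqueue)) != NULL) {
                ids_out[n++] = f->id;
                TAILQ_REMOVE(q, f, entry);
        }
        return n;
}

/* Scenario 1: head zero-filled, as a BSS global is before its init routine runs.
 * Returns 1 when the guard refuses to dereference it. */
int scenario_uninitialized_head(void)
{
        struct fragqueue q;

        memset(&q, 0, sizeof q);
        /* TAILQ_LAST(&q, fragqueue) here would be the crash from the post. */
        return !fragqueue_initialized(&q) && fragqueue_last_safe(&q) == NULL
            && purge_from_tail(&q, NULL, 0) == -1;
}

/* Scenario 2: initialized head with three elements; purge runs tail first.
 * Returns the removed ids packed as decimal digits (321 for ids 3,2,1),
 * -2 if TAILQ_LAST on the freshly initialized empty queue is not NULL,
 * -1 if the loop reports an uninitialized head. */
int scenario_purge_order(void)
{
        struct fragqueue q;
        struct frag a = { 1 }, b = { 2 }, c = { 3 };
        int ids[3], n;

        TAILQ_INIT(&q);
        if (TAILQ_LAST(&q, fragqueue) != NULL)
                return -2;
        TAILQ_INSERT_TAIL(&q, &a, entry);
        TAILQ_INSERT_TAIL(&q, &b, entry);
        TAILQ_INSERT_TAIL(&q, &c, entry);
        n = purge_from_tail(&q, ids, 3);
        if (n != 3)
                return n;
        return ids[0] * 100 + ids[1] * 10 + ids[2];
}

int main(void)
{
        printf("uninitialized head caught by guard: %d\n", scenario_uninitialized_head());
        printf("purge order (tail first, packed): %d\n", scenario_purge_order());
        return 0;
}
```

The empty-queue case works only because TAILQ_INIT makes tqh_last point back into the head itself, so the cast in TAILQ_LAST lands on the head's own tqh_last field; a head that was never initialized has no such self-reference, which is why a guard or an earlier TAILQ_INIT, rather than the existing `!= NULL` test, is what decides whether the macro is safe to expand.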