On 21 Oct 2018, at 11:24, Andrey V. Elsukov wrote:
Author: ae
Date: Sun Oct 21 18:24:20 2018
New Revision: 339554
URL: https://svnweb.freebsd.org/changeset/base/339554
Log:
Rework if_ipsec(4) to use epoch(9) instead of rmlock.
* use CK_LIST and FNV hash to keep chains of softc;
* read access to softc is protected by epoch();
* write access is protected by ipsec_ioctl_sx. Changing of softc fields is allowed only when softc is unlinked from CK_LIST chains.
* linking/unlinking of softc is allowed only when ipsec_ioctl_sx is exclusive locked.
* the plain LIST of all softc is replaced by a hash table that uses ingress address of tunnels as a key.
* added support for appearing/disappearing of ingress address handling.
Now it is allowed to configure non-local ingress IP address, and thus the problem with if_ipsec(4) configuration that happens on boot, when ingress address is not yet configured, is solved.
MFC after: 1 month
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D17190
This panics during the pf tests.
To reproduce:
pkg install scapy
kldload pf
cd /usr/tests/sys/netpfil
kyua test
Fatal trap 9: general protection fault while in kernel mode
cpuid = 3; apic id = 03
instruction pointer = 0x20:0xffffffff80ca7260
stack pointer = 0x28:0xfffffe00954c4650
frame pointer = 0x28:0xfffffe00954c4660
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 3204 (jail)
[ thread pid 3204 tid 101409 ]
Stopped at ipsec_srcaddr+0x40: cmpl $0,ll+0xb(%rbx)
db> bt
Tracing pid 3204 tid 101409 td 0xfffff80084239580
ipsec_srcaddr() at ipsec_srcaddr+0x40/frame 0xfffffe00954c4660
srcaddr_change_event() at srcaddr_change_event+0x14d/frame 0xfffffe00954c46c0
in_difaddr_ioctl() at in_difaddr_ioctl+0x41f/frame 0xfffffe00954c4720
in_ifscrub_all() at in_ifscrub_all+0x13d/frame 0xfffffe00954c47a0
ip_destroy() at ip_destroy+0xbd/frame 0xfffffe00954c47c0
vnet_destroy() at vnet_destroy+0x124/frame 0xfffffe00954c47f0
prison_deref() at prison_deref+0x29d/frame 0xfffffe00954c4830
sys_jail_remove() at sys_jail_remove+0x28a/frame 0xfffffe00954c4880
amd64_syscall() at amd64_syscall+0x278/frame 0xfffffe00954c49b0
fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe00954c49b0
--- syscall (508, FreeBSD ELF64, sys_jail_remove), rip = 0x8003131ba,
rsp = 0x7fffffffe828, rbp = 0x7fffffffe8b0 ---
At that point %rbx is 0xdeadc0dedeadc0de, so presumably we’re trying
to dereference something that’s been freed already.
kgdb agrees. The softc has been freed:
#0 __curthread () at ./machine/pcpu.h:230
#1 doadump (textdump=0) at /usr/src/sys/kern/kern_shutdown.c:366
#2 0xffffffff804645db in db_dump (dummy=<optimized out>, dummy2=<unavailable>, dummy3=<unavailable>, dummy4=<unavailable>) at /usr/src/sys/ddb/db_command.c:574
#3 0xffffffff804643a9 in db_command (last_cmdp=<optimized out>, cmd_table=<optimized out>, dopager=<optimized out>) at /usr/src/sys/ddb/db_command.c:481
#4 0xffffffff80464124 in db_command_loop () at /usr/src/sys/ddb/db_command.c:534
#5 0xffffffff8046733f in db_trap (type=<optimized out>, code=<optimized out>) at /usr/src/sys/ddb/db_main.c:252
#6 0xffffffff80be5987 in kdb_trap (type=9, code=0, tf=0xfffffe00954c4590) at /usr/src/sys/kern/subr_kdb.c:693
#7 0xffffffff81072f51 in trap_fatal (frame=0xfffffe00954c4590, eva=0) at /usr/src/sys/amd64/amd64/trap.c:921
#8 0xffffffff8107244d in trap (frame=0xfffffe00954c4590) at /usr/src/sys/amd64/amd64/trap.c:217
#9 <signal handler called>
#10 ipsec_srcaddr (arg=<optimized out>, sa=0xfffff80023591298, event=<optimized out>) at /usr/src/sys/net/if_ipsec.c:784
#11 0xffffffff80d2de7d in srcaddr_change_event (arg=<optimized out>, ifp=0xfffff80057864800, ifa=0xfffff80023591200, event=1) at /usr/src/sys/netinet/ip_encap.c:181
#12 0xffffffff80d1ec4f in in_difaddr_ioctl (cmd=2149607705, data=<optimized out>, ifp=0xfffff80057864800, td=<optimized out>) at /usr/src/sys/netinet/in.c:651
#13 0xffffffff80d1f4cd in in_control (cmd=2149607705, ifp=<optimized out>, td=0xffffffff81b98600 <vnet_entry_ipsec4_srchtbl>, so=<optimized out>, data=<optimized out>) at /usr/src/sys/netinet/in.c:250
#14 in_ifscrub_all () at /usr/src/sys/netinet/in.c:935
#15 0xffffffff80d32dfd in ip_destroy (unused=<optimized out>) at /usr/src/sys/netinet/ip_input.c:398
#16 0xffffffff80ccd734 in vnet_sysuninit () at /usr/src/sys/net/vnet.c:597
#17 vnet_destroy (vnet=0xfffff80005d9c0c0) at /usr/src/sys/net/vnet.c:284
#18 0xffffffff80b64c0d in prison_deref (pr=0xffffffff81b0cc30 <prison0>, flags=23) at /usr/src/sys/kern/kern_jail.c:2634
#19 0xffffffff80b6620a in sys_jail_remove (td=<optimized out>, uap=<optimized out>) at /usr/src/sys/kern/kern_jail.c:2257
#20 0xffffffff81073b28 in syscallenter (td=0xfffff80084239580) at /usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:135
#21 amd64_syscall (td=0xfffff80084239580, traced=0) at /usr/src/sys/amd64/amd64/trap.c:1154
#22 <signal handler called>
#23 0x00000008003131ba in ?? ()
Backtrace stopped: Cannot access memory at address 0x7fffffffe828
(kgdb) fr 10
#10 ipsec_srcaddr (arg=<optimized out>, sa=0xfffff80023591298, event=<optimized out>) at /usr/src/sys/net/if_ipsec.c:784
784 if (sc->family == 0)
(kgdb) p sc
$1 = (struct ipsec_softc *) 0xdeadc0dedeadc0de
(kgdb)
Best regards,
Kristof
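The crash in this report is a lifetime bug: a softc that has already been freed is still reachable from the chain that the address-change callback walks while the vnet is being torn down. The C program below is an added illustration and is not if_ipsec(4) code or anything from the commit under discussion. It models the per-ingress-address chains with a small FNV-hashed table, simulates a free by stamping the object with the 0xdeadc0de trash pattern that showed up in %rbx, and contrasts a teardown that releases the object while it is still linked with one that unlinks it first. Every name in it (softc_release, srcaddr_change, buggy_teardown, fixed_teardown) and the sample address are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed userland model of the bug above, not FreeBSD code: an object
 * standing in for if_ipsec's softc stays reachable from a hash chain that
 * the address-change callback walks after the object was released. */

#define NBUCKETS 16
#define TRASH    0xdeadc0deu    /* freed-memory trash word seen in %rbx */

struct softc {
    uint32_t ingress;           /* tunnel ingress address, the hash key */
    uint32_t family;            /* 0 means the tunnel is not configured */
    struct softc *next;         /* hash chain link */
    int released;               /* model-only flag, set once "freed" */
};

static struct softc *htbl[NBUCKETS];

/* FNV-1a over the four address bytes; the commit also keys chains with FNV. */
static unsigned hash_addr(uint32_t a)
{
    uint32_t h = 2166136261u;
    for (int i = 0; i < 4; i++) {
        h ^= (a >> (8 * i)) & 0xffu;
        h *= 16777619u;
    }
    return h % NBUCKETS;
}

static void chain_insert(struct softc *sc)
{
    unsigned b = hash_addr(sc->ingress);
    sc->next = htbl[b];
    htbl[b] = sc;
}

static void chain_remove(struct softc *sc)
{
    struct softc **pp = &htbl[hash_addr(sc->ingress)];
    while (*pp != NULL && *pp != sc)
        pp = &(*pp)->next;
    if (*pp == sc)
        *pp = sc->next;
}

/* Simulated free: stamp the payload with trash like a freed kernel allocation.
 * The link is left intact only so the model can keep walking; a real free
 * trashes it too, which is how a wild pointer ends up in %rbx. */
static void softc_release(struct softc *sc)
{
    sc->ingress = TRASH;
    sc->family = TRASH;
    sc->released = 1;
}

/* Stand-in for the address-change callback: walk the chain for the address
 * that is disappearing and return how many objects touched were already
 * released, i.e. how many freed-memory dereferences the kernel would do. */
static int srcaddr_change(uint32_t addr)
{
    int uaf = 0;
    for (struct softc *sc = htbl[hash_addr(addr)]; sc != NULL; sc = sc->next) {
        if (sc->released) {     /* the kernel has no such guard; it faults here */
            uaf++;
            continue;
        }
        if (sc->ingress != addr)
            continue;
        if (sc->family == 0)    /* the test at if_ipsec.c:784 in the report */
            continue;
        /* a live tunnel whose ingress address vanished would be updated here */
    }
    return uaf;
}

static int teardown(int unlink_before_release)
{
    static struct softc sc;     /* static so the "freed" object stays addressable */
    const uint32_t ingress = 0xc0a80101u;   /* 192.168.1.1, constructed sample */

    memset(htbl, 0, sizeof(htbl));
    memset(&sc, 0, sizeof(sc));
    sc.ingress = ingress;
    sc.family = 2;              /* AF_INET */
    chain_insert(&sc);

    if (unlink_before_release)
        chain_remove(&sc);      /* correct order: unlink first, then free */
    softc_release(&sc);

    /* later the ingress address disappears (vnet teardown in the report) */
    return srcaddr_change(ingress);
}

int buggy_teardown(void) { return teardown(0); }   /* 1: a freed object was touched */
int fixed_teardown(void) { return teardown(1); }   /* 0: nothing stale in the chain */

int main(void)
{
    printf("release while linked: %d stale dereference(s)\n", buggy_teardown());
    printf("unlink then release:  %d stale dereference(s)\n", fixed_teardown());
    return 0;
}
```

The `released` check inside the walker is the only thing standing between this model and the page fault in frame #10; the kernel has no such flag and simply dereferences trash. Unlinking under ipsec_ioctl_sx, as the commit describes, is also only half of the ordering in the real driver: because readers walk the chains under epoch(9), the free additionally has to wait until every reader that may still hold a pointer to the softc has left its epoch section, which this single-threaded model cannot show.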