Hello,

On Mon, Aug 22, 2022 at 08:45:29PM +0200, Alexander Bluhm wrote:
> Hi,
> 
> Hrvoje managed to crash the kernel in pf fragment reassembly.
> 
> > r620-1# pfctl -e
> > pf enabled
> > r620-1# pfctl -f /etc/pf.conf
> > uvm_fault(0xffffffff824b9278, 0xb7, 0, 2) -> e
> > kernel: page fault trap, code=0
> > Stopped at      pf_free_fragment+0x77:  movq    %rax,0xb8(%rcx)
> >     TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
> >  350110  79921      0    0x100003          0    2K tcpbench
> > *301306  98239      0     0x14000      0x200    4  softnet
> >   55791   2358      0     0x14000      0x200    3  softnet
> >  176238  13130      0     0x14000      0x200    1  softnet
> >   66977  54316      0     0x14000      0x200    5  systq
> >  165986  42679      0     0x14000 0x40000200    0  softclock
> > pf_free_fragment(fffffd83a5022010) at pf_free_fragment+0x77
> > pf_create_fragment(ffff800022d717ce) at pf_create_fragment+0xc8
> > pf_reassemble6(ffff800022d71708,ffff800022d71648,30,0,1,ffff800022d717ce) at
> > pf_reassemble6+0x51
> > pf_normalize_ip6(ffff800022d716c8,ffff800022d717ce) at pf_normalize_ip6+0x8a
> > pf_test(18,1,ffff800000095048,ffff800022d71978) at pf_test+0x30d
> > ip6_input_if(ffff800022d71978,ffff800022d71984,29,0,ffff800000095048) at
> > ip6_input_if+0x1ae
> > ipv6_input(ffff800000095048,fffffd80a3f1dc00) at ipv6_input+0x39
> > ether_input(ffff800000095048,fffffd80a3f1dc00) at ether_input+0x3b1
> > if_input_process(ffff800000095048,ffff800022d71a68) at if_input_process+0x6f
> > ifiq_process(ffff800000099900) at ifiq_process+0x69
> > taskq_thread(ffff800000032200) at taskq_thread+0x11a
> > end trace frame: 0x0, count: 4
> > https://www.openbsd.org/ddb.html     describes the minimum info required in
> > bug reports.  Insufficient info makes it difficult to find and fix bugs.
> > ddb{4}>
> 
> It crashes here in pf_free_fragment()
>    266          TAILQ_REMOVE(&pf_fragqueue, frag, frag_next);
> 
> Putting a pf frag lock into pf_create_fragment() around
> pf_flush_fragments() does not look sufficient.  The pf_nfrents++
> also needs protection.  So I moved the lock around pf_reassemble().
> 
> ok?
> 

    Fix looks good to me.
    Thanks for taking care of it.

OK sashan
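The point made in the quoted message, that a lock taken only around pf_flush_fragments() is not enough because the pf_nfrents++ must sit in the same critical section as the queue operations, as an added C example that is not part of this thread or of OpenBSD's pf. It models the fragment queue and its counter in userland with pthreads; the lock name frag_mtx, the flush limit and the helper names are assumptions made for the example, and the "unlocked" variant only moves the counter increment outside the lock (the queue itself stays locked, so the model drifts instead of crashing in TAILQ_REMOVE the way the trace above does).

```c
/* Added example, not OpenBSD's pf code: a model of the pf fragment queue and
 * the pf_nfrents counter with the invariant nfrents == queue length.  The
 * lock name frag_mtx, the flush limit and the helper names are assumptions. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/queue.h>

struct frag { TAILQ_ENTRY(frag) frag_next; };

static TAILQ_HEAD(fraghead, frag) fragqueue;
static int nfrents;			/* stands in for pf_nfrents */
static const int frag_limit = 64;	/* flush threshold for the model */
static pthread_mutex_t frag_mtx = PTHREAD_MUTEX_INITIALIZER;

/* Unlink and free one fragment.  Caller holds frag_mtx. */
static void frag_free_locked(struct frag *f)
{
	TAILQ_REMOVE(&fragqueue, f, frag_next);
	nfrents--;
	free(f);
}

/* Drop the oldest fragments while at the limit.  Caller holds frag_mtx. */
static void frag_flush_locked(void)
{
	struct frag *f;
	while (nfrents >= frag_limit && (f = TAILQ_FIRST(&fragqueue)) != NULL)
		frag_free_locked(f);
}

/* Queue a new fragment.  With locked != 0 one critical section covers the
 * flush, the insert and the increment, as taking the lock around reassembly
 * does.  With locked == 0 nfrents++ runs outside the lock and races the
 * nfrents-- in frag_free_locked() on another thread. */
static void frag_create(int locked)
{
	struct frag *f = malloc(sizeof(*f));
	if (f == NULL)
		abort();
	pthread_mutex_lock(&frag_mtx);
	frag_flush_locked();
	TAILQ_INSERT_TAIL(&fragqueue, f, frag_next);
	if (locked)
		nfrents++;
	pthread_mutex_unlock(&frag_mtx);
	if (!locked)
		nfrents++;		/* the unprotected update */
}

struct worker_arg { int n, locked; };

static void *worker(void *arg)
{
	struct worker_arg *w = arg;
	for (int i = 0; i < w->n; i++)
		frag_create(w->locked);
	return NULL;
}

/* Run nthreads (<= 16) workers that each queue n fragments, then check the
 * invariant and tear down.  Returns 1 if nfrents equalled the queue length
 * after the run and is 0 after teardown, else 0. */
int run_stress(int nthreads, int n, int locked)
{
	pthread_t tid[16];
	struct worker_arg args[16];
	struct frag *f;
	int i, len = 0, ok;
	if (nthreads > 16) nthreads = 16;
	TAILQ_INIT(&fragqueue);
	nfrents = 0;
	for (i = 0; i < nthreads; i++) {
		args[i].n = n;
		args[i].locked = locked;
		pthread_create(&tid[i], NULL, worker, &args[i]);
	}
	for (i = 0; i < nthreads; i++)
		pthread_join(tid[i], NULL);
	pthread_mutex_lock(&frag_mtx);
	TAILQ_FOREACH(f, &fragqueue, frag_next)
		len++;
	ok = len == nfrents;
	while ((f = TAILQ_FIRST(&fragqueue)) != NULL)
		frag_free_locked(f);
	ok = ok && nfrents == 0;
	pthread_mutex_unlock(&frag_mtx);
	return ok;
}

int main(void)
{
	printf("whole operation locked: invariant %s\n", run_stress(4, 20000, 1) ? "held" : "broken");
	printf("counter outside lock:   invariant %s\n", run_stress(4, 20000, 0) ? "held" : "broken");
	return 0;
}
```

With several threads the locked variant keeps nfrents equal to the queue length; the variant that increments outside the lock usually reports the invariant broken after a few thousand iterations, though a lost update is not guaranteed on any particular run. With a single thread both variants pass, which is the point of the fix: the defect is a race between paths that each look correct on their own, so the lock has to cover every reader and writer of the counter and the queue, not just the flush.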
