>Synopsis: PF crash with -current
>Category: network
>Environment:
System : OpenBSD 6.9
Details : OpenBSD 6.9-current (GENERIC) #787: Wed Apr 28 10:12:43 MDT 2021
[email protected]:/usr/src/sys/arch/i386/compile/GENERIC
Architecture: OpenBSD.i386
Machine : i386
>Description:
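After a few minutes with PF enabled, the kernel panics.
This machine is used as a Wi-Fi access point.
Note on the ddb output below: the first trace (pf_purge -> pf_purge_expired_states -> pf_remove_state -> pf_state_key_detach) is the original crash. The later "show pool", "show mbuf" and "show socket" commands all operated on 0xd02bd7a4, which is db_enter+0x4 (the eip printed by "show registers"), so their output does not describe a real pool, mbuf or socket, and the additional uvm_fault panics were raised inside ddb itself.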
>How-To-Repeat:
ddb>
ddb> trace
db_enter() at db_enter+0x4
panic(d0c23085) at panic+0xd3
kpageflttrap(f397ef40,efffab77) at kpageflttrap+0x137
trap(f397ef40) at trap+0x240
calltrap() at calltrap+0xc
pf_state_key_detach(d176b574,1) at pf_state_key_detach+0xc3
pf_remove_state(d176b574) at pf_remove_state+0x1ae
pf_purge_expired_states(7) at pf_purge_expired_states+0x20e
pf_purge(d0f34040) at pf_purge+0x28
taskq_thread(d19e0040) at taskq_thread+0x51
ddb>
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
91680 102503 86353 0 3 0x90 netio perl
84928 487950 1 0 3 0x100083 ttyin getty
50357 420093 1 0 3 0x100098 poll cron
86353 444402 1 0 3 0x90 select perl
26805 471539 1 110 3 0x100090 poll sndiod
44815 194553 1 99 3 0x100090 poll sndiod
92894 38657 39396 95 3 0x100092 kqread smtpd
61491 332672 39396 103 3 0x100092 kqread smtpd
24366 349089 39396 95 3 0x100092 kqread smtpd
20583 221597 39396 95 3 0x100092 kqread smtpd
67163 132034 39396 95 3 0x100092 kqread smtpd
77706 254966 39396 95 3 0x100092 kqread smtpd
39396 386710 1 0 3 0x100080 kqread smtpd
50369 182299 1 0 3 0x80 select sshd
39209 467868 97466 83 3 0x100092 poll ntpd
97466 58794 48591 83 3 0x100092 poll ntpd
48591 467956 1 0 3 0x100080 poll ntpd
49544 87172 18811 74 3 0x100092 bpf pflogd
18811 89146 1 0 3 0x80 netio pflogd
31306 123062 57102 73 3 0x100090 kqread syslogd
57102 520337 1 0 3 0x100082 netio syslogd
--db_more-- 66513 416718 12345 115 3 0x100092 kqread slaacd
65901 456997 12345 115 3 0x100092 kqread slaacd
12345 236602 1 0 3 0x100080 kqread slaacd
85951 82815 1 0 3 0x80 mfsidl mount_mfs
50282 504359 0 0 3 0x14200 bored smr
16344 105381 0 0 3 0x14200 pgzero zerothread
22682 490669 0 0 3 0x14200 aiodoned aiodoned
21005 275523 0 0 3 0x14200 syncer update
267 494740 0 0 3 0x14200 cleaner cleaner
16645 268424 0 0 3 0x14200 reaper reaper
91185 338378 0 0 3 0x14200 pgdaemon pagedaemon
40905 20775 0 0 3 0x14200 bored crynlk
3814 448551 0 0 3 0x14200 bored crypto
81885 332216 0 0 3 0x14200 usbtsk usbtask
77033 54567 0 0 3 0x14200 usbatsk usbatsk
68119 192458 0 0 3 0x14200 bored sensors
*73472 495669 0 0 7 0x14200 softnet
3192 480294 0 0 3 0x14200 bored systqmp
66611 471807 0 0 3 0x14200 bored systq
78985 518909 0 0 3 0x40014200 bored softclock
73474 63273 0 0 3 0x40014200 idle0
9405 333972 0 0 3 0x14200 kmalloc kmthread
1 352606 0 0 3 0x82 wait init
--db_more-- 0 0 -1 0 3 0x10200 scheduler swapper
ddb>
ddb> show panic
uvm_fault(0xd0f28590, 0xefffa000, 0, 1) -> d
ddb>
ddb> show pool
POOLpanic: uvm_fault(0xd0f28590, 0xf4bee000, 0, 1) -> e
Stopped at db_enter+0x4: popl %ebp
db_enter() at db_enter+0x4
panic(d0c23085) at panic+0xd3
kpageflttrap(f397ec18,f4bee856) at kpageflttrap+0x137
trap(f397ec18) at trap+0x240
calltrap() at calltrap+0xc
strlen(f4bee856) at strlen+0x10
kprintf() at kprintf+0xacf
db_printf(d0bcb2ce) at db_printf+0x37
pool_print1(d02bd7a4,f397ed54,d074a530) at pool_print1+0x4c
db_pool_print_cmd(d02bd7a4,0,ffffffff,f397ed54) at db_pool_print_cmd+0x13
db_command(d0e22ed8,d0de1480) at db_command+0x2ac
db_command_loop() at db_command_loop+0x7b
db_trap(1,0) at db_trap+0x10f
db_ktrap(1,0,f397ee78) at db_ktrap+0xcd
ddb>
ddb> show mbuf
mbuf 0xd02bd7a4
m_type: 22103 m_flags: ec83<M_EXT,M_PKTHDR,M_CONF,M_AUTH,M_ZEROIZE,M_COMP,M_LINK0>
m_next: 0xccccc35d m_nextpkt: 0xcccccccc
m_data: 0xcccccccc m_len: 1407551829
m_dat: 0xd02bd7bc m_pktdat: 0xd02bd7f8
m_ptkhdr.ph_ifidx: 79987456 m_pkthdr.len: 585984
m_ptkhdr.ph_tags: 0xf04589d0 m_pkthdr.ph_tagsset: c483<IPSEC_IN_DONE,IPSEC_OUT_DONE,GRE,CARP_BAL_IP>
m_pkthdr.ph_flowid: 32772 m_pkthdr.ph_loopcnt: 83
m_pkthdr.csum_flags: 404e<TCP_CSUM_OUT,UDP_CSUM_OUT,IPV4_CSUM_IN_OK,TCP_CSUM_IN_BAD,FLOWID>
m_pkthdr.ether_vtag: 22023 m_ptkhdr.ph_rtableid: 82920
m_pkthdr.pf.statekey: 0xc4830008 m_pkthdr.pf.inp 0xa0558d04
m_pkthdr.pf.qid: 347717681 m_pkthdr.pf.tag: 0
m_pkthdr.pf.flags: d7<GENERATED,SYNCOOKIE_RECREATED,TRANSLATE_LOCALHOST,DIVERTED_PACKET,REFRAGMENTED,PROCESSED>
m_pkthdr.pf.routed: 243 m_pkthdr.pf.prio: 171
m_ext.ext_buf: 0x5b845c7 m_ext.ext_size: 820004295
m_ext.ext_free_fn: 0 m_ext.ext_arg: 0xbc45c700
m_ext.ext_nextref: 0x52000010 m_ext.ext_prevref: 0xf4bee856
ddb>
ddb> show proc
PROC (softnet) pid=495669 stat=onproc
flags process=14000<NOZOMBIE,SYSTEM> proc=200<SYSTEM>
pri=32, usrpri=51, nice=20
forw=0xffffffff, list=0xd19cb194,0xd19cb330
process=0xff7fe9e0 user=0xf397d000, vmspace=0xd0f31518
estcpu=1, cpticks=2, pctcpu=0.0
user=0, sys=2, intr=0
ddb>
ddb> show registers
ds 0x10
es 0x10
fs 0x20
gs 0
edi 0xd0c23085 apollo_pio_rec+0x2824
esi 0x104
ebp 0xf397eb90
ebx 0xf397ebb8
edx 0x3fd
ecx 0
eax 0x1
eip 0xd02bd7a4 db_enter+0x4
cs 0x8
eflags 0x202
esp 0xf397eb90
ss 0x10
db_enter+0x4: popl %ebp
ddb>
ds 0x10
es 0x10
fs 0x20
gs 0
edi 0xd0c23085 apollo_pio_rec+0x2824
esi 0x104
ebp 0xf397eb90
ebx 0xf397ebb8
edx 0x3fd
ecx 0
eax 0x1
eip 0xd02bd7a4 db_enter+0x4
cs 0x8
eflags 0x202
esp 0xf397eb90
ss 0x10
db_enter+0x4: popl %ebp
ddb>
ddb> show socket
socket 0xd02bd7a4
so_type: -30379
so_options: 0x53e5
so_linger: 22103
so_state: 0xcccccccc
so_pcb: 0xcccccccc
so_proto: 0xccccc35d
so_sigio: 0x8004c483
so_head: 0x8758b54
so_onq: 0xddf400a1
so_q0: @0xd02bd7c0 first: 0xf04589d0
so_q: @0xd02bd7c8 first: 0xe8530000
so_eq: next: 0x5607404e
so_q0len: -32000
so_qlen: 1220
so_qlimit: -6061
so_timeo: -3862
so_obmark: 3296919560
so_sp: 0x14b9c031
panic: uvm_fault(0xd0f31518, 0x14b9c000, 0, 1) -> e
Stopped at db_enter+0x4: popl %ebp
db_enter() at db_enter+0x4
panic(d0c23085) at panic+0xd3
--db_more-- kpageflttrap(f397e9ac,14b9c031) at kpageflttrap+0x137
trap(f397e9ac) at trap+0x240
calltrap() at calltrap+0xc
so_print(d02bd7a4,d074a530) at so_print+0x181
db_socket_print_cmd(d02bd7a4,0,ffffffff,f397ea2c) at db_socket_print_cmd+0x10
db_command(d0e22ed8,d0de1480) at db_command+0x2ac
db_command_loop() at db_command_loop+0x7b
db_trap(1,0) at db_trap+0x10f
db_ktrap(1,0,f397eb50) at db_ktrap+0xcd
trap(f397eb50) at trap+0x46d
calltrap() at calltrap+0xc
db_enter() at db_enter+0x4
ddb>
[EOT]
>Fix:
Workaround only: disabling PF prevents the crash, so the crash seems to be related to PF.
SENDBUG: Run sendbug as root if this is an ACPI report!
SENDBUG: dmesg and usbdevs are attached.
SENDBUG: Feel free to delete or use the -D flag if they contain sensitive
information.
dmesg:
OpenBSD 6.9-current (GENERIC) #787: Wed Apr 28 10:12:43 MDT 2021
[email protected]:/usr/src/sys/arch/i386/compile/GENERIC
real mem = 267931648 (255MB)
avail mem = 246702080 (235MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 11/05/08, BIOS32 rev. 0 @ 0xfd088
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe0000/0xa800
cpu0 at mainbus0: (uniprocessor)
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 499
MHz, 05-0a-02
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
mtrr: K6-family MTRR support (2 registers)
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address
00:0d:b9:2b:62:c8
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address
00:0d:b9:2b:62:c9
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 15, address
00:0d:b9:2b:62:ca
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
athn0 at pci0 dev 12 function 0 "Atheros AR9280" rev 0x01: irq 9
athn0: AR9280 rev 2 (2T2R), ROM rev 21, address 30:14:4a:15:ba:bb
glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit
3579545Hz timer, watchdog, gpio, i2c
gpio0 at glxpcib0: 32 pins
iic0 at glxpcib0
maxtmp0 at iic0 addr 0x4c: lm86
pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <CF 4GB>
wd0: 1-sector PIO, LBA, 3831MB, 7847280 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 12, version 1.0,
legacy support
ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 12
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00
addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00
addr 1
nvram: invalid checksum
dt: 443 probes
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on wd0a (9a03e090a85ec7ef.a) swap on wd0b dump on wd0b
WARNING: / was not properly unmounted
clock: unknown CMOS layout
usbdevs:
Controller /dev/usb0:
addr 01: 1022:0000 AMD, EHCI root hub
high speed, self powered, config 1, rev 1.00
driver: uhub0
Controller /dev/usb1:
addr 01: 1022:0000 AMD, OHCI root hub
full speed, self powered, config 1, rev 1.00
driver: uhub1
10:07:30 root@alix $ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
index 6 priority 0 llprio 3
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
inet 127.0.0.1 netmask 0xff000000
vr0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu
1500
lladdr 00:0d:b9:2b:62:c8
index 1 priority 0 llprio 3
trunk: trunkdev trunk0
media: Ethernet autoselect (10baseT half-duplex)
status: active
vr1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0d:b9:2b:62:c9
index 2 priority 0 llprio 3
media: Ethernet autoselect (none)
status: no carrier
vr2: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu
1500
lladdr 00:0d:b9:2b:62:c8
index 3 priority 0 llprio 3
trunk: trunkdev trunk0
media: Ethernet autoselect (none)
status: no carrier
athn0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 30:14:4a:15:ba:bb
index 4 priority 4 llprio 3
groups: wlan
media: IEEE802.11 autoselect hostap (autoselect mode 11n hostap)
status: active
ieee80211: nwid symacx chan 3 bssid 30:14:4a:15:ba:bb -84dBm wpakey
wpaprotos wpa2 wpaakms psk wpaciphers ccmp wpagroupcipher ccmp
enc0: flags=0<>
index 5 priority 0 llprio 3
groups: enc
status: active
bridge1: flags=41<UP,RUNNING>
index 7 llprio 3
groups: bridge
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
trunk0 flags=3<LEARNING,DISCOVER>
port 8 ifpriority 0 ifcost 0
athn0 flags=3<LEARNING,DISCOVER>
port 4 ifpriority 0 ifcost 0
trunk0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0d:b9:2b:62:c8
index 8 priority 0 llprio 3
trunk: trunkproto loadbalance
vr2 port
vr0 port master,active
groups: trunk egress
media: Ethernet autoselect
status: active
inet 192.168.1.17 netmask 0xffffff00 broadcast 192.168.1.255
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33172
index 9 priority 0 llprio 3
groups: pflog
10:07:31 root@alix $
10:08:15 root@alix $ cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
10:08:15 root@alix $
10:08:56 root@alix $ pfctl -sr
anchor "ftp-proxy/*" all
match on trunk0 all scrub (max-mss 1440)
block drop log all
pass in on trunk0 all flags S/SA
pass out all flags S/SA
pass log proto icmp all
pass log proto ipv6-icmp all
block drop quick from <blocked> to any
block drop quick from <dns4hells> to <dest_blocked>
pass in log quick on athn0 inet proto tcp from any to any port = 21 flags S/SA divert-to 127.0.0.1 port 8021
pass out inet proto tcp from (self) to any port = 21 flags S/SA
pass in log on trunk0 inet proto udp from 192.168.1.3 to 192.168.1.255 port = 111
pass in log on trunk0 inet proto udp from any to 255.255.255.255 port = 67
pass in log on athn0 inet proto tcp from any to x.x.x.x flags S/SA
pass in log on athn0 inet proto tcp from 192.168.1.0/24 to any port = 443 flags S/SA
pass in log on athn0 proto tcp from any os "OpenBSD" to any port = 22 flags S/SA
pass in log on wlan inet proto udp from any to 255.255.255.255 port = 67
pass in log on athn0 inet proto udp from any to 192.168.1.4 port = 53
pass in log on athn0 inet proto udp from any to 192.168.1.17 port = 123
pass in log on trunk0 inet proto udp from any to 255.255.255.255 port = 67
pass in log on athn0 inet proto udp from 192.168.1.0/24 to ! 192.168.1.17 port = 123 rdr-to 192.168.1.17
pass in log on athn0 inet proto udp from 192.168.1.0/24 to any port = 3478
pass in log on athn0 all flags S/SA
10:09:00 root@alix $
--
Olivier Cherrier
Phone: +352691570680
mailto:[email protected]