Hi,

While testing pfsync over IPsec I have spotted a bug. While it is documented in man pfsync that enc0 should be used as syncdev when using pfsync over ipsec, IMHO the system should not crash when the physical interface is used.
This bug can be spotted on 4.8/i386, 4.9/i386 and Current/i386. I have not tested any other architectures. I noticed it when I tried to secure (with IPSEC) an already configured pfsync environment. It is very easy to reproduce. You need to have two physical interfaces: one with some traffic, and on the second you need to configure pfsync over ipsec like this:

FW1:

    ifconfig xl0 10.0.0.2/24
    ping 10.0.0.1 (in background)
    ifconfig bge0 192.168.1.1/24 up

    /etc/ipsec.conf:
    ike esp from 192.168.1.1 to 192.168.1.2 peer 192.168.1.2 psk test

    isakmpd -4 -v -K
    ipsecctl -f /etc/ipsec.conf
    ifconfig pfsync0 create
    ifconfig pfsync0 syncpeer 192.168.1.2 syncdev bge0 up
    ifconfig pfsync0 down
    ifconfig pfsync0 up

    crash within seconds

On the second machine you need:

    ifconfig em0 192.168.1.2/24 up

    /etc/ipsec.conf:
    ike esp from 192.168.1.2 to 192.168.1.1 peer 192.168.1.1 psk test

    isakmpd -4 -v -K
    ipsecctl -f /etc/ipsec.conf

Sometimes my system freezes, sometimes it crashes, sometimes the kernel panics.

    uvm_fault(0xd0a34340, 0x1000000, 0,1) -> e
    kernel: page fault trap, code=0
    Stopped at m_cluncount+0x1a: movzwl 0x12(%edx),%eax
    ddb> trace
    m_cluncount(d6d75600,1,d6d59d00,dc006e74,d0400252) at m_cluncount_0x1a
    ether_input(d1dc904c,0,d6d75600,200,a) at ether_input+0x2b
    xl_rxeof(d1dc9000,9000,e,6c01,d0202490) at xl_rxeof+0x121
    xl_intr(d1dc9000) at xl_intr+0xd5
    Xintr_ioapic0() at Xintr_ioapic0+0x70
    --- interrupt ---
    cpu_idle_cycle(d0af0e20) at cpu_idle_cycle+0xf
    Bad frame pointer: 0xd0ba8e48

Dmesg below:

    OpenBSD 4.9-current (GENERIC) #2: Sun May 22 22:31:55 MDT 2011
        dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
    cpu0: Intel(R) Pentium(R) D CPU 2.80GHz ("GenuineIntel" 686-class) 2.82 GHz
    cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
    real mem = 1064824832 (1015MB)
    avail mem = 1036578816 (988MB)
    mainbus0 at root
    bios0 at mainbus0: AT/286+ BIOS, date 09/26/05, BIOS32 rev. 0 @ 0xfb390, SMBIOS rev. 2.3 @ 0xf0100 (39 entries)
    bios0: vendor Award Software International, Inc. version "F8" date 09/26/2005
    bios0: Gigabyte Technology Co., Ltd. 8I945G Pro
    acpi0 at bios0: rev 0
    acpi0: sleep states S0 S1 S4 S5
    acpi0: tables DSDT FACP MCFG APIC
    acpi0: wakeup devices PEX0(S5) PEX1(S5) PEX2(S5) PEX3(S5) PEX4(S5) PEX5(S5) HUB0(S5) USB0(S1) USB1(S1) USB2(S1) USB3(S1) USBE(S1) AC97(S5) MC97(S5) AZAL(S5) PCI0(S5)
    acpitimer0 at acpi0: 3579545 Hz, 24 bits
    acpimcfg0 at acpi0 addr 0xf0000000, bus 0-255
    acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
    cpu0 at mainbus0: apid 0 (boot processor)
    cpu0: apic clock running at 200MHz
    cpu at mainbus0: not configured
    ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 20, 24 pins
    ioapic0: misconfigured as apic 0, remapped to apid 2
    acpiprt0 at acpi0: bus 0 (PCI0)
    acpiprt1 at acpi0: bus 1 (PEX0)
    acpiprt2 at acpi0: bus -1 (PEX1)
    acpiprt3 at acpi0: bus 2 (PEX2)
    acpiprt4 at acpi0: bus -1 (PEX3)
    acpiprt5 at acpi0: bus -1 (PEX4)
    acpiprt6 at acpi0: bus -1 (PEX5)
    acpiprt7 at acpi0: bus 3 (HUB0)
    acpicpu0 at acpi0
    acpibtn0 at acpi0: PWRB
    bios0: ROM list: 0xc0000/0xa800! 0xcc000/0x8000!
    pci0 at mainbus0 bus 0: configuration mode 1 (bios)
    pchb0 at pci0 dev 0 function 0 "Intel 82945G Host" rev 0x02
    vga1 at pci0 dev 2 function 0 "Intel 82945G Video" rev 0x02
    wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
    wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
    intagp0 at vga1
    agp0 at intagp0: aperture at 0xd0000000, size 0x10000000
    inteldrm0 at vga1: apic 2 int 16
    drm0 at inteldrm0
    ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01: apic 2 int 16
    pci1 at ppb0 bus 1
    ppb1 at pci0 dev 28 function 2 "Intel 82801GB PCIE" rev 0x01: apic 2 int 18
    pci2 at ppb1 bus 2
    bge0 at pci2 dev 0 function 0 "Broadcom BCM5789" rev 0x11, BCM5750 B1 (0x4101): apic 2 int 18, address 00:14:85:e1:d7:51
    brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
    uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: apic 2 int 23
    uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: apic 2 int 19
    uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: apic 2 int 18
    uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: apic 2 int 16
    ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: apic 2 int 23
    usb0 at ehci0: USB revision 2.0
    uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
    ppb2 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1
    pci3 at ppb2 bus 3
    xl0 at pci3 dev 0 function 0 "3Com 3c905C 100Base-TX" rev 0x78: apic 2 int 20, address 00:04:75:dc:57:48
    exphy0 at xl0 phy 24: 3Com internal media interface
    "Creative Labs SoundBlaster Audigy LS" rev 0x00 at pci3 dev 1 function 0 not configured
    pciide0 at pci3 dev 6 function 0 "ITExpress IT8212F" rev 0x13: DMA, channel 0 wired to native-PCI, channel 1 wired to native-PCI
    pciide0: using apic 2 int 22 for native-PCI interrupt
    "TI TSB82AA2 FireWire" rev 0x01 at pci3 dev 7 function 0 not configured
    ichpcib0 at pci0 dev 31 function 0 "Intel 82801GB LPC" rev 0x01: PM disabled
    pciide1 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
    atapiscsi0 at pciide1 channel 0 drive 0
    scsibus0 at atapiscsi0: 2 targets
    cd0 at scsibus0 targ 0 lun 0: <TSSTcorp, CD/DVDW SH-S162L, TS01> ATAPI 5/cdrom removable
    cd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 2
    pciide1: channel 1 disabled (no drives)
    ahci0 at pci0 dev 31 function 2 "Intel 82801GR AHCI" rev 0x01: apic 2 int 19, AHCI 1.1
    scsibus1 at ahci0: 32 targets
    sd0 at scsibus1 targ 0 lun 0: <ATA, ST3250824AS, 3.AA> SCSI3 0/direct fixed t10.ATA_ST3250824AS_5ND391NT
    sd0: 238475MB, 512 bytes/sec, 488397168 sec total
    ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev 0x01: apic 2 int 19
    iic0 at ichiic0
    spdmem0 at iic0 addr 0x50: 512MB DDR2 SDRAM non-parity PC2-5300CL5
    spdmem1 at iic0 addr 0x52: 512MB DDR2 SDRAM non-parity PC2-5300CL5
    usb1 at uhci0: USB revision 1.0
    uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
    usb2 at uhci1: USB revision 1.0
    uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
    usb3 at uhci2: USB revision 1.0
    uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
    usb4 at uhci3: USB revision 1.0
    uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
    isa0 at ichpcib0
    isadma0 at isa0
    com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
    com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
    pckbc0 at isa0 port 0x60/5
    pckbd0 at pckbc0 (kbd slot)
    pckbc0: using irq 1 for kbd slot
    wskbd0 at pckbd0: console keyboard, using wsdisplay0
    pcppi0 at isa0 port 0x61
    spkr0 at pcppi0
    lpt0 at isa0 port 0x378/4 irq 7
    it0 at isa0 port 0x2e/2: IT8712F rev 7, EC port 0x290
    npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
    mtrr: Pentium Pro MTRR support
    vscsi0 at root
    scsibus2 at vscsi0: 256 targets
    softraid0 at root
    root on sd0a (8144d37557e33107.a) swap on sd0b dump on sd0b

This is from 4.9/mp/i386:

    uvm_fault(0xd0a10120, 0xd6e6f000, 0, 3) -> e
    kernel: page fault trap, code=0
    Stopped at pfsync_out_del+0xf: movl %eax,0(%ebx)
    ddb{0}> trace
    pfsync_out_del(d6dbb000,d6e6f004,10,0dc840f1c) at pfsync_out_del+0xf
    pfsync_sendout(40,d1f40000,dc840ef4,d03e39a5,d1f40000) at pfsync_sendout+0x319
    pfsync_timeout(d1f40000,dc840f00,d03ccbf4,dc840ef4,d1e94680) at pfsync_timeout0x1a
    sotfclock(0,282,0,0,d02021ae) at softclock+0x225
    sotintr_dispatch(0) at sotintr_dispatch+0x4f
    Xsoftclock() at Xsoftclock+0x17
    ---interrupt ---
    cpu_idle_cycle(d0aee4e0) at cpu_idle_cycle+0xf
    Bad frame pointer: 0xd0ba6e48

The same on current/i386/sp:

    panic: pool_do_get(mbpl): free list modified: page 0xd6e5a000; item ddr 0xd6e5ad; offset 0x0=0x1000307
    Stopped at Debugger+0x4: popl %ebp

or different:

    uvm_fault(0xd0a34340, 0x1000000, 0,1) -> e
    kernel: page fault trap, code=0
    Stopped at m_cluncount+0x1a: movzwl 0x12(%edx),%eax
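
A pre-flight check for the misconfiguration reported above, added here as an example and not part of the original post: it flags a pfsync setup whose syncpeer is covered by an `ike esp` rule while syncdev is something other than enc0. The function name `check_pfsync_syncdev` is hypothetical, and the script assumes the ifconfig arguments and one-line ipsec.conf rules are passed as text in the form the report uses (no line continuations or macros).

```shell
#!/bin/sh
# Added example: audit pfsync arguments against ipsec.conf rules.
# check_pfsync_syncdev is a hypothetical helper, not an OpenBSD tool.
#
# usage: check_pfsync_syncdev PFSYNC_ARGS IPSEC_CONF_TEXT
# Prints "ok", "no-ipsec" or "mismatch"; returns 1 only on mismatch.
check_pfsync_syncdev() {
    pfsync_args=$1
    ipsec_conf=$2

    # Pull the values that follow the syncpeer / syncdev keywords.
    syncpeer=$(printf '%s\n' "$pfsync_args" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "syncpeer") print $(i+1) }')
    syncdev=$(printf '%s\n' "$pfsync_args" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "syncdev") print $(i+1) }')

    # Does any "ike esp" rule name the sync peer as destination or peer?
    covered=$(printf '%s\n' "$ipsec_conf" | awk -v p="$syncpeer" '
        $1 == "ike" && $2 == "esp" {
            for (i = 3; i < NF; i++)
                if (($i == "to" || $i == "peer") && $(i+1) == p) hit = 1
        }
        END { print hit ? "yes" : "no" }')

    if [ "$covered" = "no" ]; then
        echo "no-ipsec"; return 0      # sync traffic is not in an IPsec flow
    fi
    if [ "$syncdev" = "enc0" ]; then
        echo "ok"; return 0            # matches what man pfsync documents
    fi
    echo "mismatch"; return 1          # the setup that crashed in the report
}

# Constructed sample input: the FW1 settings quoted in the report.
check_pfsync_syncdev 'syncpeer 192.168.1.2 syncdev bge0 up' \
    'ike esp from 192.168.1.1 to 192.168.1.2 peer 192.168.1.2 psk test' || true
```
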