4.9, set reassemble no + block log + fragments = panic

Tony Sarendal Tue, 20 Mar 2012 13:18:38 -0700

Good evening,

the last two days we have experienced panics sequentially across all of our
peering boxes.
After one day of coffee, thinking and reading, I found this in 4.9. (5.0+
looks good):


target49# ifconfig vlan69
vlan69: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:38:f3:c5
        priority: 0
        vlan: 69 priority: 0 parent interface: em1
        groups: vlan
        status: active
        inet6 fe80::20c:29ff:fe38:f3c5%vlan69 prefixlen 64 scopeid 0x5
        inet 192.168.69.49 netmask 0xffffff00 broadcast 192.168.69.255
target49# cat /etc/pf.conf

set skip on lo
set reassemble no

block in log quick

target49#

sender51# tcpdump -n -i vlan69 -v
tcpdump: listening on vlan69, link-type EN10MB
tcpdump: WARNING: compensating for unaligned libpcap packets
20:55:58.958739 192.168.69.1.10562 > 192.168.69.49.1234: udp 2000 (frag
58745:1480@0+) (ttl 64, len 1500)
20:55:58.958745 192.168.69.1 > 192.168.69.49: (frag 58745:528@1480) (ttl
64, len 548)
^C

Mar 20 20:57:17 target49 /bsd: uvm_fault(0xffffffff80d1b0e0, 0x0, 0, 1) -> e
Mar 20 20:57:17 target49 /bsd: fatal page fault in supervisor mode
Mar 20 20:57:17 target49 /bsd: trap type 6 code 0 rip ffffffff80245557 cs 8
rflags 10246 cr2  0 cpl 5 rsp ffff80000bba0b40
Mar 20 20:57:17 target49 /bsd: panic: trap type 6, code=0,
pc=ffffffff80245557
Mar 20 20:57:17 target49 /bsd: Starting stack trace...
Mar 20 20:57:17 target49 /bsd: panic() at panic+0xf5
Mar 20 20:57:17 target49 /bsd: trap() at trap+0x6fd
Mar 20 20:57:17 target49 /bsd: --- trap (number 6) ---
Mar 20 20:57:17 target49 /bsd: pf_change_ap() at pf_change_ap+0x57
Mar 20 20:57:18 target49 /bsd: pf_translate() at pf_translate+0x27d
Mar 20 20:57:18 target49 /bsd: pflog_bpfcopy() at pflog_bpfcopy+0x233
Mar 20 20:57:18 target49 /bsd: bpf_catchpacket() at bpf_catchpacket+0xd8
Mar 20 20:57:18 target49 /bsd: bpf_mtap_pflog() at bpf_mtap_pflog+0x8f
Mar 20 20:57:18 target49 /bsd: pflog_packet() at pflog_packet+0x223
Mar 20 20:57:18 target49 /bsd: pf_test_fragment() at pf_test_fragment+0x502
Mar 20 20:57:18 target49 /bsd: pf_test() at pf_test+0x7ef
Mar 20 20:57:18 target49 /bsd: ipv4_input() at ipv4_input+0x22a
Mar 20 20:57:18 target49 /bsd: ipintr() at ipintr+0x51
Mar 20 20:57:18 target49 /bsd: netintr() at netintr+0xda
Mar 20 20:57:18 target49 /bsd: softintr_dispatch() at softintr_dispatch+0x5d
Mar 20 20:57:18 target49 /bsd: Xsoftnet() at Xsoftnet+0x28
Mar 20 20:57:18 target49 /bsd: --- interrupt ---
Mar 20 20:57:18 target49 /bsd: end of kernel
Mar 20 20:57:18 target49 /bsd: end trace frame: 0x6a7, count: 242
Mar 20 20:57:18 target49 /bsd: 0x8:
Mar 20 20:57:18 target49 /bsd: End of stack trace.
Mar 20 20:57:18 target49 /bsd: End of stack trace.
Mar 20 20:57:18 target49 /bsd: dump to dev 4,1 not possible
Mar 20 20:57:18 target49 /bsd: rebooting...

Ignore the timestamps, the box panics immediately after getting the
fragmented packet.
I could reproduce it on vmware 4.9-stable with GENERIC/GENERIC.MP, so no
dmesg attached.

Regards Tony

4.9, set reassemble no + block log + fragments = panic

Reply via email to