NetBSD Problem Report #53036

From alnsn@NetBSD.org  Sun Feb 18 10:19:55 2018
Return-Path: <alnsn@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 8D55E7A262
	for <gnats-bugs@gnats.NetBSD.org>; Sun, 18 Feb 2018 10:19:55 +0000 (UTC)
Message-Id: <20180218101954.6353A7A264@mollari.NetBSD.org>
Date: Sun, 18 Feb 2018 10:19:54 +0000 (UTC)
From: alnsn@NetBSD.org
Reply-To: alnsn@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: 'block user' in pf's ruleset panics 8.0_BETA
X-Send-Pr-Version: 3.95

>Number:         53036
>Category:       kern
>Synopsis:       'block user' in pf's ruleset panics 8.0_BETA
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Feb 18 10:20:00 +0000 2018
>Closed-Date:    Thu Feb 22 08:46:37 +0000 2018
>Last-Modified:  Mon Feb 26 00:35:00 +0000 2018
>Originator:     Alexander Nasonov
>Release:        NetBSD 8.0_BETA
>Organization:
	XMM Swap Ltd
>Environment:
System: NetBSD nebo 8.0_BETA NetBSD 8.0_BETA (TRIMMED) #0: Thu Feb 15 21:02:31 GMT 2018  alnsn@nebeda:/home/alnsn/netbsd-8/src/sys/arch/amd64/compile/obj/TRIMMED amd64
Architecture: x86_64
Machine: amd64
>Description:
Starting pf with the following rules:

	local_users="{ dnsmasq, privoxy, _tcpdump, _pflogd }"
	block log user $local_users
	pass on lo0 all

panics the system instantly when a tor relay process is running. When it's
not running, the box seems to work fine (for a couple of minutes) but it
panics when I start the relay.

The relay process doesn't use pf features but there is another tor process
on the box which has the following in the torrc file:

	VirtualAddrNetworkIPv4 127.192.0.0/16
	AutomapHostsOnResolve  1
	AutomapHostsSuffixes   .onion

ddb:

fatal breakpoint trap in supervisor mode
trap type 1 code 8 rip 0xff..80224d95 cs 0x8 rflags 0x246 cr2 0x7dc2c46f9600 ilevel 0x4 rsp 0xff..e8139920a0
curlwp 0xff..e88710a8420 pid 0.3 (system) at netbsd:breakpoint+0x5: leave
breakpoint() at netbsd:breakpoint+0x5
vpanic() at netbsd:vpanic+0x140
curlwp_bindx() at netbsd:curlwp_bindx+0x8da05
kauth_cred_geteuid() at netbsd:kauth_cred_geteuid+0x50
pf_socket_lookup() at netbsd:pf_socket_lookup+0x179
pf_test_rule() at netbsd:pf_test_rule+0x10d8
pf_test() at netbsd:pf_test+0xe43
pfil4_wrapper() at netbsd:pfil4_wrapper+0x4a
pfil_run_hooks() at netbsd:pfil-run_hooks+0x114
ipintr() at netbsd:ipintr+0x5b3
softint_dispatch() at netbsd:softint_dispatch+0xd3
DDB lost frame for netbsd:Xsoftintr+0x4f, trying 0xff..e8139920ff0
--- interrupt ---
0:
db{0}>
>How-To-Repeat:
	Run tor relay and pf with the above mentioned rules.
>Fix:
	Not known.

>Release-Note:

>Audit-Trail:
From: Alexander Nasonov <alnsn@yandex.ru>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
	netbsd-bugs@netbsd.org
Subject: Re: kern/53036: 'block user' in pf's ruleset panics 8.0_BETA
Date: Sun, 18 Feb 2018 21:14:47 +0000

 alnsn@NetBSD.org wrote:
 > >Description:
 > Starting pf with the following rules:
 > 
 > 	local_users="{ dnsmasq, privoxy, _tcpdump, _pflogd }"
 > 	block log user $local_users
 > 	pass on lo0 all
 > 
 > panics the system instantly when a tor relay process is running. When it's
 > not running, the box seems to work fine (for a couple of minutes) but it
 > panics when I start the relay.
 > 
 > The relay process doesn't use pf features but there is another tor process
 > on the box which has the following in the torrc file:
 > 
 > 	VirtualAddrNetworkIPv4 127.192.0.0/16
 > 	AutomapHostsOnResolve  1
 > 	AutomapHostsSuffixes   .onion

 I reproduced it on a different box which was configured with savecore=YES.

 $ crash -M /home/crash/netbsd.43.core                                                                                
 Crash version 8.0_BETA, image version 8.0_BETA.
 System panicked: kernel diagnostic assertion "cred != NULL" failed: file "/home/alnsn/netbsd-8/src/sys/kern/kern_auth.c", line 266 
 Backtrace from time of crash is available.
 crash> bt
 _KERNEL_OPT_NARCNET() at 0
 ?() at fffffe811cdc382c
 vpanic() at vpanic+0x149
 ch_voltag_convert_in() at ch_voltag_convert_in
 kauth_cred_geteuid() at kauth_cred_geteuid+0x50
 pf_socket_lookup() at pf_socket_lookup+0x179
 pf_test_rule() at pf_test_rule+0x10d8
 pf_test() at pf_test+0xe43
 pfil4_wrapper() at pfil4_wrapper+0x4a
 pfil_run_hooks() at pfil_run_hooks+0x114
 ipintr() at ipintr+0x5b3
 softint_dispatch() at softint_dispatch+0xd4
 DDB lost frame for Xsoftintr+0x4f, trying 0xfffffe80daff6ff0
 Xsoftintr() at Xsoftintr+0x4f
 --- interrupt ---
 0:


 I modified fstat.c to print so.so_cred but I don't see any NULL values:

 $ ./fstat -v -n -M /home/crash/netbsd.43.core
 ... nothing interesting in the output ...

 -- 
 Alex

From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/53036 CVS commit: src/sys/dist/pf/net
Date: Sun, 18 Feb 2018 16:51:28 -0500

 Module Name:	src
 Committed By:	christos
 Date:		Sun Feb 18 21:51:28 UTC 2018

 Modified Files:
 	src/sys/dist/pf/net: pf.c

 Log Message:
 PR/53036: Alexander Nasonov: 'block user' in pf's ruleset panics 8.0_BETA
 Check for NULL.


 To generate a diff of this commit:
 cvs rdiff -u -r1.78 -r1.79 src/sys/dist/pf/net/pf.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: Alexander Nasonov <alnsn@yandex.ru>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
	netbsd-bugs@netbsd.org, alnsn@NetBSD.org
Subject: Re: PR/53036 CVS commit: src/sys/dist/pf/net
Date: Mon, 19 Feb 2018 00:16:24 +0000

 Christos Zoulas wrote:
 >  Log Message:
 >  PR/53036: Alexander Nasonov: 'block user' in pf's ruleset panics 8.0_BETA
 >  Check for NULL.

 > +     if (so == NULL)
 > +             return -1;
 > +     if (so->so_cred == NULL) {
 > +             DPFPRINTF(PF_DEBUG_URGENT,
 > +                 ("%s: so->so_cred == NULL so=%p\n", __func__, so));
 > +             return -1;
 > +     }
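
 Review bot: the DPFPRINTF at PF_DEBUG_URGENT in the so->so_cred == NULL branch fires every time that branch is taken, so if a NULL so_cred is a state that occurs in normal operation it will flood the system log. Drop the message or lower its debug level, and add a comment saying when so_cred is expected to be NULL; the two checks can then collapse into a single `if (so == NULL || so->so_cred == NULL) return -1;`.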

 This change fixes the panic but my /var/log/messages is now full of
 these debug messages https://twitter.com/nasonov/status/965371936447565824

 I also see that some incoming messages are blocked in /var/log/pflogd:

 23:48:33.xxxxxx rule 0/0(match): block in on wm0: xxx.xxx.xxx.xxx > xxx.xxx.xxx.xxx: Flags [.], seq 468711:469427, ack 149621, win 475, length 716
 23:48:33.xxxxxx rule 0/0(match): block in on wm0: xxx.xxx.xxx.xxx > xxx.xxx.xxx.xxx: ip-proto-6
 23:48:33.xxxxxx rule 0/0(match): block in on wm0: xxx.xxx.xxx.xxx > xxx.xxx.xxx.xxx: ip-proto-6
 23:48:40.xxxxxx rule 0/0(match): block in on wm0: xxx.xxx.xxx.xxx > xxx.xxx.xxx.xxx: Flags [.], seq 0:1440, ack 2, win 271, options [nop,nop,TS val 1121107037 ecr 601], length 1440
 23:48:40.xxxxxx rule 0/0(match): block in on wm0: xxx.xxx.xxx.xxx > xxx.xxx.xxx.xxx: ip-proto-6

 If I add 'pass all' rule, this weird behaviour stops.

 My new pf rules:

 proxy_users="{ dnsmasq, privoxy }"
 local_users="{ _tcpdump, _pflogd }"

 pass all
 block quick log user $local_users
 block log user $proxy_users
 pass on lo0 all

 -- 
 Alex

From: Alexander Nasonov <alnsn@yandex.ru>
To: Alexander Nasonov <alnsn@yandex.ru>
Cc: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org,
	gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, alnsn@NetBSD.org
Subject: Re: PR/53036 CVS commit: src/sys/dist/pf/net
Date: Mon, 19 Feb 2018 00:24:20 +0000

 Alexander Nasonov wrote:
 > If I add 'pass all' rule, this weird behaviour stops.

 It stops only printing debug messages. I still see blocked incoming
 packets.

 -- 
 Alex

From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org, 
	gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, alnsn@NetBSD.org
Cc: 
Subject: Re: PR/53036 CVS commit: src/sys/dist/pf/net
Date: Sun, 18 Feb 2018 20:29:07 -0500

 On Feb 19, 12:20am, alnsn@yandex.ru (Alexander Nasonov) wrote:
 -- Subject: Re: PR/53036 CVS commit: src/sys/dist/pf/net

 How about adding this?

 christos

 Index: uipc_socket2.c
 ===================================================================
 RCS file: /cvsroot/src/sys/kern/uipc_socket2.c,v
 retrieving revision 1.126
 diff -u -u -r1.126 uipc_socket2.c
 --- uipc_socket2.c	6 Jul 2017 17:42:39 -0000	1.126
 +++ uipc_socket2.c	19 Feb 2018 01:27:55 -0000
 @@ -356,6 +356,8 @@
  	}
  	KASSERT(solocked2(head, so));

 +	so->so_cred = kauth_cred_dup(head->so_cred);
 +
  	/*
  	 * Insert into the queue.  If ready, update the connection status
  	 * and wake up any waiters, e.g. processes blocking on accept().
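
 Review bot: the added kauth_cred_dup() call allocates a new credential while the socket lock is held (see the KASSERT(solocked2(head, so)) just above), and nothing in the hunk establishes that this code only runs in a context where allocation is permitted. Taking a reference on head->so_cred instead of copying it would avoid the allocation. The assignment also overwrites whatever so->so_cred held before without releasing it, so confirm it is always NULL at this point.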

From: Alexander Nasonov <alnsn@yandex.ru>
To: Christos Zoulas <christos@zoulas.com>
Cc: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org,
	gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, alnsn@NetBSD.org
Subject: Re: PR/53036 CVS commit: src/sys/dist/pf/net
Date: Mon, 19 Feb 2018 21:27:20 +0000

 Christos Zoulas wrote:
 > How about adding this?
 > 
 > christos
 > 
 > +	so->so_cred = kauth_cred_dup(head->so_cred);

 panic: kernel diagnostic assertion "(!cpu_intr_p() && !cpu_softintr_p()) || (pc->pc_pool.pr_ipl != IPL_NONE || cold || panicstr != NULL)" failed: file "/home/alnsn/netbsd-8/src/sys/kern/subr_pool.c", line 2179 pool 'kcredpl' is IPL_NONE, but called from interrupt context

 Screenshot of the stack trace is here:
 https://twitter.com/nasonov/status/965692871549517826

 -- 
 Alex

From: christos@zoulas.com (Christos Zoulas)
To: Alexander Nasonov <alnsn@yandex.ru>
Cc: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org, 
	gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, alnsn@NetBSD.org
Subject: Re: PR/53036 CVS commit: src/sys/dist/pf/net
Date: Mon, 19 Feb 2018 17:50:22 -0500

 On Feb 19,  9:27pm, alnsn@yandex.ru (Alexander Nasonov) wrote:
 -- Subject: Re: PR/53036 CVS commit: src/sys/dist/pf/net

 | Christos Zoulas wrote:
 | > How about adding this?
 | > 
 | > christos
 | > 
 | > +	so->so_cred = kauth_cred_dup(head->so_cred);
 | 
 | panic: kernel diagnostic assertion "(!cpu_intr_p() && !cpu_softintr_p()) || (pc->pc_pool.pr_ipl != IPL_NONE || cold || panicstr != NULL)" failed: file "/home/alnsn/netbsd-8/src/sys/kern/subr_pool.c", line 2179 pool 'kcredpl' is IPL_NONE, but called from interrupt context
 | 
 | Screenshot of the stack trace is here:
 | https://twitter.com/nasonov/status/965692871549517826
 | 

 Ok, how about this then?

 christos
 Index: uipc_socket2.c
 ===================================================================
 RCS file: /cvsroot/src/sys/kern/uipc_socket2.c,v
 retrieving revision 1.126
 diff -u -u -r1.126 uipc_socket2.c
 --- uipc_socket2.c	6 Jul 2017 17:42:39 -0000	1.126
 +++ uipc_socket2.c	19 Feb 2018 22:49:37 -0000
 @@ -356,6 +356,9 @@
  	}
  	KASSERT(solocked2(head, so));

 +	so->so_cred = head->so_cred;
 +	kauth_cred_hold(so->so_cred);
 +
  	/*
  	 * Insert into the queue.  If ready, update the connection status
  	 * and wake up any waiters, e.g. processes blocking on accept().
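
 Review bot: head->so_cred is assigned and passed to kauth_cred_hold() on the two added lines without a NULL check, so guard them with `if (head->so_cred != NULL)` unless the head socket is guaranteed to carry a credential. The hunk does not show where the extra reference is dropped; confirm the socket teardown path releases so->so_cred, and add a comment stating that the new socket inherits the credential of the socket it was created from.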

From: Alexander Nasonov <alnsn@yandex.ru>
To: Christos Zoulas <christos@zoulas.com>
Cc: Alexander Nasonov <alnsn@yandex.ru>, gnats-bugs@NetBSD.org,
	kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
	netbsd-bugs@netbsd.org, alnsn@NetBSD.org
Subject: Re: PR/53036 CVS commit: src/sys/dist/pf/net
Date: Tue, 20 Feb 2018 09:22:06 +0000

 Christos Zoulas wrote:
 > Ok, how about this then?
 > 
 > christos
 > Index: uipc_socket2.c
 > ===================================================================
 > RCS file: /cvsroot/src/sys/kern/uipc_socket2.c,v
 > retrieving revision 1.126
 > diff -u -u -r1.126 uipc_socket2.c
 > --- uipc_socket2.c	6 Jul 2017 17:42:39 -0000	1.126
 > +++ uipc_socket2.c	19 Feb 2018 22:49:37 -0000
 > @@ -356,6 +356,9 @@
 >  	}
 >  	KASSERT(solocked2(head, so));
 >  
 > +	so->so_cred = head->so_cred;
 > +	kauth_cred_hold(so->so_cred);
 > +
 >  	/*
 >  	 * Insert into the queue.  If ready, update the connection status
 >  	 * and wake up any waiters, e.g. processes blocking on accept().

 I assume this change isn't needed. My server is running fine with your
 	if (so == NULL || so->so_cred == NULL) return -1;
 change.

 -- 
 Alex

State-Changed-From-To: open->closed
State-Changed-By: alnsn@NetBSD.org
State-Changed-When: Thu, 22 Feb 2018 08:46:37 +0000
State-Changed-Why:
Fixed. Pull-up requested: pullup-8 #570.


From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/53036 CVS commit: [netbsd-8] src/sys/dist/pf/net
Date: Mon, 26 Feb 2018 00:33:08 +0000

 Module Name:	src
 Committed By:	snj
 Date:		Mon Feb 26 00:33:08 UTC 2018

 Modified Files:
 	src/sys/dist/pf/net [netbsd-8]: pf.c

 Log Message:
 Pull up following revision(s) (requested by alnsn in ticket #570):
 	sys/dist/pf/net/pf.c: 1.79-1.80
 PR/53036: Alexander Nasonov: 'block user' in pf's ruleset panics 8.0_BETA
 Check for NULL.
 --
 It is normal for socket credentials to be missing for incoming sockets,
 so don't warn.


 To generate a diff of this commit:
 cvs rdiff -u -r1.76.6.1 -r1.76.6.2 src/sys/dist/pf/net/pf.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
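
A userland model of the two ideas in this thread, added here as an example and not taken from the NetBSD sources: the guarded credential lookup that was committed, and inheriting a credential by taking a reference rather than allocating a copy. All struct and function names are hypothetical, and the uid value is constructed.

```c
#include <stdlib.h>

/* Userland model; all names are hypothetical, not NetBSD kernel code. */
struct cred { unsigned refcnt; unsigned euid; };
struct sock { struct cred *so_cred; };   /* NULL models an incoming socket */
static struct cred *cred_new(unsigned euid) {
	struct cred *c = malloc(sizeof(*c));
	if (c != NULL) { c->refcnt = 1; c->euid = euid; }
	return c;
}
static void cred_hold(struct cred *c) { c->refcnt++; }
static void cred_free(struct cred *c) { if (--c->refcnt == 0) free(c); }

/* Guarded lookup: report "no owner" instead of dereferencing NULL. */
static int sock_lookup_uid(const struct sock *so, unsigned *uid) {
	if (so == NULL || so->so_cred == NULL)
		return -1;
	*uid = so->so_cred->euid;
	return 0;
}

/* Assumption of this model: a packet whose socket has no owner does not
 * match a "user" rule. The page does not show how pf treats the -1. */
static int user_rule_matches(const struct sock *so, unsigned rule_uid) {
	unsigned uid;
	if (sock_lookup_uid(so, &uid) == -1)
		return 0;
	return uid == rule_uid;
}

/* Inherit by reference: a refcount bump, no allocation in this path. */
static void sock_inherit_cred(struct sock *so, struct sock *head) {
	if (head->so_cred == NULL)
		return;
	so->so_cred = head->so_cred;
	cred_hold(so->so_cred);
}

int main(void) {
	struct cred *c = cred_new(1001);   /* constructed uid */
	if (c == NULL) return 1;
	struct sock head = { c }, in = { NULL };
	int before = user_rule_matches(&in, 1001);  /* 0: no owner */
	sock_inherit_cred(&in, &head);
	int after = user_rule_matches(&in, 1001);   /* 1: owner inherited */
	cred_free(in.so_cred);
	cred_free(head.so_cred);
	return (before == 0 && after == 1) ? 0 : 1;
}
```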

>Unformatted:
