NetBSD Problem Report #54950
From www@netbsd.org Mon Feb 10 05:04:14 2020
Date: Mon, 10 Feb 2020 05:04:13 +0000 (UTC)
From: lloyd@must-have-coffee.gen.nz
Reply-To: lloyd@must-have-coffee.gen.nz
To: gnats-bugs@NetBSD.org
Subject: Kernel panic in NPF with empty procedure
X-Send-Pr-Version: www-1.0
>Number: 54950
>Category: kern
>Synopsis: Kernel panic in NPF with empty procedure
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Feb 10 05:05:00 +0000 2020
>Closed-Date: Mon May 25 17:36:16 +0000 2020
>Last-Modified: Mon May 25 17:36:16 +0000 2020
>Originator: Lloyd Parkes
>Release: NetBSD 9.0_RC1
>Organization:
Must Have Coffee
>Environment:
System: NetBSD mossdog.must-have-coffee.gen.nz 9.0_RC1 NetBSD 9.0_RC1 (SERIAL) #0: Sun Jan 12 09:07:43 NZDT 2020 lloyd@ceph4:/vol/build/cylc/20200102T0000+13/build-netbsd-9/obj.amd64/sys/arch/amd64/compile/SERIAL amd64
Architecture: x86_64
Machine: amd64
>Description:
When loading an NPF configuration that contains an empty procedure, the kernel panics.
>How-To-Repeat:
Load the following NPF config file with "/etc/rc.d/npf onestart". Don't enable NPF in /etc/rc.conf because then you'll get into a panic loop as NetBSD panics every time it boots.
procedure "empty" {
}
group default {
pass all
}
>Fix:
I don't have a code fix, nor a stack trace just yet. The obvious workaround is to not put an empty procedure in your npf.conf file.
I should be able to get a core dump on -current.
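A pre-load check for the workaround above, as an added example that is not part of the PR or of NetBSD's own npfctl: it scans an npf.conf for procedure blocks with empty bodies (the reproducer's layout and the one-line "{ }" variant, which goes beyond the single case shown) so a host never loads, or enables at boot, a configuration that trips this panic. The line-based awk parser and the sample files are assumptions constructed here.

```shell
#!/bin/sh
# Pre-load check for the npf.conf shape reported in PR kern/54950: a
# "procedure" block with an empty body. Added example, not part of the PR
# or of NetBSD; the line-based parser is an assumption that covers the
# brace-on-its-own-line and one-line "{ }" layouts, not all npf.conf syntax.

# Print "name:line" for every empty procedure in file $1.
# Exit status 0 when none are found, 1 otherwise.
find_empty_procedures() {
    awk '
    # Closing brace: report the procedure if only blank/comment lines were seen.
    inproc && /^[ \t]*[}]/ {
        if (!content) { print name ":" start; n++ }
        inproc = 0; next
    }
    # Any non-blank, non-comment line inside the body counts as content.
    inproc && /[^ \t]/ && !/^[ \t]*#/ { content = 1; next }
    # Start of a procedure block: remember its name and line number.
    /^[ \t]*procedure[ \t]+"[^"]*"[ \t]*[{]/ {
        match($0, /"[^"]*"/)
        name = substr($0, RSTART + 1, RLENGTH - 2)
        start = NR; inproc = 1; content = 0
        rest = $0; sub(/^[^{]*[{]/, "", rest)
        if (rest ~ /[}]/) {            # one-line block: procedure "x" { ... }
            sub(/[}].*/, "", rest)
            if (rest !~ /[^ \t]/) { print name ":" start; n++ }
            inproc = 0
        } else if (rest ~ /[^ \t]/) content = 1
    }
    END { exit (n > 0) }
    ' "$1"
}

# Constructed sample configurations: the first is the PR reproducer plus a
# one-line variant; the second is a well-formed file that must pass.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_BAD="$SAMPLE_DIR/bad.conf"
SAMPLE_OK="$SAMPLE_DIR/ok.conf"
printf 'procedure "empty" {\n}\nprocedure "alsoempty" { }\ngroup default {\n\tpass all\n}\n' > "$SAMPLE_BAD"
printf 'procedure "log" {\n\t# send to npflog0\n\tlog: npflog0\n}\nprocedure "oneline" { log: npflog0 }\ngroup default {\n\tpass all\n}\n' > "$SAMPLE_OK"

# Usage: refuse to (re)load a configuration that would trigger the panic.
if find_empty_procedures "$SAMPLE_BAD"; then
    echo "bad.conf: no empty procedures"
else
    echo "bad.conf: empty procedure(s) found, not loading"
fi
find_empty_procedures "$SAMPLE_OK" && echo "ok.conf: no empty procedures"
```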
>Release-Note:
>Audit-Trail:
From: Lloyd Parkes <lloyd@must-have-coffee.gen.nz>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/54950: Kernel panic in NPF with empty procedure
Date: Tue, 11 Feb 2020 17:25:31 +1300
After really quite a lot of fussing, I managed to get a stack trace from
GDB that appears OK enough to be useful.
(gdb) info files
Kernel memory interface:
Using the kernel crash dump /mnt/netbsd.2.core.
(gdb) where
#0 0xc011d695 in maybe_dump (howto=260)
at /vol/src/cylc/src-marples/sys/arch/i386/i386/machdep.c:728
#1 cpu_reboot (howto=howto@entry=260, bootstr=bootstr@entry=0x0)
at /vol/src/cylc/src-marples/sys/arch/i386/i386/machdep.c:749
#2 0xc06516c2 in kern_reboot (howto=howto@entry=260,
bootstr=bootstr@entry=0x0)
at /vol/src/cylc/src-marples/sys/kern/kern_reboot.c:61
#3 0xc069283a in vpanic (fmt=fmt@entry=0xc08e801e "trap",
ap=ap@entry=0xcdc6abd8 "\254\254\306\315\254\254\306\315\001")
at /vol/src/cylc/src-marples/sys/kern/subr_prf.c:336
#4 0xc06928d1 in panic (fmt=fmt@entry=0xc08e801e "trap")
at /vol/src/cylc/src-marples/sys/kern/subr_prf.c:255
#5 0xc0120026 in trap (frame=0xcdc6acac)
at /vol/src/cylc/src-marples/sys/arch/i386/i386/trap.c:348
#6 0xc0115c82 in alltraps ()
#7 0xcdc6acac in ?? ()
#8 0xc0469470 in npf_config_destroy (nc=nc@entry=0xc13d6ca8)
at /vol/src/cylc/src-marples/sys/net/npf/npf_conf.c:97
#9 0xc046ace6 in npfctl_load_nvlist (errdict=0xc1ab30cc,
npf_dict=0xc1a8be8c,
npf=0xc13cbac8) at /vol/src/cylc/src-marples/sys/net/npf/npf_ctl.c:643
#10 npfctl_load (npf=0xc13cbac8, cmd=3222031974, data=0xcdc6aeac)
at /vol/src/cylc/src-marples/sys/net/npf/npf_ctl.c:664
#11 0xc070cc87 in spec_ioctl (v=0xcdc6ad9c) at ./machine/cpu.h:69
#12 0xc07011e5 in VOP_IOCTL (vp=vp@entry=0xc1562804,
command=command@entry=3222031974, data=data@entry=0xcdc6aeac, fflag=1,
cred=0xc1a86100) at /vol/src/cylc/src-marples/sys/kern/vnode_if.c:612
#13 0xc06f7b88 in vn_ioctl (fp=0xc194bac0, com=3222031974, data=0xcdc6aeac)
at /vol/src/cylc/src-marples/sys/kern/vfs_vnops.c:775
#14 0xc06a01d9 in sys_ioctl (l=<optimized out>, uap=<optimized out>,
retval=<optimized out>)
at /vol/src/cylc/src-marples/sys/kern/sys_generic.c:671
#15 0xc014ee95 in sy_call (rval=0xcdc6af60, uap=0xcdc6af68, l=0xc1522b80,
sy=0xc0a79c78 <sysent+1080>)
at /vol/src/cylc/src-marples/sys/sys/syscallvar.h:65
#16 sy_invoke (code=54, rval=0xcdc6af60, uap=0xcdc6af68, l=0xc1522b80,
sy=<optimized out>) at
/vol/src/cylc/src-marples/sys/sys/syscallvar.h:94
#17 syscall (frame=0xcdc6afa8)
at /vol/src/cylc/src-marples/sys/arch/x86/x86/syscall.c:138
#18 0xc0100849 in Xsyscall ()
#19 0xcdc6afa8 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb)
From: Lloyd Parkes <lloyd@must-have-coffee.gen.nz>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/54950: Kernel panic in NPF with empty procedure
Date: Tue, 11 Feb 2020 17:36:37 +1300
The following version of the stack trace looks like it won't get mangled
by Thunderbird.
(gdb) where
#0 0xc011d695 in maybe_dump (howto=260)
at /vol/src/cylc/src-marples/sys/arch/i386/i386/machdep.c:728
#1 cpu_reboot (howto=howto@entry=260, bootstr=bootstr@entry=0x0)
at /vol/src/cylc/src-marples/sys/arch/i386/i386/machdep.c:749
#2 0xc06516c2 in kern_reboot (howto=howto@entry=260,
bootstr=bootstr@entry=0x0)
at /vol/src/cylc/src-marples/sys/kern/kern_reboot.c:61
#3 0xc069283a in vpanic (fmt=fmt@entry=0xc08e801e "trap",
ap=ap@entry=0xcdc6abd8 "\254\254\306\315\254\254\306\315\001")
at /vol/src/cylc/src-marples/sys/kern/subr_prf.c:336
#4 0xc06928d1 in panic (fmt=fmt@entry=0xc08e801e "trap")
at /vol/src/cylc/src-marples/sys/kern/subr_prf.c:255
#5 0xc0120026 in trap (frame=0xcdc6acac)
at /vol/src/cylc/src-marples/sys/arch/i386/i386/trap.c:348
#6 0xc0115c82 in alltraps ()
#7 0xcdc6acac in ?? ()
#8 0xc0469470 in npf_config_destroy (nc=nc@entry=0xc13d6ca8)
at /vol/src/cylc/src-marples/sys/net/npf/npf_conf.c:97
#9 0xc046ace6 in npfctl_load_nvlist (errdict=0xc1ab30cc,
npf_dict=0xc1a8be8c,
npf=0xc13cbac8) at /vol/src/cylc/src-marples/sys/net/npf/npf_ctl.c:643
#10 npfctl_load (npf=0xc13cbac8, cmd=3222031974, data=0xcdc6aeac)
at /vol/src/cylc/src-marples/sys/net/npf/npf_ctl.c:664
#11 0xc070cc87 in spec_ioctl (v=0xcdc6ad9c) at ./machine/cpu.h:69
#12 0xc07011e5 in VOP_IOCTL (vp=vp@entry=0xc1562804,
command=command@entry=3222031974, data=data@entry=0xcdc6aeac, fflag=1,
cred=0xc1a86100) at /vol/src/cylc/src-marples/sys/kern/vnode_if.c:612
#13 0xc06f7b88 in vn_ioctl (fp=0xc194bac0, com=3222031974, data=0xcdc6aeac)
at /vol/src/cylc/src-marples/sys/kern/vfs_vnops.c:775
#14 0xc06a01d9 in sys_ioctl (l=<optimized out>, uap=<optimized out>,
retval=<optimized out>)
at /vol/src/cylc/src-marples/sys/kern/sys_generic.c:671
#15 0xc014ee95 in sy_call (rval=0xcdc6af60, uap=0xcdc6af68, l=0xc1522b80,
sy=0xc0a79c78 <sysent+1080>)
at /vol/src/cylc/src-marples/sys/sys/syscallvar.h:65
#16 sy_invoke (code=54, rval=0xcdc6af60, uap=0xcdc6af68, l=0xc1522b80,
sy=<optimized out>) at
/vol/src/cylc/src-marples/sys/sys/syscallvar.h:94
#17 syscall (frame=0xcdc6afa8)
at /vol/src/cylc/src-marples/sys/arch/x86/x86/syscall.c:138
#18 0xc0100849 in Xsyscall ()
#19 0xcdc6afa8 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/54950 CVS commit: src/sys/net/npf
Date: Tue, 11 Feb 2020 20:34:55 -0500
Module Name: src
Committed By: christos
Date: Wed Feb 12 01:34:55 UTC 2020
Modified Files:
src/sys/net/npf: npf_ruleset.c
Log Message:
PR/54950: Lloyd Parkes: Avoid NULL deref.
To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 src/sys/net/npf/npf_ruleset.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Christos Zoulas <christos@zoulas.com>
To: gnats-bugs@netbsd.org
Cc: kern-bug-people@netbsd.org,
gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org,
lloyd@must-have-coffee.gen.nz
Subject: Re: kern/54950: Kernel panic in NPF with empty procedure
Date: Tue, 11 Feb 2020 20:38:52 -0500
For future reference, this is really easy to debug in userland:
$ npfctl debug npf.conf npf.nvlist
$ gdb --args npftest -c npf.nvlist -t
christos
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/54950 CVS commit: [netbsd-9] src/sys/net/npf
Date: Wed, 12 Feb 2020 19:41:13 +0000
Module Name: src
Committed By: martin
Date: Wed Feb 12 19:41:13 UTC 2020
Modified Files:
src/sys/net/npf [netbsd-9]: npf_ruleset.c
Log Message:
Pull up following revision(s) (requested by christos in ticket #699):
sys/net/npf/npf_ruleset.c: revision 1.50
PR/54950: Lloyd Parkes: Avoid NULL deref.
To generate a diff of this commit:
cvs rdiff -u -r1.48.2.1 -r1.48.2.2 src/sys/net/npf/npf_ruleset.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Lloyd Parkes <lloyd@must-have-coffee.gen.nz>
To: gnats-bugs@netbsd.org, kern-bug-people@netbsd.org,
gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc:
Subject: Re: PR/54950 CVS commit: src/sys/net/npf
Date: Thu, 13 Feb 2020 19:50:29 +1300
On 12/02/20 2:35 pm, Christos Zoulas wrote:
> The following reply was made to PR kern/54950; it has been noted by GNATS.
>
> From: "Christos Zoulas" <christos@netbsd.org>
> To: gnats-bugs@gnats.NetBSD.org
> Cc:
> Subject: PR/54950 CVS commit: src/sys/net/npf
> Date: Tue, 11 Feb 2020 20:34:55 -0500
>
> Modified Files:
> src/sys/net/npf: npf_ruleset.c
I'm pretty sure that this doesn't cover all NULL pointer derefs in NPF.
You can also get a NULL pointer deref for the NAT rulesets.
I'm still waiting for my CVS to rsync from anoncvs.netbsd.org so I don't
actually know what this patch is, but a patch I generated last night is
below.
On top of that, I don't see how any of this could have been triggered by
my actual NPF configuration and I'm guessing that our trivial test cases
have uncovered other problems. I'm going to try and regenerate my
original configuration and see what happens.
Cheers
cvs diff: Diffing .
Index: npf_conf.c
===================================================================
RCS file: /vol/src/rsync-src/src/sys/net/npf/npf_conf.c,v
retrieving revision 1.15
diff -u -r1.15 npf_conf.c
--- npf_conf.c 25 Aug 2019 13:21:03 -0000 1.15
+++ npf_conf.c 12 Feb 2020 04:38:30 -0000
@@ -47,7 +47,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.14 2019/08/11 20:26:33 rmind
Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.15 2019/08/25 13:21:03 rmind
Exp $");
#include <sys/param.h>
#include <sys/types.h>
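Review bot: the first hunk only rewrites the __KERNEL_RCSID string from the 1.14 to the 1.15 keyword, which is the local checkout's stale $NetBSD$ tag rather than part of the fix; drop this hunk so the patch carries only the npf_config_destroy change.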
@@ -94,8 +94,8 @@
* Note: the rulesets must be destroyed first, in order to drop
* any references to the tableset.
*/
- npf_ruleset_destroy(nc->ruleset);
- npf_ruleset_destroy(nc->nat_ruleset);
+ if (nc->ruleset) npf_ruleset_destroy(nc->ruleset);
+ if (nc->nat_ruleset) npf_ruleset_destroy(nc->nat_ruleset);
npf_rprocset_destroy(nc->rule_procs);
npf_tableset_destroy(nc->tableset);
kmem_free(nc, sizeof(npf_config_t));
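Review bot: guarding only the two calls in npf_config_destroy leaves npf_ruleset_destroy itself unsafe for any other caller that can pass a NULL ruleset, and the committed fix (npf_ruleset.c revision 1.50, "Avoid NULL deref") takes the callee side instead; if caller-side checks are kept, npf_rprocset_destroy(nc->rule_procs) and npf_tableset_destroy(nc->tableset) two lines below run unconditionally on the same partially built nc and need the same treatment, or a comment stating they tolerate NULL. Style: NetBSD KNF puts the statement on its own line under the if and compares pointers explicitly, e.g. `if (nc->ruleset != NULL)`.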
State-Changed-From-To: open->closed
State-Changed-By: rmind@NetBSD.org
State-Changed-When: Mon, 25 May 2020 17:36:16 +0000
State-Changed-Why:
Fixed.
>Unformatted: