Subject: kern/26498: panic: uvm_fault during fr_send_icmp_err (ipfilter)
To: None <gnats-bugs@gnats.NetBSD.org>
From: Frank Kardel <kardel@pip.acrys.com>
List: netbsd-bugs
Date: 07/31/2004 20:38:25
>Number:         26498
>Category:       kern
>Synopsis:       panic: uvm_fault during fr_send_icmp_err (ipfilter)
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Jul 31 18:55:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Frank Kardel
>Release:        NetBSD 2.0G
>Organization:
>Environment:
System: NetBSD pip 2.0G NetBSD 2.0G (SYSPIP_ISDN) #0: Sat Jul 31 17:09:16 MEST 2004 kardel@pip:/fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/arch/i386/compile/obj.i386/SYSPIP_ISDN i386
Architecture: i386
Machine: i386
>Description:
	Kernel as of current-20040731-071339 panics when attempting to
	reply to a blocked packet with an ICMP packet.
stack trace:

#19 0xc0102cab in calltrap ()
#20 0xc0127ead in fr_check (ip=0xcb135818, hlen=20, ifp=0xc1aac800, out=0, 
    mp=0xcd9a2684)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netinet/fil.c:2416
#21 0xc012c0fe in fr_check_wrapper (arg=0x0, mp=0xcd9a2684, ifp=0xc1aac800, 
    dir=1)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netinet/ip_fil_netbsd.c:158
#22 0xc031ed6a in pfil_run_hooks (ph=0xc053e080, mp=0xcd9a26ec, 
    ifp=0xc1aac800, dir=1)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/net/pfil.c:72
#23 0xc0114459 in ip_input (m=0xc18fe100)
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netinet/ip_input.c:645
#24 0xc0113d16 in ipintr ()
    at /fs/IC35L180AVV207-1-n/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netinet/ip_input.c:466
#25 0xc0102981 in Xsoftnet ()
#26 0xc036044d in softintr_dispatch (which=0) at x86/intr.h:168

Actual crash is at: fr_send_icmp_err(3,cd464a70,0,4000a001,c21d1800) at netbsd:fr_send_icmp_err+0x278

which is: sys/netinet/ip_fil_netbsd.c:938

In source:
        iclen = hlen + sizeof(*icmp) + xtra;
        avail -= (max_linkhdr + iclen);
        m->m_data += max_linkhdr;
CRASH-> m->m_pkthdr.rcvif = (struct ifnet *)0;
        if (xtra > avail)
                xtra = avail;


It seems that m->m_pkthdr is not properly set up when attempting to
reply with an ICMP packet.

>How-To-Repeat:
	Run -current with ipfilter enabled and a configuration that
	returns ICMP packets for blocked packets.
	Wait for the worm connection request of the day and watch
	the kernel crash.
>Fix:
	Workaround: remove all return* clauses from /etc/ipf.conf
>Release-Note:
>Audit-Trail:
>Unformatted:
 		current-20040731-071339
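As an added illustration, not part of this report and not NetBSD's own code: a userland model of the crash site in ip_fil_netbsd.c with the check a defender would want before any write through m_pkthdr. The struct layout and flag value are made-up stand-ins, and since the report only says m_pkthdr was not properly set up, the missing-M_PKTHDR case is an assumed cause, not a confirmed one.

```c
#include <stddef.h>

/* Constructed userland model of the mbuf fields the crash site touches;
 * not NetBSD's struct mbuf, and the flag value is made up. */
#define M_PKTHDR 0x02
struct ifnet;
struct mbuf {
    int    m_flags;                  /* M_PKTHDR only on a packet-header mbuf */
    char  *m_data;
    struct { struct ifnet *rcvif; } m_pkthdr;
    char   m_buf[256];
};

/* The arithmetic from the reported crash site, with the check a defensive
 * caller wants first: m_pkthdr exists only on a packet-header mbuf.
 * Returns 0 on success, -1 when the reply must be dropped instead. */
int icmp_err_prepare(struct mbuf *m, int hlen, int icmplen, int *xtra,
                     int avail, int max_linkhdr)
{
    if (m == NULL || (m->m_flags & M_PKTHDR) == 0)
        return -1;                   /* the unguarded code faulted here */
    int iclen = hlen + icmplen + *xtra;
    avail -= (max_linkhdr + iclen);
    m->m_data += max_linkhdr;
    m->m_pkthdr.rcvif = NULL;        /* the store that panicked */
    if (*xtra > avail)
        *xtra = avail;
    return 0;
}

/* Proper header mbuf: returns the clamped xtra, 200-(16+20+8+100) = 56. */
int demo_valid_pkthdr(void)
{
    struct mbuf m = { .m_flags = M_PKTHDR };
    m.m_data = m.m_buf;
    int xtra = 100;                  /* asks for more payload than fits */
    if (icmp_err_prepare(&m, 20, 8, &xtra, 200, 16) != 0)
        return -1;
    return (m.m_data == m.m_buf + 16 && m.m_pkthdr.rcvif == NULL) ? xtra : -2;
}

/* Mbuf without M_PKTHDR (assumed cause): guarded version returns -1. */
int demo_missing_pkthdr(void)
{
    struct mbuf m = { .m_flags = 0 };
    m.m_data = m.m_buf;
    int xtra = 8;
    return icmp_err_prepare(&m, 20, 8, &xtra, 200, 16);
}
```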