Regression #12217 (closed)
Kernel panic in IPFW when using Captive Portal
Status: Resolved
Priority: Very High
Assignee:
Category: Captive Portal
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.01
Release Notes: Force Exclusion
Affected Version: 2.6.0
Affected Architecture:
Description
Starting around the 2.6.0 snapshot on August 3rd (20210803*), a VM configured for HA with Captive Portal experiences a kernel panic at boot. The same VM with the same config is stable using a snapshot from a few days prior, 20210731*.
If I disable captive portal, the system boots successfully and does not panic. The portal has very few settings active: only local authentication and vouchers are enabled.
After inspecting the textdump contents, Kristof suggested the following patch:
diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c
index 7b3038b8f1c..50ff6676d55 100644
--- a/sys/netpfil/ipfw/ip_fw2.c
+++ b/sys/netpfil/ipfw/ip_fw2.c
@@ -1928,7 +1928,8 @@ do { \
}
case O_MACADDR2_LOOKUP:
- if (args->eh != NULL) { /* have MAC header */
+ if ((args->flags & IPFW_ARGS_ETHER) &&
+ args->eh != NULL) { /* have MAC header */
uint32_t v = 0;
match = ipfw_lookup_table(chain,
cmd->arg1, 0, args->eh, &v, NULL,
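Review bot: The new condition in the O_MACADDR2_LOOKUP case needs a comment saying why `args->eh != NULL` is not sufficient on its own, because the retained `/* have MAC header */` comment now describes only half of the test. The backtrace filed with this report reaches ipfw_chk() from ip_output() through pfil_run_hooks() and still faults in ta_lookup_mhash() at virtual address 0x3, which means `args->eh` was non-NULL but not a usable header pointer on that path. If the intent is that `args->eh` may only be read when IPFW_ARGS_ETHER is set, state that next to the check. Before merging, also confirm that no other case in ipfw_chk() still reads `args->eh` guarded only by a NULL test.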
Textdumps from two panics attached, but they contain the same backtrace and panic message (aside from time values and slight difference in some memory addresses):
Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address = 0x3
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff84346fd2
stack pointer = 0x28:0xfffffe000e7b7590
frame pointer = 0x28:0xfffffe000e7b7610
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 12 (swi4: clock (0))
trap number = 12
panic: page fault
cpuid = 1
time = 1628171656
KDB: enter: panic

db:0:kdb.enter.default> bt
Tracing pid 12 tid 100028 td 0xfffff8000516f740
kdb_enter() at kdb_enter+0x37/frame 0xfffffe000e7b7250
vpanic() at vpanic+0x197/frame 0xfffffe000e7b72a0
panic() at panic+0x43/frame 0xfffffe000e7b7300
trap_fatal() at trap_fatal+0x391/frame 0xfffffe000e7b7360
trap_pfault() at trap_pfault+0x4f/frame 0xfffffe000e7b73b0
trap() at trap+0x286/frame 0xfffffe000e7b74c0
calltrap() at calltrap+0x8/frame 0xfffffe000e7b74c0
--- trap 0xc, rip = 0xffffffff84346fd2, rsp = 0xfffffe000e7b7590, rbp = 0xfffffe000e7b7610 ---
ta_lookup_mhash() at ta_lookup_mhash+0x62/frame 0xfffffe000e7b7610
ipfw_chk() at ipfw_chk+0x226f/frame 0xfffffe000e7b7840
ipfw_check_packet() at ipfw_check_packet+0xf0/frame 0xfffffe000e7b7920
pfil_run_hooks() at pfil_run_hooks+0xb0/frame 0xfffffe000e7b79b0
ip_output() at ip_output+0xb4f/frame 0xfffffe000e7b7af0
carp_send_ad_locked() at carp_send_ad_locked+0x26a/frame 0xfffffe000e7b7b90
carp_send_ad() at carp_send_ad+0x33/frame 0xfffffe000e7b7bc0
softclock_call_cc() at softclock_call_cc+0x141/frame 0xfffffe000e7b7c70
softclock() at softclock+0x79/frame 0xfffffe000e7b7c90
ithread_loop() at ithread_loop+0x23c/frame 0xfffffe000e7b7cf0
fork_exit() at fork_exit+0x7e/frame 0xfffffe000e7b7d30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe000e7b7d30
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---