Bug #13896
Panic: page fault with IPv6 (status: open)
Description
pfSense crashes if it gets an IPv6 subnet over a PPPoE interface.
pfSense gets the subnet via DHCPv6 and delegates it to 2 VLANs.
These VLANs are each managed as a captive portal zone.
Panic:
<118>pfSense 2.7.0-DEVELOPMENT amd64 Sat Jan 14 02:41:40 UTC 2023
<118>Bootup complete
<7>cannot forward src fe80:13::648c:80ff:fea1:41bf, dst 2a00:1450:4001:80b::200a, nxt 58, rcvif igb2.215, outif pppoe1
<7>cannot forward src fe80:13::648c:80ff:fea1:41bf, dst 2a00:1450:4001:82a::200a, nxt 58, rcvif igb2.215, outif pppoe1
lock order reversal:
 1st 0xfffff8031035c590 lle (lle, rw) @ /var/jenkins/workspace/pfSense-CE-snapshots-master-main/sources/FreeBSD-src-devel-main/sys/netinet6/in6.c:2401
 2nd 0xfffffe0021f30270 nd6 list (nd6 list, rw) @ /var/jenkins/workspace/pfSense-CE-snapshots-master-main/sources/FreeBSD-src-devel-main/sys/netinet6/nd6_rtr.c:863
lock order nd6 list -> lle established at:
#0 0xffffffff80debf1d at witness_checkorder+0x32d
#1 0xffffffff80d74c97 at _rw_wlock_cookie+0x67
#2 0xffffffff810077ed at nd6_llinfo_timer+0x9d
#3 0xffffffff80d98ed1 at softclock_call_cc+0x151
#4 0xffffffff80d9a726 at softclock_thread+0xc6
#5 0xffffffff80d31dc0 at fork_exit+0x80
#6 0xffffffff813072de at fork_trampoline+0xe
lock order lle -> nd6 list attempted at:
#0 0xffffffff80dec7ed at witness_checkorder+0xbfd
#1 0xffffffff80d74c97 at _rw_wlock_cookie+0x67
#2 0xffffffff8100dce1 at defrouter_remove+0x41
#3 0xffffffff8100ab0d at nd6_na_input+0x97d
#4 0xffffffff80fdb7e4 at icmp6_input+0x8a4
#5 0xffffffff80ff53d3 at ip6_input+0xbc3
#6 0xffffffff80eea7a0 at netisr_dispatch_src+0x220
#7 0xffffffff80ec4e7c at ether_demux+0x17c
#8 0xffffffff80ec64f6 at ether_nh_input+0x3f6
#9 0xffffffff80eea62f at netisr_dispatch_src+0xaf
#10 0xffffffff80ec5339 at ether_input+0x99
#11 0xffffffff80ec4dcd at ether_demux+0xcd
#12 0xffffffff80ec64f6 at ether_nh_input+0x3f6
#13 0xffffffff80eea62f at netisr_dispatch_src+0xaf
#14 0xffffffff80ec5339 at ether_input+0x99
#15 0xffffffff80ee5ed4 at iflib_rxeof+0xdf4
#16 0xffffffff80edfeea at _task_fn_rx+0x7a
#17 0xffffffff80dc7917 at gtaskqueue_run_locked+0xa7
<7>cannot forward src fe80:13::648c:80ff:fea1:41bf, dst 2a00:1450:4001:80e::2014, nxt 58, rcvif igb2.215, outif pppoe1
<7>cannot forward src fe80:13::648c:80ff:fea1:41bf, dst 2600:9000:21f3:ac00:13:48f8:7bc0:93a1, nxt 58, rcvif igb2.215, outif pppoe1
<7>cannot forward src fe80:13::7cec:b157:babc:971e, dst 2a00:1450:4001:809::200a, nxt 6, rcvif igb2.215, outif pppoe1
Fatal trap 12: page fault while in kernel mode
cpuid = 2; apic id = 10
fault virtual address = 0x460
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80eb567d
stack pointer = 0x28:0xfffffe00c86dc280
frame pointer = 0x28:0xfffffe00c86dc280
code segment = base 0x0, limit 0xfffff, type 0x1b
 = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 12 (swi1: netisr 2)
rdi: 0 rsi: 2 rdx: 1
rcx: 0 r8: 0 r9: 2c5f55feffefec3e
rax: 2 rbx: fffff801bbc95200 rbp: fffffe00c86dc280
r10: 1 r11: 0 r12: fffffe00c86dc2e8
r13: fffff801bbc95278 r14: 0 r15: 0
trap number = 12
panic: page fault
cpuid = 2
time = 1674235212
KDB: enter: panic
Backtrace:
db:0:kdb.enter.default> bt
Tracing pid 12 tid 100039 td 0xfffffe0021fed000
kdb_enter() at kdb_enter+0x32/frame 0xfffffe00c86dc040
vpanic() at vpanic+0x182/frame 0xfffffe00c86dc090
panic() at panic+0x43/frame 0xfffffe00c86dc0f0
trap_fatal() at trap_fatal+0x409/frame 0xfffffe00c86dc150
trap_pfault() at trap_pfault+0xab/frame 0xfffffe00c86dc1b0
calltrap() at calltrap+0x8/frame 0xfffffe00c86dc1b0
--- trap 0xc, rip = 0xffffffff80eb567d, rsp = 0xfffffe00c86dc280, rbp = 0xfffffe00c86dc280 ---
if_inc_counter() at if_inc_counter+0xd/frame 0xfffffe00c86dc280
looutput() at looutput+0x64/frame 0xfffffe00c86dc2b0
ip6_forward() at ip6_forward+0x8cd/frame 0xfffffe00c86dc3b0
pf_refragment6() at pf_refragment6+0x174/frame 0xfffffe00c86dc400
pf_test6() at pf_test6+0xed6/frame 0xfffffe00c86dc570
pf_check6_out() at pf_check6_out+0x57/frame 0xfffffe00c86dc5a0
pfil_mbuf_out() at pfil_mbuf_out+0x55/frame 0xfffffe00c86dc5e0
ip6_output() at ip6_output+0x11e8/frame 0xfffffe00c86dc810
icmp6_reflect() at icmp6_reflect+0x2f7/frame 0xfffffe00c86dc8d0
icmp6_error() at icmp6_error+0x41a/frame 0xfffffe00c86dc940
pf_route6() at pf_route6+0xa91/frame 0xfffffe00c86dca10
pf_test6() at pf_test6+0xe47/frame 0xfffffe00c86dcb90
pf_check6_out() at pf_check6_out+0x57/frame 0xfffffe00c86dcbc0
pfil_mbuf_out() at pfil_mbuf_out+0x55/frame 0xfffffe00c86dcc00
ip6_forward() at ip6_forward+0x42f/frame 0xfffffe00c86dcd00
ip6_input() at ip6_input+0xc38/frame 0xfffffe00c86dcde0
swi_net() at swi_net+0x191/frame 0xfffffe00c86dce60
ithread_loop() at ithread_loop+0x279/frame 0xfffffe00c86dcef0
fork_exit() at fork_exit+0x80/frame 0xfffffe00c86dcf30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00c86dcf30
--- trap 0x720061, rip = 0x20003000620061, rsp = 0x30003000300031, rbp = 0 ---
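Added triage helper, not part of this report or of pfSense/FreeBSD code: it parses a trimmed excerpt of the trap header and ddb backtrace above, flags that fault address 0x460 lies inside the first page (by the usual heuristic, a NULL struct pointer plus a member offset, which is an assumption rather than something the report states), and counts how often ip6_forward recurs, since the trace shows the forwarded packet's ICMPv6 error being pushed back through the forwarding path before the fault in if_inc_counter.

```python
import re

# Constructed excerpt of the trap header and ddb backtrace from this report (frames trimmed).
PANIC_TEXT = """\
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x460
instruction pointer = 0x20:0xffffffff80eb567d
db:0:kdb.enter.default> bt
trap_pfault() at trap_pfault+0xab/frame 0xfffffe00c86dc1b0
calltrap() at calltrap+0x8/frame 0xfffffe00c86dc1b0
--- trap 0xc, rip = 0xffffffff80eb567d, rsp = 0xfffffe00c86dc280, rbp = 0xfffffe00c86dc280 ---
if_inc_counter() at if_inc_counter+0xd/frame 0xfffffe00c86dc280
looutput() at looutput+0x64/frame 0xfffffe00c86dc2b0
ip6_forward() at ip6_forward+0x8cd/frame 0xfffffe00c86dc3b0
pf_refragment6() at pf_refragment6+0x174/frame 0xfffffe00c86dc400
icmp6_reflect() at icmp6_reflect+0x2f7/frame 0xfffffe00c86dc8d0
icmp6_error() at icmp6_error+0x41a/frame 0xfffffe00c86dc940
pf_route6() at pf_route6+0xa91/frame 0xfffffe00c86dca10
ip6_forward() at ip6_forward+0x42f/frame 0xfffffe00c86dcd00
ip6_input() at ip6_input+0xc38/frame 0xfffffe00c86dcde0
"""

FRAME_RE = re.compile(r"^(\w+)\(\) at \1\+0x([0-9a-f]+)/frame 0x([0-9a-f]+)$")
TRAP_RE = re.compile(r"^--- trap 0x([0-9a-f]+), rip = 0x([0-9a-f]+)")

def parse_panic(text):
    """Split a FreeBSD panic dump into header fields and the frames after the trap marker."""
    info = {"frames": []}
    after_trap = False
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"^Fatal trap (\d+): (.*)$", line):
            info["trap"], info["reason"] = int(m.group(1)), m.group(2)
        elif m := re.match(r"^fault virtual address = 0x([0-9a-f]+)$", line):
            info["fault_addr"] = int(m.group(1), 16)
        elif m := TRAP_RE.match(line):
            # Frames before this marker are the panic/kdb machinery, not the faulting code path.
            after_trap, info["rip"] = True, int(m.group(2), 16)
        elif after_trap and (m := FRAME_RE.match(line)):
            info["frames"].append((m.group(1), int(m.group(2), 16)))
    return info

def classify_fault(addr, page_size=4096):
    # Heuristic (assumption): an address inside the first page is NULL plus a struct member offset.
    return "null-deref+0x%x" % addr if addr < page_size else "wild-pointer"

def forwarding_reentries(frames):
    # Each ip6_forward frame beyond the first means a forwarded packet produced traffic
    # (here an ICMPv6 error) that itself re-entered the forwarding path.
    return sum(1 for name, _ in frames if name == "ip6_forward") - 1
```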
Updated by Marcos M almost 2 years ago
Does this happen without the Captive Portal configuration? It looks like IPv6 on Captive Portal isn't yet supported according to https://redmine.pfsense.org/issues/1831.
Updated by Grischa Zengel almost 2 years ago
Even though this is a pre-release, pfSense is used in production.
So I can't provoke a crash.
Since the crash only happens during working hours, I think there is one device which behaves strangely and provokes this crash.
I don't know this particular device and I can't move it to another VLAN without authorization.
Even if the captive portal couldn't handle IPv6, pfSense should never crash with a page fault in kernel mode.