freebsd stable - Feb 2016 - 10.2-RELEASE-p12 pf+GRE crashing

All,

I recently upgraded a pair of 10.0-RELEASE firewalls in the hope that I 
could avoid the local patching required to keep it up and running. 
Unfortunately, it crashes whenever I reload my pf firewall rule set. If 
I remove the GRE tunnel configurations from rc.conf, it happily reloads 
the rule set all day long. The kernel config is mostly GENERIC with the 
following additions ...

# Packet Filter
device      pf          # PF OpenBSD packet-filter firewall
device      pflog       # Logging support interface for PF
device      pfsync      # Synchronization interface for PF
device      carp        # Common Address Redundancy Protocol

# IPsec
device      crypto
device      enc
options     IPSEC

The crash is easy to reproduce as pfctl -f /etc/pf.conf does it every 
time. I should also mention that I tried with and without the following 
additional commits applied, but get the same result ...

https://svnweb.freebsd.org/base?view=revision&revision=272695
https://svnweb.freebsd.org/base?view=revision&revision=288529

I'm also a bit confused as to why these patches haven't made it into 10 
STABLE yet. The former doesn't mention an MFC and the latter has an MFC 
of 1 week, but was never done. In any case, here is the output from kgdb ...

[root at fw2 /var/crash]# kgdb /boot/kernel/kernel vmcore.3
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain 
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x4a4
fault code              = supervisor write data, page not present
instruction pointer     = 0x20:0xffffffff809c07f4
stack pointer           = 0x28:0xfffffe0000233b30
frame pointer           = 0x28:0xfffffe0000233b40
code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 1990 (pfctl)
trap number             = 12
panic: page fault
cpuid = 1
KDB: stack backtrace:
#0 0xffffffff808048c0 at kdb_backtrace+0x60
#1 0xffffffff807c8596 at vpanic+0x126
#2 0xffffffff807c8463 at panic+0x43
#3 0xffffffff80bdc10b at trap_fatal+0x36b
#4 0xffffffff80bdc40d at trap_pfault+0x2ed
#5 0xffffffff80bdbaaa at trap+0x47a
#6 0xffffffff80bc1fa2 at calltrap+0x8
#7 0xffffffff809a91f4 at pf_empty_pool+0x44
#8 0xffffffff809ab3e5 at pfioctl+0x805
#9 0xffffffff806b5659 at devfs_ioctl_f+0x139
#10 0xffffffff8081b805 at kern_ioctl+0x255
#11 0xffffffff8081b500 at sys_ioctl+0x140
#12 0xffffffff80bdca27 at amd64_syscall+0x357
#13 0xffffffff80bc228b at Xfast_syscall+0xfb
Uptime: 1m1s
Dumping 156 out of 2025 MB:..11%..21%..31%..42%..52%..62%..72%..83%..93%

Reading symbols from /boot/kernel/if_lagg.ko.symbols...done.
Loaded symbols for /boot/kernel/if_lagg.ko.symbols
Reading symbols from /boot/kernel/if_gre.ko.symbols...done.
Loaded symbols for /boot/kernel/if_gre.ko.symbols
#0  doadump (textdump=<value optimized out>) at pcpu.h:219
219     pcpu.h: No such file or directory.
         in pcpu.h

Any help in resolving this would be greatly appreciated.

-Matthew

On 2/3/2016 4:56 PM, Matthew Grooms wrote:
> All,
>
> I recently upgraded a pair of 10.0-RELEASE firewalls in the hope that 
> I could avoid the local patching required to keep it up and running. 
> Unfortunately, it crashes whenever I reload my pf firewall rule set. 
> If I remove the GRE tunnel configurations from rc.conf, it happily 
> reloads the rule set all day long. The kernel config is mostly GENERIC 
> with the following additions ...
>
> # Packet Filter
> device      pf          # PF OpenBSD packet-filter firewall
> device      pflog       # Logging support interface for PF
> device      pfsync      # Synchronization interface for PF
> device      carp        # Common Address Redundancy Protocol
>
> # IPsec
> device      crypto
> device      enc
> options     IPSEC
>
> The crash is easy to reproduce as pfctl -f /etc/pf.conf does it every 
> time. I should also mention that I tried with and without the 
> following additional commits applied, but get the same result ...
>
> https://svnweb.freebsd.org/base?view=revision&revision=272695
> https://svnweb.freebsd.org/base?view=revision&revision=288529
>
> I'm also a bit confused as to why these patches haven't made it
into
> 10 STABLE yet. The former doesn't mention an MFC and the latter has an 
> MFC of 1 week, but was never done. In any case, here is the output 
> from kgdb ...
This turned out to be another issue that was patched in head but not 
back ported to stable. I can't explain why it didn't get tripped when 
GRE tunnels were disabled. With the patch applied, I can reload my rule 
sets again without crashing ...

https://svnweb.freebsd.org/base?view=revision&revision=264689

(kgdb) bt
#0  doadump (textdump=<value optimized out>) at pcpu.h:219
#1  0xffffffff807c81f2 in kern_reboot (howto=260) at 
../../../kern/kern_shutdown.c:451
#2  0xffffffff807c85d5 in vpanic (fmt=<value optimized out>, ap=<value 
optimized out>)
     at ../../../kern/kern_shutdown.c:758
#3  0xffffffff807c8463 in panic (fmt=0x0) at 
../../../kern/kern_shutdown.c:687
#4  0xffffffff80bdc10b in trap_fatal (frame=<value optimized out>,
     eva=<value optimized out>) at ../../../amd64/amd64/trap.c:851
#5  0xffffffff80bdc40d in trap_pfault (frame=0xfffffe0000233a80,
     usermode=<value optimized out>) at ../../../amd64/amd64/trap.c:674
#6  0xffffffff80bdbaaa in trap (frame=0xfffffe0000233a80)
     at ../../../amd64/amd64/trap.c:440
#7  0xffffffff80bc1fa2 in calltrap () at 
../../../amd64/amd64/exception.S:236
#8  0xffffffff809c07f4 in pfr_detach_table (kt=0x0) at 
../../../netpfil/pf/pf_table.c:2047
#9  0xffffffff809a91f4 in pf_empty_pool (poola=0xffffffff813c3d68)
     at ../../../netpfil/pf/pf_ioctl.c:354
#10 0xffffffff809ab3e5 in pfioctl (dev=<value optimized out>,
cmd=<value
optimized out>,
     addr=0xfffff8005eaf6800 "", flags=<value optimized out>,
td=<value
optimized out>)
     at ../../../netpfil/pf/pf_ioctl.c:2189
#11 0xffffffff806b5659 in devfs_ioctl_f (fp=0xfffff8000a2927d0, 
com=3295691827,
     data=0xfffff8005eaf6800, cred=<value optimized out>, 
td=0xfffff8000a25f000)
     at ../../../fs/devfs/devfs_vnops.c:785
#12 0xffffffff8081b805 in kern_ioctl (td=0xfffff8000a25f000, fd=<value 
optimized out>,
     com=2) at file.h:320
#13 0xffffffff8081b500 in sys_ioctl (td=0xfffff8000a25f000, 
uap=0xfffffe0000234b40)
     at ../../../kern/sys_generic.c:718
#14 0xffffffff80bdca27 in amd64_syscall (td=0xfffff8000a25f000, traced=0)
     at subr_syscall.c:134
#15 0xffffffff80bc228b in Xfast_syscall () at 
../../../amd64/amd64/exception.S:396
#16 0x0000000800dd9fda in ?? ()
Previous frame inner to this frame (corrupt stack?)
Current language:  auto; currently minimal

-Matthew