Date: Wed, 29 Jul 2015 06:36:21 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 201879] panic: boot time panic with a scrub rule on "exclusive sleep mutex pf fragments"...
Message-ID: <bug-201879-17777-JccgldwmoC@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-201879-17777@https.bugs.freebsd.org/bugzilla/>
References: <bug-201879-17777@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201879

--- Comment #5 from commit-hook@freebsd.org ---
A commit references this bug:

Author: kp
Date: Wed Jul 29 06:35:37 UTC 2015
New revision: 285999

URL: https://svnweb.freebsd.org/changeset/base/285999

Log:
  pf: Always initialise pf_fragment.fr_flags

  When we allocate the struct pf_fragment in pf_fillup_fragment() we forgot to
  initialise the fr_flags field. As a result we sometimes mistakenly thought
  the fragment to not be a buffered fragment. This resulted in panics because
  we'd end up freeing the pf_fragment but not removing it from V_pf_fragqueue
  (believing it to be part of V_pf_cachequeue). The next time we iterated
  V_pf_fragqueue we'd use a freed object and panic.

  While here also fix a pf_fragment use after free in pf_normalize_ip().
  pf_reassemble() frees the pf_fragment, so we can't use it any more.

  PR:		201879, 201932
  MFC after:	5 days

Changes:
  head/sys/netpfil/pf/pf_norm.c

-- 
You are receiving this mail because:
You are the assignee for the bug.
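The allocate/free mismatch the log describes, reduced to a user-space model that can be compiled and stepped through; this is an added illustration, not code from pf_norm.c or from the commit. `struct frag`, `FRAG_NOBUFFER`, the two list heads, `zalloc_recycled()` and `demo()` are constructed stand-ins for pf_fragment, the flag bit tested by pf's BUFFER_FRAGMENTS() macro, V_pf_fragqueue/V_pf_cachequeue, a UMA zone handing back unzeroed memory, and the real call path.

```c
#include <stdlib.h>
#include <string.h>

/* Added model of the r285999 bug, not pf's own code: the queue a fragment is
 * freed from is derived from fr_flags, so an unwritten fr_flags can steer the
 * free to the wrong queue. FRAG_NOBUFFER is a constructed stand-in bit. */
#define FRAG_NOBUFFER 0x08
#define BUFFER_FRAGMENTS(f) (!((f)->fr_flags & FRAG_NOBUFFER))
struct frag { struct frag *next; int fr_flags; };
static struct frag *fragqueue, *cachequeue; /* V_pf_fragqueue / V_pf_cachequeue stand-ins */

/* Zone allocator stand-in: recycled memory that still holds old bytes. */
static struct frag *zalloc_recycled(void) {
	struct frag *f = malloc(sizeof(*f));
	if (f == NULL) abort();
	memset(f, 0xff, sizeof(*f));       /* simulated leftovers; NOBUFFER bit ends up set */
	return f;
}
/* Unlink f from the list rooted at *head; 1 if it was there, else 0. */
static int unlink_from(struct frag **head, struct frag *f) {
	for (struct frag **pp = head; *pp != NULL; pp = &(*pp)->next)
		if (*pp == f) { *pp = f->next; return 1; }
	return 0;
}
/* Model of pf_fillup_fragment(): only the fixed variant writes fr_flags. */
static struct frag *fillup_fragment(int fixed) {
	struct frag *f = zalloc_recycled();
	if (fixed) f->fr_flags = 0;        /* the fix: initialise before queueing */
	f->next = fragqueue;               /* a buffered fragment lives on fragqueue */
	fragqueue = f;
	return f;
}
/* Model of pf_remove_fragment(): trusts fr_flags to name the owning queue. */
static int remove_fragment(struct frag *f) {
	return BUFFER_FRAGMENTS(f) ? unlink_from(&fragqueue, f)
	                           : unlink_from(&cachequeue, f);
}

/* One allocate/free cycle. Returns 1 if the fragment came off the queue it was
 * really on; 0 means pf would free it while fragqueue still points at it, and
 * the next walk of fragqueue would touch freed memory (the reported panic). */
int demo(int fixed) {
	struct frag *f = fillup_fragment(fixed);
	int ok = remove_fragment(f);
	if (!ok) unlink_from(&fragqueue, f); /* cleanup pf never did, so the model stays valid */
	free(f);
	return ok;
}
```

With the junk-filled allocation and no initialisation, `demo(0)` returns 0: the fragment is looked for on the cache queue, not found, and would have been freed while still linked on fragqueue.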