Date:      Wed, 15 Oct 2003 19:00:12 -0700 (PDT)
From:      Kirk McKusick <mckusick@FreeBSD.org>
To:        src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   cvs commit: src/sys/netinet ip_fw2.c
Message-ID:  <200310160200.h9G20CZu030138@repoman.freebsd.org>

mckusick    2003/10/15 19:00:12 PDT

  FreeBSD src repository

  Modified files:
    sys/netinet          ip_fw2.c 
  Log:
  Malloc buckets of size 128 have been having their 64-byte offset
  trashed after being freed. This has caused several panics including
  kern/42277 related to soft updates. Jim Kuhn tracked the problem
  down to ipfw limit rule processing.  In the expiry of dynamic rules,
  it is possible for an O_LIMIT_PARENT rule to be removed when it still
  has live children.  When the children eventually do expire, a pointer
  to the (long gone) parent is dereferenced and a count decremented.
  Since this memory can, and is, allocated for other purposes (in the
  case of kern/42277 an inodedep structure), chaos ensues. The offset
  in question in inodedep is the offset of the 16 bit count field in
  the ipfw2 ipfw_dyn_rule.
  
  Submitted by:   Jim Kuhn <jkuhn@sandvine.com>
  Reviewed by:    "Evgueni V. Gavrilov" <aquatique@rusunix.org>
  Reviewed by:    Ben Pfountz <netprince@vt.edu>
  MFC after:      1 week
  
  Revision  Changes    Path
  1.40      +7 -4      src/sys/netinet/ip_fw2.c
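
The lifetime rule this log describes, as an added C model that is not the committed ip_fw2.c change: a limit parent stays allocated until its child count reaches zero, so a child's later decrement never touches freed memory. The struct layout, the `DYN_*` names and all four functions are simplified assumptions for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Simplified model (assumption): only the fields the lifetime rule needs. */
enum dyn_type { DYN_LIMIT, DYN_LIMIT_PARENT };
struct dyn_rule {
    struct dyn_rule *next, *parent;  /* parent: child -> its limit parent */
    enum dyn_type type;
    uint16_t count;                  /* parent only: number of live children */
    long expire;                     /* absolute expiry time */
};

/* Time-only test: lets a parent go while children still point at it. */
static int expired_time_only(const struct dyn_rule *q, long now) { return q->expire <= now; }

/* Lifetime-aware test: a parent is removable only once count reaches 0. */
static int expired_safe(const struct dyn_rule *q, long now)
{
    return !(q->type == DYN_LIMIT_PARENT && q->count != 0) && q->expire <= now;
}

/* Link a new rule at the list head; a child bumps its parent's count. */
static struct dyn_rule *add_rule(struct dyn_rule **head, enum dyn_type type,
                                 struct dyn_rule *parent, long expire)
{
    struct dyn_rule *q = calloc(1, sizeof(*q));
    if (q == NULL) return NULL;
    q->type = type; q->parent = parent; q->expire = expire;
    if (parent != NULL) parent->count++;
    q->next = *head; *head = q;
    return q;
}

/* Pass 0 frees expired children, pass 1 parents; returns rules freed. */
static int sweep(struct dyn_rule **head, long now)
{
    int freed = 0;
    for (int pass = 0; pass < 2; pass++) {
        for (struct dyn_rule **pp = head, *q; (q = *pp) != NULL; ) {
            if ((q->type == DYN_LIMIT_PARENT) != pass || !expired_safe(q, now)) { pp = &q->next; continue; }
            if (q->parent != NULL)
                q->parent->count--;  /* safe: the parent is still allocated */
            *pp = q->next;
            free(q);
            freed++;
        }
    }
    return freed;
}
```

Running the children pass before the parents pass lets a parent whose last child expires in the same sweep be reclaimed immediately instead of waiting for the next one.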


