From owner-freebsd-net@FreeBSD.ORG Sat Mar 20 01:50:03 2010
Delivered-To: freebsd-net@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A2B821065672 for ; Sat, 20 Mar 2010 01:50:03 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 7714F8FC0A for ; Sat, 20 Mar 2010 01:50:03 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id o2K1o3FG046334 for ; Sat, 20 Mar 2010 01:50:03 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id o2K1o3sx046333; Sat, 20 Mar 2010 01:50:03 GMT (envelope-from gnats)
Date: Sat, 20 Mar 2010 01:50:03 GMT
Message-Id: <201003200150.o2K1o3sx046333@freefall.freebsd.org>
To: freebsd-net@FreeBSD.org
From: Gleb Kurtsou
Subject: Re: kern/144874: [if_bridge] [patch] if_bridge frees mbuf after pfil hooks returns non-zero
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Gleb Kurtsou
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Sat, 20 Mar 2010 01:50:03 -0000

The following reply was made to PR kern/144874; it has been noted by GNATS.

From: Gleb Kurtsou
To: bug-followup@FreeBSD.org, jacobmdrop@comcast.net
Cc:
Subject: Re: kern/144874: [if_bridge] [patch] if_bridge frees mbuf after pfil hooks returns non-zero
Date: Sat, 20 Mar 2010 03:50:04 +0200

[...]

> Create a simple pfil hook and install it with pfil_add_hook(PFIL_IN).
> The hook should drop (some) packets by returning a non-zero value. The
> hook should free the mbuf on dropped packets by calling m_freem(*mp).
> The filter should _not_ modify the mbuf pointer (mp). Install a
                    ^^^^^^^^^
Documentation is wrong here. As far as I can see all firewalls in the tree
zero mp after free, something like:

    if (chk && *m) {
        m_freem(*m);
        *m = NULL;
    }

Correct fix would be to update documentation and add KASSERT to
pfil_run_hooks checking *mp == 0 if hook returned non-zero result.

> if_bridge on the system, and pass traffic through the bridge, such
> that at least one packet gets dropped by the pfil hook. At some point
> shortly after that the system will panic. The panic usually occurs
> in sbflush_internal(), though there are other ways that the corruption
> can manifest.
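The ownership contract Gleb describes, as an added illustration that is not part of the PR, the thread, or FreeBSD's own code: a userland C model (the stand-in mbuf, hook names and outcome struct are all constructed) that runs a drop hook honouring the zero-*mp convention beside one that leaves *mp dangling, and records where a KASSERT in pfil_run_hooks would fire before the bridge's own m_freem() turns the dangling pointer into a double free.

```c
#include <stdlib.h>

/* Userland stand-in for a kernel mbuf; only what the ownership model needs. */
struct mbuf { int len; int freed; };

static int double_frees;   /* counts the corruption the PR reports */

static struct mbuf *m_get(int len) {
    struct mbuf *m = calloc(1, sizeof *m);
    m->len = len;
    return m;
}

/* Like the real m_freem(9), a NULL argument is a harmless no-op. */
static void m_freem(struct mbuf *m) {
    if (m == NULL) return;
    if (m->freed) { double_frees++; return; }   /* kernel: silent heap corruption */
    m->freed = 1;
}

/* Hook contract: non-zero means "dropped"; the hook that freed the mbuf
 * must also zero *mp so the caller cannot touch it again. */
typedef int (*pfil_hook_t)(struct mbuf **mp);

/* Drops frames shorter than 64 bytes and honours the contract. */
static int drop_short_ok(struct mbuf **mp) {
    if ((*mp)->len < 64) { m_freem(*mp); *mp = NULL; return 1; }
    return 0;
}

/* Same policy, but leaves *mp dangling: the hook the PR submitter describes. */
static int drop_short_dangling(struct mbuf **mp) {
    if ((*mp)->len < 64) { m_freem(*mp); return 1; }
    return 0;
}

struct outcome { int dropped; int violation; int double_free; };

/* Model of pfil_run_hooks() plus the bridge's own cleanup, with the check
 * Gleb suggests (a KASSERT in the kernel) reported instead of panicking. */
static struct outcome bridge_input(pfil_hook_t hook, int len) {
    struct mbuf *m = m_get(len), *storage = m;
    struct outcome o = {0, 0, 0};
    double_frees = 0;
    o.dropped = hook(&m) != 0;
    o.violation = o.dropped && m != NULL;  /* KASSERT(*mp == NULL) fires here */
    m_freem(m);      /* bridge cleanup; after a drop, harmless only if *mp was zeroed */
    o.double_free = double_frees;
    free(storage);   /* model only: reclaim the stand-in's memory */
    return o;
}
```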