Date: Sun, 05 Mar 2017 22:19:01 +0900
From: "Kristof Provost" <kp@FreeBSD.org>
To: Ross <basarevych@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: sonewconn: pru_attach() failed and kernel panic in PF
Message-ID: <F5E22FFD-FE2D-4A1A-B284-D7B660CCF9BF@FreeBSD.org>
In-Reply-To: <D0CD7B4C-2C21-4ABE-9F1B-41E5414A9A8A@FreeBSD.org>
References: <CANmv3=xB0Kce4ZQ4GYBE0cNpam0jzGPX7dSYSVBPiT-sryCyHA@mail.gmail.com> <D0CD7B4C-2C21-4ABE-9F1B-41E5414A9A8A@FreeBSD.org>
On 5 Mar 2017, at 21:42, Kristof Provost wrote:

> There’s only a couple of calls to uma_zfree() in
> pf_get_translations().
>
> These are:
> * uma_zfree(V_pf_state_key_z, skp);
> * uma_zfree(V_pf_state_key_z, *nkp);
> * uma_zfree(V_pf_state_key_z, *skp);
>
> Going by the inconsistent pointer use the first one is rather suspect.
> Looking a bit deeper, pf_get_translation() is only called from one
> place, and it always passes stack variables for skp and nkp, so the
> first call ends up trying to free that, which won’t work too well.
>
> That’s a bug (and I’ll fix it), but you’re only running into it
> because pf_state_key_clone() returned NULL, which will only happen
> under memory pressure.

The fix is done in r314702.

Regards,
Kristof
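The bug class described in the message above, as an added example that is not part of the original e-mail and is not the pf source: a simplified user-space model in which a callee with pointer-to-pointer out-parameters frees `skp` instead of `*skp` on its error path. The pool allocator, `get_keys()`, `run_case()` and the `clone_fails`/`buggy` switches are hypothetical names; unlike the real `uma_zfree()`, the model's `zone_free()` reports a foreign pointer through its return value so the difference can be observed without crashing.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a UMA zone: a fixed pool that can tell its own
 * items from foreign pointers. The real uma_zfree() returns nothing. */
struct key { int id; };
#define ZONE_ITEMS 4
static struct key zone_pool[ZONE_ITEMS];
static int zone_used[ZONE_ITEMS];

static struct key *zone_alloc(void) {
    for (int i = 0; i < ZONE_ITEMS; i++)
        if (!zone_used[i]) { zone_used[i] = 1; return &zone_pool[i]; }
    return NULL;
}

/* 0 = item returned to the zone, -1 = pointer is not a live zone item. */
static int zone_free(void *item) {
    uintptr_t p = (uintptr_t)item, base = (uintptr_t)zone_pool;
    if (p < base || p >= base + sizeof(zone_pool) || (p - base) % sizeof(struct key))
        return -1;
    if (!zone_used[(p - base) / sizeof(struct key)]) return -1;
    zone_used[(p - base) / sizeof(struct key)] = 0;
    return 0;
}

int zone_in_use(void) {
    int n = 0;
    for (int i = 0; i < ZONE_ITEMS; i++) n += zone_used[i];
    return n;
}

/* Fills two out-parameters; when the clone fails it must release *skp.
 * Returns 1 on success, otherwise the result of the cleanup free. */
static int get_keys(struct key **skp, struct key **nkp, int clone_fails, int buggy) {
    if ((*skp = zone_alloc()) == NULL) return -1;
    *nkp = clone_fails ? NULL : zone_alloc();
    if (*nkp != NULL) return 1;
    return buggy ? zone_free(skp)    /* address of the caller's stack slot */
                 : zone_free(*skp);  /* the zone item itself */
}

int run_case(int clone_fails, int buggy) {
    struct key *sk = NULL, *nk = NULL;   /* stack variables, as in the message */
    return get_keys(&sk, &nk, clone_fails, buggy);
}

int main(void) {
    printf("fixed: %d\n", run_case(1, 0));
    printf("buggy: %d\n", run_case(1, 1));
}
```

In the buggy case the zone item allocated for `*skp` is also never returned, so the error path both hands the allocator a stack address and leaks the key.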