From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 209475] pf didn't check if enough free RAM for net.pf.states_hashsize
Date: Sat, 10 Feb 2018 06:58:26 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.3-RELEASE
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209475

--- Comment #26 from fehmi noyan isi ---
Created attachment 190476
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=190476&action=edit
Kernel Crash Dump

(In reply to Kristof Provost from comment #25)

The VM I am running the tests on is 64-bit, so I do not think the panic is
triggered by mallocarray(9). However, I see that the mtx_init(9) in the for
loop causes the crash. I attach textdump output for your reference.
Here is the problem:

    if ((V_pf_keyhash = mallocarray(pf_hashsize, sizeof(struct pf_keyhash),
        M_PFHASH, M_NOWAIT | M_ZERO)) == NULL) {
            V_pf_keyhash = mallocarray(PF_HASHSIZ, sizeof(struct pf_keyhash),
                M_PFHASH, M_WAITOK | M_ZERO);
            printf(...);
    }
    if ((V_pf_idhash = mallocarray(pf_hashsize, sizeof(struct pf_idhash),
        M_PFHASH, M_NOWAIT | M_ZERO)) == NULL) {
            V_pf_idhash = mallocarray(PF_HASHSIZ, sizeof(struct pf_idhash),
                M_PFHASH, M_WAITOK | M_ZERO);
            printf(...);
    }

    pf_hashmask = pf_hashsize - 1;   // pf_hashsize is 2147483648

    for (i = 0, kh = V_pf_keyhash, ih = V_pf_idhash; i <= pf_hashmask;
        i++, kh++, ih++) {
            mtx_init(&kh->lock, "pf_keyhash", NULL, MTX_DEF | MTX_DUPOK);
            mtx_init(&ih->lock, "pf_idhash", NULL, MTX_DEF);
    }

In the code above, V_pf_idhash and V_pf_keyhash are allocated
PF_HASHSIZ * sizeof(struct pf_idhash) and PF_HASHSIZ * sizeof(struct pf_keyhash)
bytes of memory respectively.

The for loop following the mallocarray(9) calls expects the allocated memory
to be aligned with the pf_hashsize variable, which is used in the loop and set
to 2147483648 in our example. On the other hand, PF_HASHSIZ is 32768. This
mismatch causes the initialisation to fail.

Apparently, the value of pf_hashsize needs to be set, and it should be used in
the mallocarray(9) calls rather than PF_HASHSIZ.

Although sizeof(struct pf_keyhash) = sizeof(struct pf_idhash) = 40, we cannot
guarantee that the size of the structs will stay the same (please correct me
if I am wrong).

Given that the for loop assumes V_pf_idhash and V_pf_keyhash are allocated
memory by using the same multiplier, which is pf_hashsize, I think we either

* should make a test before the mallocarray() calls and set pf_hashsize
  accordingly (how?), or
* make two mallocarray(..., M_NOWAIT) calls and test the return values in a
  single if() statement. If either or both of these pointers is NULL, we
  should fall back and re-allocate memory for _both_ V_pf_idhash and
  V_pf_keyhash by using a single pf_hashsize value.

-- 
You are receiving this mail because:
You are the assignee for the bug.
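The following is an added example, not code from the bug report or from FreeBSD: a userland C model of the sizing logic the comment quotes, with the per-table fallback beside the commenter's second option (allocate both with M_NOWAIT, test both pointers in one if(), reset pf_hashsize before deriving pf_hashmask). try_mallocarray(), the free-memory budget, struct tables and the one-field stand-in hash structs are assumptions of the model; the real kernel panics in mtx_init(9) where the model returns -1.

```c
/* Added example, not FreeBSD code: userland model of the pf_initialize()
 * sizing logic discussed above. try_mallocarray(), the budget, struct tables
 * and the stand-in hash structs are assumptions of this model. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PF_HASHSIZ 32768UL

struct pf_keyhash { int lock; };   /* stand-ins: only the lock matters here */
struct pf_idhash  { int lock; };
struct tables {
    unsigned long hashsize, hashmask;     /* what the init loop is driven by */
    size_t keyhash_nmemb, idhash_nmemb;   /* what was actually allocated */
    struct pf_keyhash *keyhash;
    struct pf_idhash *idhash;
};

/* Models mallocarray(9) with M_NOWAIT: NULL instead of sleeping when the
 * array would overflow or exceed a constructed free-memory budget. */
static void *try_mallocarray(size_t nmemb, size_t size, size_t budget)
{
    if ((nmemb != 0 && size > SIZE_MAX / nmemb) || nmemb * size > budget)
        return NULL;
    return calloc(nmemb, size);
}

/* The for loop from the comment. Where the kernel panics inside mtx_init(9)
 * at the first entry past the allocation, the model returns -1 instead. */
static int init_locks(struct tables *t)
{
    for (unsigned long i = 0; i <= t->hashmask; i++) {
        if (i >= t->keyhash_nmemb || i >= t->idhash_nmemb)
            return -1;
        t->keyhash[i].lock = 1;   /* mtx_init(&kh->lock, "pf_keyhash", ...) */
        t->idhash[i].lock = 1;    /* mtx_init(&ih->lock, "pf_idhash", ...) */
    }
    return 0;
}

/* Variant quoted in the comment: each table falls back to PF_HASHSIZ on its
 * own, but pf_hashmask is still derived from the tunable. */
static int pf_tables_init_mismatch(struct tables *t, unsigned long tunable,
    size_t budget)
{
    unsigned long pf_hashsize = tunable;
    memset(t, 0, sizeof(*t));
    t->keyhash_nmemb = t->idhash_nmemb = pf_hashsize;
    t->keyhash = try_mallocarray(pf_hashsize, sizeof(*t->keyhash), budget);
    if (t->keyhash == NULL) {                       /* M_WAITOK fallback */
        t->keyhash = calloc(PF_HASHSIZ, sizeof(*t->keyhash));
        t->keyhash_nmemb = PF_HASHSIZ;
    }
    t->idhash = try_mallocarray(pf_hashsize, sizeof(*t->idhash), budget);
    if (t->idhash == NULL) {
        t->idhash = calloc(PF_HASHSIZ, sizeof(*t->idhash));
        t->idhash_nmemb = PF_HASHSIZ;
    }
    t->hashsize = pf_hashsize;
    t->hashmask = pf_hashsize - 1;   /* 2^31 - 1 although only 32768 entries exist */
    return init_locks(t);
}

/* The comment's second option: allocate both with M_NOWAIT, test both
 * pointers in one if(), and on failure re-allocate both from a single reset
 * pf_hashsize before pf_hashmask is derived from it. */
static int pf_tables_init_fixed(struct tables *t, unsigned long tunable,
    size_t budget)
{
    unsigned long pf_hashsize = tunable;
    memset(t, 0, sizeof(*t));
    t->keyhash = try_mallocarray(pf_hashsize, sizeof(*t->keyhash), budget);
    t->idhash = try_mallocarray(pf_hashsize, sizeof(*t->idhash), budget);
    if (t->keyhash == NULL || t->idhash == NULL) {
        free(t->keyhash);   /* free(NULL) is a no-op, so either may be NULL */
        free(t->idhash);
        pf_hashsize = PF_HASHSIZ;
        t->keyhash = calloc(pf_hashsize, sizeof(*t->keyhash));
        t->idhash = calloc(pf_hashsize, sizeof(*t->idhash));
    }
    t->keyhash_nmemb = t->idhash_nmemb = pf_hashsize;
    t->hashsize = pf_hashsize;
    t->hashmask = pf_hashsize - 1;   /* now matches both allocations */
    return init_locks(t);
}

static void pf_tables_free(struct tables *t) { free(t->keyhash); free(t->idhash); }

int main(void)
{
    struct tables t;   /* the report's hashsize, with a constructed 1 MiB budget */
    int rc = pf_tables_init_mismatch(&t, 2147483648UL, 1UL << 20);
    printf("mismatch: rc=%d hashmask=%lu allocated=%zu\n", rc, t.hashmask, t.keyhash_nmemb);
    pf_tables_free(&t);
    rc = pf_tables_init_fixed(&t, 2147483648UL, 1UL << 20);
    printf("fixed:    rc=%d hashmask=%lu allocated=%zu\n", rc, t.hashmask, t.keyhash_nmemb);
    pf_tables_free(&t);
    return 0;
}
```

With the report's value of 2147483648 and a budget too small for it, the mismatch variant ends up with 32768 entries per table but a mask of 2147483647, so the loop runs off the end at index 32768; the fixed variant resets pf_hashsize first, so mask and allocation agree. A tunable that does fit the budget is honoured unchanged by both variants.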