https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235097
--- Comment #11 from Kristof Provost <k...@freebsd.org> ---

I think I understand the use-after-free bug, and it's a pf problem.

Patching the counter increment code to check for 0xdeadc0dedeadc0de (and panicking) produces this backtrace:

panic: Incrementing freed counter!
cpuid = 0
time = 1548368229
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00a94da210
vpanic() at vpanic+0x1b4/frame 0xfffffe00a94da270
panic() at panic+0x43/frame 0xfffffe00a94da2d0
pf_purge_expired_src_nodes() at pf_purge_expired_src_nodes+0x1f4/frame 0xfffffe00a94da320
pf_unload_vnet_purge() at pf_unload_vnet_purge+0x2b/frame 0xfffffe00a94da330
vnet_pf_uninit() at vnet_pf_uninit+0x74a/frame 0xfffffe00a94da7d0
vnet_destroy() at vnet_destroy+0x124/frame 0xfffffe00a94da800
prison_deref() at prison_deref+0x29d/frame 0xfffffe00a94da840
sys_jail_remove() at sys_jail_remove+0x28e/frame 0xfffffe00a94da890
amd64_syscall() at amd64_syscall+0x29b/frame 0xfffffe00a94da9b0
fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe00a94da9b0

Essentially, pf frees its counters before it's all the way done cleaning up, and it can end up incrementing a counter.
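A user-space model of the detection technique the comment describes, added here as an example and not pf or FreeBSD code: freed counters are filled with the 0xdeadc0dedeadc0de trash pattern, a guarded increment refuses to touch a poisoned counter, and tearing down in the order the comment describes (counters released before the purge finishes) trips the check. The fixed-size pool, the function names and the "one increment per purged node" semantics are constructed for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Trash pattern the comment checks for (constructed model of poison-on-free). */
#define COUNTER_POISON 0xdeadc0dedeadc0deULL
#define NCOUNTERS 4

/* Tiny fixed pool standing in for a kernel per-vnet counter allocator. */
static uint64_t counter_pool[NCOUNTERS];

static void counters_init(void) { memset(counter_pool, 0, sizeof counter_pool); }

/* "Freeing" poisons every slot so a later use is detectable rather than silent. */
static void counters_free(void) {
    for (int i = 0; i < NCOUNTERS; i++)
        counter_pool[i] = COUNTER_POISON;
}

/* Guarded increment: returns 0 on success, -1 if the counter was already freed.
 * A kernel build would panic here; the model reports so the caller can check. */
static int counter_u64_add_checked(uint64_t *c, uint64_t n) {
    if (*c == COUNTER_POISON) {
        fprintf(stderr, "Incrementing freed counter!\n");
        return -1;
    }
    *c += n;
    return 0;
}

/* Model of the purge step: expiring each source node bumps counter 0. */
static int purge_src_nodes(int nnodes) {
    int rc = 0;
    for (int i = 0; i < nnodes; i++)
        if (counter_u64_add_checked(&counter_pool[0], 1) != 0)
            rc = -1;
    return rc;
}

/* Teardown in the order the comment describes: counters gone, then the purge. */
static int teardown_counters_first(int nnodes) {
    counters_init();
    counters_free();                 /* counters released too early ... */
    return purge_src_nodes(nnodes);  /* ... and the purge still increments one */
}

/* One ordering that avoids the problem: finish the purge, then release counters. */
static int teardown_purge_first(int nnodes) {
    counters_init();
    int rc = purge_src_nodes(nnodes);
    counters_free();
    return rc;
}
```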