[Bug 268246] crash and panic using pfsync on 13.1-RELEASE

Tue, 31 Jan 2023 21:35:22 -0800 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268246

--- Comment #44 from Kristof Provost <k...@freebsd.org> ---
(In reply to jjasen from comment #43)
That .. that doesn't make a whole lot of sense. With that patch the system
should have panicked before that point. We don't modify mbufs while they're
deferred, so if it's bad coming out it had to have been bad going in. Yet we
didn't panic on insertion.

So either the bad mbuf took the other path, for which I've extended the test
patch now:

diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c
index 61308a35a7e1..ae913185ec8a 100644
--- a/sys/netpfil/pf/if_pfsync.c
+++ b/sys/netpfil/pf/if_pfsync.c
@@ -604,7 +604,11 @@ pfsync_state_import(struct pfsync_state *sp, int flags)
        if (!(flags & PFSYNC_SI_IOCTL)) {
                st->state_flags &= ~PFSTATE_NOSYNC;
                if (st->state_flags & PFSTATE_ACK) {
+            struct pfsync_bucket *b = pfsync_get_bucket(sc, st);
+            PFSYNC_BUCKET_LOCK(b);
                        pfsync_q_ins(st, PFSYNC_S_IACK, true);
+            PFSYNC_BUCKET_UNLOCK(b);
+
                        pfsync_push_all(sc);
                }
        }
@@ -1690,6 +1694,17 @@ pfsync_sendout(int schedswi, int c)
        if_inc_counter(sc->sc_ifp, IFCOUNTER_OBYTES, m->m_pkthdr.len);
        b->b_len = PFSYNC_MINPKT;

+       {
+               struct ip *ip;
+
+               ip = mtod(m, struct ip *);
+               if (ip->ip_v == 4) {
+                       int len = ntohs(ip->ip_len);
+                       if (m_length(m, NULL) != len)
+                               panic("Incorrect ip_len %d != m_length %d",
len, m_length(m, NULL));
+               }
+       }
+
        if (!_IF_QFULL(&b->b_snd))
                _IF_ENQUEUE(&b->b_snd, m);
        else {
@@ -1734,6 +1749,7 @@ pfsync_defer(struct pf_kstate *st, struct mbuf *m)
        struct pfsync_softc *sc = V_pfsyncif;
        struct pfsync_deferral *pd;
        struct pfsync_bucket *b;
+    struct ip *ip;

        if (m->m_flags & (M_BCAST|M_MCAST))
                return (0);
@@ -1751,6 +1767,13 @@ pfsync_defer(struct pf_kstate *st, struct mbuf *m)
                return (0);
        }

+    ip = mtod(m, struct ip *);
+    if (ip->ip_v == 4) {
+        int len = ntohs(ip->ip_len);
+        if (m_length(m, NULL) != len)
+            panic("Incorrect ip_len %d != m_length %d", len, m_length(m,
NULL));
+    }
+
        PFSYNC_BUCKET_LOCK(b);
        PFSYNC_UNLOCK(sc);


Or ... something else is wrong with that particular machine. Have you run a
memory test on it?

-- 
You are receiving this mail because:
You are the assignee for the bug.

Reply via email to