Date: Thu, 24 Jan 2019 22:31:40 +0000 From: bugzilla-noreply@freebsd.org To: net@FreeBSD.org Subject: [Bug 235097] ci runs panic with use-after-free when running sys/netpfil/pf/nat tests Message-ID: <bug-235097-7501-8tV6335IPc@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-235097-7501@https.bugs.freebsd.org/bugzilla/> References: <bug-235097-7501@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D235097 --- Comment #11 from Kristof Provost <kp@freebsd.org> --- I think I understand the use-after-free bug, and it's a pf problem. Patching the counter increment code to check for 0xdeadc0dedeadc0de (and panicing) produces this backtrace: panic: Incrementing freed counter! cpuid =3D 0 time =3D 1548368229 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00a94da= 210 vpanic() at vpanic+0x1b4/frame 0xfffffe00a94da270 panic() at panic+0x43/frame 0xfffffe00a94da2d0 pf_purge_expired_src_nodes() at pf_purge_expired_src_nodes+0x1f4/frame 0xfffffe00a94da320 pf_unload_vnet_purge() at pf_unload_vnet_purge+0x2b/frame 0xfffffe00a94da330 vnet_pf_uninit() at vnet_pf_uninit+0x74a/frame 0xfffffe00a94da7d0 vnet_destroy() at vnet_destroy+0x124/frame 0xfffffe00a94da800 prison_deref() at prison_deref+0x29d/frame 0xfffffe00a94da840 sys_jail_remove() at sys_jail_remove+0x28e/frame 0xfffffe00a94da890 amd64_syscall() at amd64_syscall+0x29b/frame 0xfffffe00a94da9b0 fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe00a94da9b0 Essentially, pf frees its counters before it's all the way done cleaning up, and it can end up incrementing a counter. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-235097-7501-8tV6335IPc>