On 24.5.2022. 9:01, Alexandr Nedvedicky wrote:
> interesting. I went through mbuf handling in if_veb.c
> I just could find a single nit, which is most likely unrelated,
> however I think it's still worth to give it a try a diff below.
>
> basically all calls to veb_pf() read as follows:
>     m = veb_pf(ifp, ..., m);
> except the one in veb_broadcast(), which reads as:
>     m = veb_pf(ifp, ..., m0);
> I think it is a bug, veb_pf() caller should continue to run
> with packet returned by veb_pf().
>
> thanks and
> regards
> sashan

Hi,

and with this diff I can panic the box the same way as before...

ip6 forwarding, pf and veb/vport panic:

r620-1# panuicvm:_ f paoulotl(_0caxcffhfef_iftfeffm8_2ma2gfi13ca_c8h, e ck : m bu f p l cp u f r e0ex1 7 , l i 0s,t 2 ) - > e mkoedrnieflie: d : i t e m a dd r 0 xf f f ff d 8 0 a 42 0 e 5 00 + 2 4 0x 6 a b 22 4 5 9 6 1e e 9 8 5c ! = 0 x 6 ab 2 2 4 5 9pcadge0 a f8 5 c
Stopped at      db_enter+0x10:  popq    %rbp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
 418374  46077      0     0x14000      0x200    3  softnet
 355064  80120      0     0x14000      0x200    2K softnet
*401307  69853      0     0x14000      0x200    5  softnet
db_enter() at db_enter+0x10
panic(ffffffff81f3c6f5) at panic+0xbf
pool_cache_get(ffffffff82483608) at pool_cache_get+0x25b
pool_get(ffffffff82483608,2) at pool_get+0x61
m_get(2,1) at m_get+0x3f
m_copym(fffffd80a3b50900,0,40,2) at m_copym+0xd8
ip6_forward(fffffd80a3b50900,fffffd842ce9c708,0) at ip6_forward+0x1cc
ip6_input_if(ffff800022c6b728,ffff800022c6b734,29,0,ffff80000074b000) at ip6_input_if+0x80a
ipv6_input(ffff80000074b000,fffffd80a3b50900) at ipv6_input+0x39
ether_input(ffff80000074b000,fffffd80a3b50900) at ether_input+0x3ad
vport_if_enqueue(ffff80000074b000,fffffd80a3b50900) at vport_if_enqueue+0x19
veb_port_input(ffff800000095048,fffffd80a3b50900,ecf4bbdaf7f8,ffff800000747300) at veb_port_input+0x5b0
ether_input(ffff800000095048,fffffd80a3b50900) at ether_input+0x100
if_input_process(ffff800000095048,ffff800022c6b938) at if_input_process+0x6f
end trace frame: 0xffff800022c6b980, count: 0
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{5}> show panic
*cpu5: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0x fffffd80a420e500+24 0x6ab2245961ee985c!=0x6ab22459cd0af85c
 cpu2: uvm_fault(0xffffffff822f13a8, 0x17, 0, 2) -> e
ddb{5}>
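
Added example, not part of this thread and not OpenBSD code: a simplified user-space model of a poisoned free list whose allocation-time check reports "expected != found" at a byte offset, as the "cpu free list modified" panic above does, together with the stale-pointer pattern the quoted mail points out in veb_broadcast(). All names (struct item, toy_put, toy_get_check, toy_filter, demo), the seed and the item layout are hypothetical; the model makes no claim about the cause of the panic reported here.

```c
#include <stddef.h>
#include <stdint.h>

#define WORDS 4
#define SEED  0xA5A5C3C35A5A3C3CULL   /* constructed poison seed */

struct item {                     /* hypothetical stand-in for a pooled buffer */
    struct item *next;            /* free-list link, meaningful only while free */
    uint64_t     body[WORDS];     /* payload when in use, poison when free */
};
static struct item *free_list;

/* Expected poison for word i: depends on the word's own address. */
static uint64_t poison(const struct item *it, size_t i)
{
    return SEED ^ (uint64_t)(uintptr_t)&it->body[i];
}

static void toy_put(struct item *it)          /* free: poison, then link */
{
    for (size_t i = 0; i < WORDS; i++)
        it->body[i] = poison(it, i);
    it->next = free_list;
    free_list = it;
}

/* Take the head item and verify it; returns the byte offset of the first
 * word that no longer holds its poison, or -1 if the item is intact. */
static long toy_get_check(void)
{
    struct item *it = free_list;
    free_list = it->next;
    for (size_t i = 0; i < WORDS; i++)
        if (it->body[i] != poison(it, i))
            return (long)(offsetof(struct item, body) + i * sizeof(uint64_t));
    return -1;
}

/* Hypothetical filter: consumes m (back to the pool), returns a replacement. */
static struct item *toy_filter(struct item *m, struct item *repl)
{
    toy_put(m);
    return repl;
}

long demo(int use_returned)
{
    static struct item a, b;
    free_list = NULL;
    struct item *m0 = &a, *m = toy_filter(m0, &b);
    (use_returned ? m : m0)->body[2] = 0x1234;  /* caller keeps writing */
    return toy_get_check();       /* the damage surfaces at the NEXT allocation */
}
```

demo(1) continues with the pointer the filter returned and the check passes; demo(0) writes through the stale pointer and the check fails only when the item is next allocated, which is why such a panic can surface in a code path unrelated to the write.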