Hello Jesper,
thank you for the report. Can you share the rules which are loaded
into the kernel when the crash happens?
output of 'pfctl -sr' should be sufficient.
thanks a lot
regards
sashan
On Wed, Nov 26, 2025 at 08:22:25PM +0100, Jesper Wallin wrote:
> Hi,
>
> One of my machines experienced the following this morning:
>
> kernel: protection fault trap, code=0
> Stopped at pf_counters_inc+0x17c: movq 0x8(%rbx),%rax
>
>
> This is unfortunately way beyond my level to even attempt to fix,
> but after discussing this with Renaud Allard, his notes were:
>
>
> Looking at the code at pf.c:8177-8180:
>
> SLIST_FOREACH(sni, &st->src_nodes, next) {
>         sni->sn->packets[dirndx]++;            // <- LINE 8178
>         sni->sn->bytes[dirndx] += pd->tot_len;
> }
>
>
> The crash is happening when:
>
> 1. %rbx contains the sni pointer (the list item)
> 2. movq 0x8(%rbx),%rax is dereferencing sni->sn
> (the source node pointer at offset +8)
> 3. But sni has already been freed by another thread in pf_lb.c:301
>
>
> Timeline:
>
> Time  Thread A (packet path)            Thread B (cleanup)
> ----  ------------------------------    --------------------------------
> T1    pf_counters_inc() called
> T2    SLIST_FOREACH(sni, ...)
> T3      -> sni points to valid item
> T4                                      pf_map_addr_sticky() called
> T5                                        -> pf_state_rm_src_node(s, sn)
> T6                                        -> SLIST_REMOVE(sni from list)
> T7                                        -> pool_put(&pf_sn_item_pl, sni)
> T8                                        -> sni memory is FREED
> T9    movq 0x8(%rbx),%rax <- CRASH!
>         (trying to read sni->sn)
>
>
> This is a virtual machine at Vultr running with hw.smt=1, not sure if
> that makes any difference, but it might be worth mentioning. dmesg(8) below:
>
>
> Jesper Wallin
>
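An added user-space model of the T1..T9 interleaving described in the quoted report (example code, not pf's own or anything from this thread). It uses toy pf_sn_item / pf_src_node structs with `sn` at offset 8, a fake pool_put() that poisons the freed item so the read-after-free is observable instead of faulting, and a mutex serializing the two paths purely as an illustration of why the walk and the removal must not overlap; it is an assumption, not pf's actual fix.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdint.h>
#include <sys/queue.h>

/* Constructed toy versions of the pf structures named in the report.
 * 'next' is the 8-byte list link, so 'sn' lands at offset +8 (0x8(%rbx)). */
struct pf_src_node { uint64_t packets[2]; };
struct pf_sn_item { SLIST_ENTRY(pf_sn_item) next; struct pf_src_node *sn; };
SLIST_HEAD(sn_list, pf_sn_item);

#define SN_POISON ((struct pf_src_node *)0xdeadbeefULL)
static struct pf_src_node node;
static struct pf_sn_item item;
static struct sn_list list;
static pthread_mutex_t sn_lock = PTHREAD_MUTEX_INITIALIZER;  /* assumed, not pf's */
static pthread_barrier_t bar;

/* Stand-in for pool_put(): poison the freed item so a later read is detectable. */
static void pool_put(struct pf_sn_item *sni) { sni->sn = SN_POISON; }

/* Thread B (cleanup, T4..T8): waits until A has fetched sni, then removes and frees it. */
static void *cleanup_thread(void *arg) {
    int serialized = *(int *)arg;
    pthread_barrier_wait(&bar);
    if (serialized) pthread_mutex_lock(&sn_lock);   /* blocks while A still walks the list */
    SLIST_REMOVE(&list, &item, pf_sn_item, next);    /* T6 */
    pool_put(&item);                                 /* T7/T8 */
    if (serialized) pthread_mutex_unlock(&sn_lock);
    pthread_barrier_wait(&bar);
    return NULL;
}

/* Thread A (packet path, pf_counters_inc loop). Returns 1 if it read a freed
 * item (the reported crash), 0 if the counter update completed safely. */
int run_packet_path(int serialized) {
    struct pf_sn_item *sni;
    int uaf = 0;
    pthread_t tb;
    node.packets[0] = 0;
    item.sn = &node;
    SLIST_INIT(&list);
    SLIST_INSERT_HEAD(&list, &item, next);
    pthread_barrier_init(&bar, NULL, 2);
    pthread_create(&tb, NULL, cleanup_thread, &serialized);
    if (serialized) pthread_mutex_lock(&sn_lock);
    SLIST_FOREACH(sni, &list, next) {               /* T2/T3: sni fetched */
        pthread_barrier_wait(&bar);                  /* let B start its cleanup */
        if (!serialized) pthread_barrier_wait(&bar); /* unserialized: B frees sni first */
        if (sni->sn == SN_POISON) uaf = 1;           /* T9: movq 0x8(%rbx),%rax */
        else sni->sn->packets[0]++;
    }
    if (serialized) { pthread_mutex_unlock(&sn_lock); pthread_barrier_wait(&bar); }
    pthread_join(tb, NULL);
    pthread_barrier_destroy(&bar);
    return uaf;
}
```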