Re: kern/54439: npf causes kernel panic (pr_find_pagehead)

[mlelstv%serpens.de@localhost (Michael van Elst)]

The following reply was made to PR kern/54439; it has been noted by GNATS.

From: mlelstv%serpens.de@localhost (Michael van Elst)
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: kern/54439: npf causes kernel panic (pr_find_pagehead)
Date: Tue, 6 Aug 2019 04:45:32 -0000 (UTC)

 htodd%i8u.org@localhost writes:
 
 >[ 1055.9565284] panic: pr_find_pagehead: [npfcn4pl] item 0xc25db2dc poolid 173 != 172
 >[ 1055.9565284] cpu0: Begin traceback...
 >[ 1055.9565284] vpanic(c0677a98,da27ce98,da27cee0,c04adab4,c0677a98,c061be2c,c066782d,c25db2dc,ad,ac) at netbsd:vpanic+0x12d
 >[ 1055.9565284] snprintf(c0677a98,c061be2c,c066782d,c25db2dc,ad,ac,c1c1ba26,0,c07806c4,da27cee4) at netbsd:snprintf
 >[ 1055.9565284] pool_put(c1c1b940,c25db2dc,c2015e00,c25db2dc,c1c1b940,c1c1ba24,c2b6f500,da27cf30,c04aea3b,0) at netbsd:pool_put+0x3bd
 
 npf stores connections in two pools depending on the address length
 (IPv4 vs IPv6). An item gets the address length encoded into the forwards
 key field and that key is decoded to determine which pool the item should
 be released to.
 
 However, there are error paths where the key isn't initialized. An
 item can then be released to the wrong pool.
 
 -- 
 -- 
                                 Michael van Elst
 Internet: mlelstv%serpens.de@localhost
                                 "A potential Snark may lurk in every tree."