Re: [External] : pf_state_key_unref: panic: kernel diagnostic assertion "refcnt != ~0" failed: file "/usr/src/sys/kern/kern_synch.c", line 826

Tue, 04 May 2021 08:03:36 -0700 

On 2021-05-04 16:50 +02, Sebastien Marie <sema...@online.fr> wrote:
> On Tue, May 04, 2021 at 02:15:05PM +0200, Alexandr Nedvedicky wrote:
>> Hello Sebastien,
>> 
>> thank you for additional info about previously working kernel.
>> 
>> it looks like your older kernel, which works, might be running without
>> my commit
>> 
>>     revision 1.1116
>>     date: 2021/04/27 09:38:29;  author: sashan;  state: Exp;\
>>       lines: +14 -6;  commitid: 3W1fRTkLb3ZlUanF;
>>     pf_state_key_link_reverse() is prone to race on parallel forwarding
>> 
>>     we need to adjust assertions. at time we call pf_state_key_link_reverse()
>>     is state_key either linked to correct reverse peer or not linked at all.
>>     The pf_state_key_link_reverse() is being called as a reader ons 
>> tate_lock.
>>     There might be more packets, which try to update the state key.
>> 
>>     OK bluhm@
>> 
>> > # cat /etc/pf.conf
>> > # See pf.conf(5) and /etc/examples/pf.conf
>> > # 
>> > # avoid skip on lo to get tryton redir
>> > #set skip on lo
>> > 
>> > block return    # block stateless traffic
>> > pass            # establish keep-state
>> > 
>> > # redir 80 -> 8000
>> > pass in proto tcp to (self) port 80 rdr-to
>> > 2001:41d0:fe39:c05c:56b8:d15b:2e0a:8775 port 8000
>> > 
>> 
>>     the rule above is also interesting bit. this may trigger NAT-64.
>>     I'm not using IPv6 on my hosts/routers. I'll try to use similar rule
>>     to try to reproduce the crash.
>
> I will first try with another rule:
>
>   pass in inet6 proto tcp to (self) port 80 rdr-to
> 2001:41d0:fe39:c05c:56b8:d15b:2e0a:8775 port 8000
>
> to avoid the possible NAT-64.

fwiw I intentionally run NAT64 and I don't see this.
But I only have one client, my android phone.

kern.version=OpenBSD 6.9-current (GENERIC.MP) #559: Fri Apr 30 03:31:48 MDT 2021


set skip on lo
block return    # block stateless traffic
pass            # establish keep-state
pass in log on vlan64 inet6 from any to 64:ff9b::/96 af-to inet \
        from 192.168.178.23


>
> And next (if I still trigger the assert) I will rebuild a kernel and
> backout this specific commit.
>
> It should permit to see if the commit is the problem or not.
>
> Thanks.

-- 
I'm not entirely sure you are real.

Reply via email to