Hi Martin, i'm using IPv6 but not on the syncdev interface, on all my other interfaces (CARP & OSPF).
Here is the syncdev config: inet 10.XX.XX.2 255.255.255.224 NONE vlan 30 vlandev trunk1 and the pfsync config: up defer syncdev vlan30 To precise how the bug happens, i have removed some other interfaces before restarting it (a vlan57 and carp57 interfaces, childs of trunk1), and also reloaded (without removing) the trunk1 interface. Before do the "ifconfig pfsync0 up" i also saw that pfsync0 was down and there is no syncdev (strange because the interface wasn't modified since boot). -- Best regards, Loïc BLOT, Engineering UNIX Systems, Security and Network Engineer http://www.unix-experience.fr Le jeudi 22 mai 2014 à 12:49 +0200, Martin Pieuchot a écrit : > Hello Loïc, > > On 22/05/14(Thu) 11:11, Loïc Blot wrote: > > Hi, > > today i upgraded my primary router from OpenBSD 5.4 to OpenBSD 5.5 (i > > follow the process described here: > > http://www.openbsd.org/faq/upgrade55.html and this is my 5th upgrade > > from 5.4 to 5.5 since the release). > > > > After rebooting and doing the sysmerge without network copper cables, i > > rebooted and set my carp & pfsync interfaces to down before plugging the > > cables. At this time, the router was in a CARP INIT mode, no problem. > > > > Note: all the traffic was redirected to my second OpenBSD router (which > > was upgraded at release time) 3 days ago, this routers hasn't any > > problem and have exactly the same hardware and software configuration > > (except some IPs). > > > > After finishing the upgrading process, i have incremented the carpdemote > > counter to force CARP to be in BACKUP mode and then i have set all my > > carp interface to up. Then ifaces were in BACKUP mode. No problem since > > there all was right, all services works fine, etc. > > > > The last step i do is to do a "ifconfig pfsync0 up" and then a OpenBSD > > crash. > > Thanks for the report. How is your pfsync0 interface configured? Same > thing for its syncdev interface. > > > ddb{1}> trace > > ip_output() at ip_output+0xdd9 > > This is a use after free in IFP_TO_IA(), somehow one of the ifa pointer > on the list of your syncdev is now pointing to memory that has been freed: > > > rcx 0xdeadbeefdeadbeef > > This should be pointing to `ifa_addr` which makes me believe that you > are hitting a reference counting bug because it should not be possible > to free an ifa which is still on the list of an ifp. > > Can you easily reproduce this bug? Do you use IPv6? If yes does > setting "-inet6" on the syncdev interface helps? > > Martin
