Bug 274915 - panic immediately on loading ruleset, in pf_ioctl_addrule sha #4ffe410
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 15.0-CURRENT
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-pf (Nobody)
URL:
Keywords: crash
Depends on:
Blocks:
 
Reported: 2023-11-04 18:01 UTC by Dave Cottlehuber
Modified: 2023-11-10 06:41 UTC

See Also:


Attachments
pf.conf that triggers it (57.80 KB, text/plain)
2023-11-04 18:01 UTC, Dave Cottlehuber
kp's fix (442 bytes, patch)
2023-11-08 15:06 UTC, Dave Cottlehuber

Description Dave Cottlehuber freebsd_committer freebsd_triage 2023-11-04 18:01:27 UTC
Created attachment 246120 [details]
pf.conf that triggers it

## dump

```
[555]
[555] Fatal trap 12: page fault while in kernel mode
[555] cpuid = 0; apic id = 00
[555] fault virtual address     = 0x0
[555] fault code                = supervisor read data, page not present
[555] instruction pointer       = 0x20:0xffffffff86f5d574
[555] stack pointer             = 0x28:0xfffffe027f6a8c40
[555] frame pointer             = 0x28:0xfffffe027f6a8c90
[555] code segment              = base rx0, limit 0xfffff, type 0x1b
[555]                   = DPL 0, pres 1, long 1, def32 0, gran 1
[555] processor eflags  = interrupt enabled, resume, IOPL = 0
[555] current process           = 0 (netlink_socket (PID)
[555] rdi: 0000000000000070 rsi: fffffe015526f1e0 rdx: 00000000000000c4
[555] rcx: 0000000000000004  r8: 0000000000000000  r9: 0000000000000000
[555] rax: 0000000000000000 rbx: 00000000000000c4 rbp: fffffe027f6a8c90
[555] r10: 0000000000000000 r11: 0000000000000000 r12: 0000000000000004
[555] r13: fffffe00d69e4078 r14: fffff8090e4b7800 r15: fffff8090e58f000
[555] trap number               = 12
[555] panic: page fault
[555] cpuid = 0
[555] time = 1699118804
[555] KDB: stack backtrace:
[555] db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe027f6a8920
[555] vpanic() at vpanic+0x132/frame 0xfffffe027f6a8a50
[555] panic() at panic+0x43/frame 0xfffffe027f6a8ab0
[555] trap_fatal() at trap_fatal+0x40c/frame 0xfffffe027f6a8b10
[555] trap_pfault() at trap_pfault+0x4f/frame 0xfffffe027f6a8b70
[555] calltrap() at calltrap+0x8/frame 0xfffffe027f6a8b70
[555] --- trap 0xc, rip = 0xffffffff86f5d574, rsp = 0xfffffe027f6a8c40, rbp = 0xfffffe027f6a8c90 ---
[555] pf_ioctl_addrule() at pf_ioctl_addrule+0x224/frame 0xfffffe027f6a8c90
[555] pf_handle_addrule() at pf_handle_addrule+0xa0/frame 0xfffffe027f6a8d00
[555] nl_taskqueue_handler() at nl_taskqueue_handler+0x79b/frame 0xfffffe027f6a8e40
[555] taskqueue_run_locked() at taskqueue_run_locked+0x182/frame 0xfffffe027f6a8ec0
[555] taskqueue_thread_loop() at taskqueue_thread_loop+0xc2/frame 0xfffffe027f6a8ef0
[555] fork_exit() at fork_exit+0x7f/frame 0xfffffe027f6a8f30
[555] fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe027f6a8f30
[555] --- trap 0, rip = 0, rsp = 0, rbp = 0 ---
[555] KDB: enter: panic
```

## output of `pfctl -vef /etc/pf.conf` 

```
...
pass out quick on igb0 proto udp from any port = dhcpv6-server to any port = dhcpv6-server keep state
pass out quick on igb0 inet proto udp all keep state
pass out quick on igb0 inet6 proto udp all keep state
pass in on igb0 inet proto icmp all keep state
pass in on igb0 inet proto icmp all icmp-type echoreq keep state
pass in on igb0 inet proto icmp all icmp-type unreach keep state
pass in on tap0 inet proto icmp all icmp-type echoreq keep state
pass in on tap0 inet proto icmp all icmp-type unreach keep state
pass in on tap1 inet proto icmp all icmp-type echoreq keep state
pass in on tap1 inet proto icmp all icmp-type unreach keep state
pass in on vm-public inet proto icmp all icmp-type echoreq keep state
pass in on vm-public inet proto icmp all icmp-type unreach keep state
pass in quick on igb0 inet proto udp from any to 172.16.1.4 port = domain keep state
pass in quick on igb0 inet proto udp from any to 172.16.1.4 port = 9000 keep state
pass in quick on igb0 inet proto udp from any to 172.16.1.4 port = 9993 keep state
pass in quick on igb0 inet proto udp from any to 172.16.1.4 port = 42853 keep state
pass in quick on igb0 inet proto udp from any to 172.16.1.4 port = 21027 keep state
pass in quick on igb0 inet proto udp from any to 172.16.1.4 port = 3478 keep state
... probably should be more rules output here
```

## ifconfig

```
igb0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1400
	options=4e503bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
	ether ac:1f:6b:67:e1:38
	inet 172.16.1.4 netmask 0xffffff00 broadcast 172.16.1.255
	inet6 fe80::ae1f:6bff:fe67:e138%igb0 prefixlen 64 scopeid 0x1
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
igb1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=4e507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
	ether ac:1f:6b:67:e1:39
	media: Ethernet autoselect
	status: no carrier
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 100.64.0.0 netmask 0xfffe0000
	inet 100.64.0.1 netmask 0xffffffff
	inet 100.64.0.2 netmask 0xffffffff
	inet 100.64.0.3 netmask 0xffffffff
	inet 100.64.0.4 netmask 0xffffffff
	inet 100.64.0.5 netmask 0xffffffff
	inet 100.64.0.6 netmask 0xffffffff
	inet 100.64.0.7 netmask 0xffffffff
	inet 100.64.0.8 netmask 0xffffffff
	inet 100.64.0.9 netmask 0xffffffff
	inet 100.64.0.10 netmask 0xffffffff
	inet 100.64.0.11 netmask 0xffffffff
	inet 100.64.0.12 netmask 0xffffffff
	inet 100.64.0.13 netmask 0xffffffff
	inet 100.64.0.14 netmask 0xffffffff
	inet 100.64.0.15 netmask 0xffffffff
	inet 100.64.68.238 netmask 0xffffffff
	inet 100.64.8.8 netmask 0xffffffff
	inet6 fe80::1%lo1 prefixlen 64 scopeid 0x4
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
zt1flo98dm17np8: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 5000 mtu 2800
	options=80000<LINKSTATE>
	ether 2a:3d:9d:3c:2f:91
	hwaddr 58:9c:fc:10:65:16
	inet6 fc7b:c4d6:6be2:8e50:6c98::1 prefixlen 40
	inet6 fe80::283d:9dff:fe3c:2f91%zt1flo98dm17np8 prefixlen 64 scopeid 0x5
	groups: tap
	media: Ethernet 1000baseT <full-duplex>
	status: active
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	Opened by PID 25
ztagim5o45dhe4c: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 5000 mtu 2800
	options=80000<LINKSTATE>
	ether 8e:5a:56:5a:ad:5d
	hwaddr 58:9c:fc:00:16:3e
	inet6 fca2:927d:4de2:8e50:6c98::1 prefixlen 40
	inet6 fe80::8c5a:56ff:fe5a:ad5d%ztagim5o45dhe4c prefixlen 64 scopeid 0x6
	groups: tap
	media: Ethernet 1000baseT <full-duplex>
	status: active
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	Opened by PID 25
vm-public: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1400
	options=0
	ether be:b4:fd:ec:d1:27
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 1 priority 128 path cost 20000
	groups: bridge vm-switch viid-4c918@
	nd6 options=9<PERFORMNUD,IFDISABLED>
```

Lots of netlink-related messages scroll past at unreadable speed during the crash.

I'll try to trim the pf.conf to find what's responsible in the meantime.
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2023-11-05 06:21:18 UTC
^Triage: assign to pf@.

While here, remove the [tag] information -- that was a hack for GNATS back in the day.  We use Bugzilla's Keywords now.
Comment 2 Kristof Provost freebsd_committer freebsd_triage 2023-11-05 11:53:29 UTC
Hi Dave,

I've not been able to reproduce this yet. The attached pf.conf appears to have been HTML-mangled, so perhaps I'm missing something in it.

The rule addition code has recently been moved to netlink, so it's not at all impossible that I missed something there, but it'll be easier to debug if I can reproduce it.

Failing that, if you can pass it through kgdb on your box and have that identify the panicking line in pf_ioctl_addrule(), that might give a clue as well.

(Basically, `sudo kgdb /boot/kernel/kernel /var/crash/vmcore.last`, and then 'bt' to get a backtrace, select the pf_ioctl_addrule() frame 'frame X', and 'l' to get the source line.)
Comment 3 Dave Cottlehuber freebsd_committer freebsd_triage 2023-11-07 22:58:13 UTC
```
(kgdb) bt
#0  __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:57
#1  doadump (textdump=textdump@entry=0) at /usr/src/sys/kern/kern_shutdown.c:405
#2  0xffffffff804a291a in db_dump (dummy=<optimized out>, dummy2=<optimized out>, dummy3=<optimized out>, dummy4=<optimized out>) at /usr/src/sys/ddb/db_command.c:591
#3  0xffffffff804a271d in db_command (last_cmdp=<optimized out>, cmd_table=<optimized out>, dopager=true) at /usr/src/sys/ddb/db_command.c:504
#4  0xffffffff804a23dd in db_command_loop () at /usr/src/sys/ddb/db_command.c:551
#5  0xffffffff804a5d56 in db_trap (type=<optimized out>, code=<optimized out>) at /usr/src/sys/ddb/db_main.c:268
#6  0xffffffff80b9c527 in kdb_trap (type=type@entry=3, code=code@entry=0, tf=tf@entry=0xfffffe0268632860) at /usr/src/sys/kern/subr_kdb.c:790
#7  0xffffffff8102214d in trap (frame=0xfffffe0268632860) at /usr/src/sys/amd64/amd64/trap.c:608
#8  <signal handler called>
#9  kdb_enter (why=<optimized out>, msg=<optimized out>) at /usr/src/sys/kern/subr_kdb.c:556
#10 0xffffffff80b4d4b3 in vpanic (fmt=0xffffffff8114dead "%s", ap=ap@entry=0xfffffe0268632a90) at /usr/src/sys/kern/kern_shutdown.c:958
#11 0xffffffff80b4d343 in panic (fmt=0xffffffff816b6b98 <gdb_consdev> "\020\3272\201\377\377\377\377\001") at /usr/src/sys/kern/kern_shutdown.c:894
#12 0xffffffff8102260c in trap_fatal (frame=0xfffffe0268632b80, eva=0) at /usr/src/sys/amd64/amd64/trap.c:952
#13 0xffffffff8102265f in trap_pfault (frame=0xfffffe0268632b80, usermode=false, signo=<optimized out>, ucode=<optimized out>) at /usr/src/sys/amd64/amd64/trap.c:760
#14 <signal handler called>
#15 0xffffffff83710574 in pf_ioctl_addrule (rule=rule@entry=0xfffff80cdc854800, ticket=ticket@entry=2, pool_ticket=pool_ticket@entry=196, anchor=anchor@entry=0xfffff8014bb5c028 "", anchor_call=anchor_call@entry=0xfffff8014bb5c030 "", uid=<optimized out>, pid=0)
    at /usr/src/sys/netpfil/pf/pf_ioctl.c:2094
#16 0xffffffff83730750 in pf_handle_addrule (hdr=0xfffff8014bb5c000, npt=0xfffffe0268632dc0) at /usr/src/sys/netpfil/pf/pf_nl.c:631
#17 0xffffffff80d947fb in nl_receive_message (hdr=0xfffff8014bb5c000, remaining_length=<optimized out>, nlp=0xfffff80c49506e00, npt=0xfffffe0268632dc0) at /usr/src/sys/netlink/netlink_io.c:506
#18 nl_process_mbuf (m=0xfffff80164c27300, nlp=0xfffff80c49506e00) at /usr/src/sys/netlink/netlink_io.c:580
#19 nl_process_received_one (nlp=0xfffff80c49506e00) at /usr/src/sys/netlink/netlink_io.c:293
#20 nl_process_received (nlp=0xfffff80c49506e00) at /usr/src/sys/netlink/netlink_io.c:320
#21 nl_taskqueue_handler (_arg=0xfffff80c49506e00, pending=<optimized out>) at /usr/src/sys/netlink/netlink_io.c:371
#22 0xffffffff80bb2452 in taskqueue_run_locked (queue=queue@entry=0xfffff80c4cb46c00) at /usr/src/sys/kern/subr_taskqueue.c:512
#23 0xffffffff80bb36e2 in taskqueue_thread_loop (arg=arg@entry=0xfffff80c49506e60) at /usr/src/sys/kern/subr_taskqueue.c:824
#24 0xffffffff80b0661f in fork_exit (callout=0xffffffff80bb3620 <taskqueue_thread_loop>, arg=0xfffff80c49506e60, frame=0xfffffe0268632f40) at /usr/src/sys/kern/kern_fork.c:1160
#25 <signal handler called>


(kgdb) frame 15
#15 0xffffffff83710574 in pf_ioctl_addrule (rule=rule@entry=0xfffff80cdc854800, ticket=ticket@entry=2, pool_ticket=pool_ticket@entry=196, anchor=anchor@entry=0xfffff8014bb5c028 "", anchor_call=anchor_call@entry=0xfffff8014bb5c030 "", uid=<optimized out>, pid=0)
    at /usr/src/sys/netpfil/pf/pf_ioctl.c:2094
warning: Source file is more recent than executable.
2094            tail = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
(kgdb)

(kgdb) l
2089             */
2090            if (ruleset->rules[rs_num].inactive.tree == NULL) {
2091                    ERROUT(EINVAL);
2092            }
2093
2094            tail = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
2095                pf_krulequeue);
2096            if (tail)
2097                    rule->nr = tail->nr + 1;
2098            else
(kgdb)
```

I bumped my src repo today for $WORK but it's not a big jump. Easy enough now to repro with your steps above, thank you!
Comment 4 Kristof Provost freebsd_committer freebsd_triage 2023-11-07 23:06:02 UTC
(In reply to Dave Cottlehuber from comment #3)
Can you also try printing rs_num, ruleset and ruleset->rules?

(p rs_num)
Comment 5 Dave Cottlehuber freebsd_committer freebsd_triage 2023-11-08 07:16:38 UTC
-- redone with src & core matching again https://git.sr.ht/~dch/src/commit/c6fd7e65435a3ea7184bbeb0e0138a4daf6d80e6


```
(kgdb) bt
#0  __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:57
#1  doadump (textdump=textdump@entry=0) at /usr/src/sys/kern/kern_shutdown.c:405
#2  0xffffffff804a2a1a in db_dump (dummy=<optimized out>, dummy2=<optimized out>, dummy3=<optimized out>, dummy4=<optimized out>)
    at /usr/src/sys/ddb/db_command.c:591
#3  0xffffffff804a281d in db_command (last_cmdp=<optimized out>, cmd_table=<optimized out>, dopager=false)
    at /usr/src/sys/ddb/db_command.c:504
#4  0xffffffff804a2966 in db_command_script (command=command@entry=0xffffffff817b5724 <db_recursion_data+84> "dump")
    at /usr/src/sys/ddb/db_command.c:569
#5  0xffffffff804a7f58 in db_script_exec (scriptname=scriptname@entry=0xfffffe026a44e520 "kdb.enter.panic",
    warnifnotfound=warnifnotfound@entry=0) at /usr/src/sys/ddb/db_script.c:302
#6  0xffffffff804a7d82 in db_script_kdbenter (eventname=<optimized out>) at /usr/src/sys/ddb/db_script.c:324
#7  0xffffffff804a5e51 in db_trap (type=<optimized out>, code=<optimized out>) at /usr/src/sys/ddb/db_main.c:267
#8  0xffffffff80b9c627 in kdb_trap (type=type@entry=3, code=code@entry=0, tf=tf@entry=0xfffffe026a44e860)
    at /usr/src/sys/kern/subr_kdb.c:790
#9  0xffffffff8102214d in trap (frame=0xfffffe026a44e860) at /usr/src/sys/amd64/amd64/trap.c:608
#10 <signal handler called>
#11 kdb_enter (why=<optimized out>, msg=<optimized out>) at /usr/src/sys/kern/subr_kdb.c:556
#12 0xffffffff80b4d5b3 in vpanic (fmt=0xffffffff8114decf "%s", ap=ap@entry=0xfffffe026a44ea90) at /usr/src/sys/kern/kern_shutdown.c:958
#13 0xffffffff80b4d443 in panic (fmt=0xffffffff816b6b98 <gdb_consdev> "\320\3312\201\377\377\377\377\001")
    at /usr/src/sys/kern/kern_shutdown.c:894
#14 0xffffffff8102260c in trap_fatal (frame=0xfffffe026a44eb80, eva=0) at /usr/src/sys/amd64/amd64/trap.c:952
#15 0xffffffff8102265f in trap_pfault (frame=0xfffffe026a44eb80, usermode=false, signo=<optimized out>, ucode=<optimized out>)
    at /usr/src/sys/amd64/amd64/trap.c:760
#16 <signal handler called>
#17 0xffffffff836de574 in pf_ioctl_addrule (rule=rule@entry=0xfffff80c1342a000, ticket=ticket@entry=2, pool_ticket=pool_ticket@entry=196,
    anchor=anchor@entry=0xfffff80cbe561028 "", anchor_call=anchor_call@entry=0xfffff80cbe561030 "", uid=<optimized out>, pid=0)
    at /usr/src/sys/netpfil/pf/pf_ioctl.c:2094
#18 0xffffffff836fe730 in pf_handle_addrule (hdr=0xfffff80cbe561000, npt=0xfffffe026a44edc0) at /usr/src/sys/netpfil/pf/pf_nl.c:631
#19 0xffffffff80d94aeb in nl_receive_message (hdr=0xfffff80cbe561000, remaining_length=<optimized out>, nlp=0xfffff80161e77300,
    npt=0xfffffe026a44edc0) at /usr/src/sys/netlink/netlink_io.c:506
#20 nl_process_mbuf (m=0xfffff80193368a00, nlp=0xfffff80161e77300) at /usr/src/sys/netlink/netlink_io.c:580
#21 nl_process_received_one (nlp=0xfffff80161e77300) at /usr/src/sys/netlink/netlink_io.c:293
#22 nl_process_received (nlp=0xfffff80161e77300) at /usr/src/sys/netlink/netlink_io.c:320
#23 nl_taskqueue_handler (_arg=0xfffff80161e77300, pending=<optimized out>) at /usr/src/sys/netlink/netlink_io.c:371
#24 0xffffffff80bb2552 in taskqueue_run_locked (queue=queue@entry=0xfffff80c09004a00) at /usr/src/sys/kern/subr_taskqueue.c:512
#25 0xffffffff80bb37e2 in taskqueue_thread_loop (arg=arg@entry=0xfffff80161e77360) at /usr/src/sys/kern/subr_taskqueue.c:824
#26 0xffffffff80b0671f in fork_exit (callout=0xffffffff80bb3720 <taskqueue_thread_loop>, arg=0xfffff80161e77360, frame=0xfffffe026a44ef40)
    at /usr/src/sys/kern/kern_fork.c:1160
#27 <signal handler called>
(kgdb) frame 17
#17 0xffffffff836de574 in pf_ioctl_addrule (rule=rule@entry=0xfffff80c1342a000, ticket=ticket@entry=2, pool_ticket=pool_ticket@entry=196,
    anchor=anchor@entry=0xfffff80cbe561028 "", anchor_call=anchor_call@entry=0xfffff80cbe561030 "", uid=<optimized out>, pid=0)
    at /usr/src/sys/netpfil/pf/pf_ioctl.c:2094
2094            tail = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
(kgdb) l
2089             */
2090            if (ruleset->rules[rs_num].inactive.tree == NULL) {
2091                    ERROUT(EINVAL);
2092            }
2093
2094            tail = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
2095                pf_krulequeue);
2096            if (tail)
2097                    rule->nr = tail->nr + 1;
2098            else
(kgdb) p rs_num
$1 = <optimized out>
(kgdb) p ruleset
$2 = (struct pf_kruleset *) 0xfffffe00d69e4078
(kgdb) p ruleset->rules
$3 = {{queues = {{tqh_first = 0xfffff801616ea000, tqh_last = 0xfffff801616ea328}, {tqh_first = 0x0, tqh_last = 0xfffffe00d69e4088}},
    active = {ptr = 0xfffffe00d69e4088, ptr_array = 0x0, rcount = 0, ticket = 1, open = 0, tree = 0xfffff80c850ea4d0}, inactive = {
      ptr = 0xfffffe00d69e4078, ptr_array = 0x0, rcount = 1, ticket = 2, open = 1, tree = 0xfffff80193841180}}, {queues = {{
        tqh_first = 0xfffff80be2d45000, tqh_last = 0xfffff80c1342a328}, {tqh_first = 0x0, tqh_last = 0xfffffe00d69e40f8}}, active = {
      ptr = 0xfffffe00d69e40f8, ptr_array = 0x0, rcount = 0, ticket = 1, open = 0, tree = 0xfffff801617f8f60}, inactive = {
      ptr = 0xfffffe00d69e40e8, ptr_array = 0x0, rcount = 150, ticket = 2, open = 1, tree = 0xfffff80a1889d4f0}}, {queues = {{
        tqh_first = 0xfffff80a182e4800, tqh_last = 0xfffff8016b176328}, {tqh_first = 0x0, tqh_last = 0xfffffe00d69e4168}}, active = {
      ptr = 0xfffffe00d69e4168, ptr_array = 0x0, rcount = 0, ticket = 1, open = 0, tree = 0xfffff80a188a4640}, inactive = {
      ptr = 0xfffffe00d69e4158, ptr_array = 0x0, rcount = 18, ticket = 2, open = 1, tree = 0xfffff80a1889d5b0}}, {queues = {{
        tqh_first = 0x0, tqh_last = 0xfffffe00d69e41c8}, {tqh_first = 0x0, tqh_last = 0xfffffe00d69e41d8}}, active = {
      ptr = 0xfffffe00d69e41d8, ptr_array = 0x0, rcount = 0, ticket = 1, open = 0, tree = 0xfffff80c850ea4e0}, inactive = {
      ptr = 0xfffffe00d69e41c8, ptr_array = 0x0, rcount = 0, ticket = 2, open = 1, tree = 0xfffff80c850ea490}}, {queues = {{
        tqh_first = 0xfffff80be2d3f800, tqh_last = 0xfffff80be2d3fb28}, {tqh_first = 0x0, tqh_last = 0xfffffe00d69e4248}}, active = {
      ptr = 0xfffffe00d69e4248, ptr_array = 0x0, rcount = 0, ticket = 1, open = 0, tree = 0xfffff80cac818520}, inactive = {
      ptr = 0xfffffe00d69e4238, ptr_array = 0x0, rcount = 1, ticket = 2, open = 1, tree = 0xfffff80a1889d530}}}
(kgdb)
```

btw see you on irc for faster RTT
Comment 6 Dave Cottlehuber freebsd_committer freebsd_triage 2023-11-08 15:06:14 UTC
Created attachment 246199 [details]
kp's fix

Perfect. Thanks!
Comment 7 commit-hook freebsd_committer freebsd_triage 2023-11-08 21:56:37 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=a6246a50b63450d0fe34e3429807bd5aba8cc2ac

commit a6246a50b63450d0fe34e3429807bd5aba8cc2ac
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2023-11-08 14:06:15 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-11-08 20:58:52 +0000

    pf: fix double free if pf_ioctl_addrule() fails

    If pf_ioctl_addrule() returns an error it will have freed the rule
    itself. There's no need for the caller to free it again.

    PR:             274915
    Reported by:    Dave Cottlehuber <dch@FreeBSD.org>
    MFC after:      1 week
    Sponsored by:   Rubicon Communications, LLC ("Netgate")

 sys/netpfil/pf/pf_nl.c | 3 ---
 1 file changed, 3 deletions(-)
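The ownership contract stated in the commit message, as an added C example that is not FreeBSD's code: a callee that frees the rule on failure, the caller that wrongly frees it again (the pattern the fix removes), and the corrected caller, with a tracking release that counts a second free instead of performing it. All type and function names are hypothetical stand-ins for pf_ioctl_addrule() and pf_handle_addrule().

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the contract behind the fix: the callee (the role of
 * pf_ioctl_addrule()) frees the rule when it fails, so the caller (the role of
 * pf_handle_addrule()) must not free it again. Names are hypothetical. */
struct rule {
    char name[48];
    int freed;          /* set on first release so a second one is detected */
};

static int g_double_frees;   /* double-free attempts observed by rule_free() */

static struct rule *rule_alloc(const char *name)
{
    struct rule *r = calloc(1, sizeof(*r));
    if (r != NULL) strncpy(r->name, name, sizeof(r->name) - 1);
    return r;
}

/* Tracking release: a second release is counted instead of executed. */
static void rule_free(struct rule *r)
{
    if (r->freed) { g_double_frees++; return; }
    r->freed = 1;       /* real code would free(r) here */
}

/* Callee that takes ownership: on error it frees the rule itself. */
static int ioctl_addrule(struct rule *r, int ticket, int expected_ticket)
{
    if (ticket != expected_ticket) {
        rule_free(r);   /* error path releases the rule */
        return EBUSY;
    }
    return 0;           /* success: the ruleset now owns the rule */
}

/* Buggy caller: frees again after a failed add (what the commit removed). */
static int handle_addrule_buggy(struct rule *r, int ticket)
{
    int error = ioctl_addrule(r, ticket, 2);
    if (error != 0)
        rule_free(r);   /* second release of an already-freed rule */
    return error;
}

/* Fixed caller: ownership already passed to the callee; only report the error. */
static int handle_addrule_fixed(struct rule *r, int ticket)
{
    return ioctl_addrule(r, ticket, 2);
}

/* Drives one handler down the error path (stale ticket 1, expected 2) and
 * returns how many double frees the tracking release observed. */
static int double_frees_for(int (*handler)(struct rule *, int))
{
    struct rule *r = rule_alloc("pass in quick on igb0");
    if (r == NULL)
        return -1;
    g_double_frees = 0;
    handler(r, 1);
    free(r);            /* actually release the tracking object */
    return g_double_frees;
}
```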