I believe that was accidentally broken by 96b29c7f0cffd377a757ad8ccc0cdd8fcb96d0dd, which fixed the issue of jails being unable to go away while they still had ovpn interfaces in them. It fixed that, but also removed the VNET_SYSUNINIT that prevented this leak.

Ah, thanks. With the original patch reverted this applies and works as expected.
I'm not all that familiar with this code, but it works and I don't see any obvious problems (and it addresses the problem CHERI found, being that we used more than 'new_size' from 'new_base'.)

What's this based on? It doesn't seem to want to apply to FreeBSD main (f9500e75791cf793904c80ca4a52433afd585a23).

In D53697#1227856, @igoro wrote:

In D53697#1226388, @jhb wrote:

@igoro would you be able to test this on your workload (armv7) to ensure it still does the correct thing?

VM-based armv7 tests on my side passed. I believe it's enough as pfctl was unusable before the fix (after switching to Netlink).
It's up to @kp whether it needs additional run on actual armv7-based appliance.

The content looks good to me.

Do you have a specific OpenBSD patch you obtained this from?

Part of the issue here is that we've got layer 3 and ethernet anchors and it's possible for an anchor to exist in one but not the other. So a pfctl -sA -a foo can be valid for one but not the other. I don't immediately see a better way of handling that than to just not raise errors either.

Thanks. I’ll try to review this (and your other patch) in the next days.

In D53070#1213136, @mjg wrote:

In D53070#1212847, @kp wrote:

I do still want to murder this code, but we'll wait until armv7 finally dies, or dies enough.

one can consider reverting this to a state prior to introduction of per-cpu counters. that is, just have a var updated directly. this loses updates, but maybe it's good enough for armv7?

Thanks for catching that. I'm not sure how I missed it, but I'm glad I remembered you wrote it and would be a good person to copy on a review.