Author: kp
Date: Tue Oct 13 11:04:00 2020
New Revision: 366667
URL: https://svnweb.freebsd.org/changeset/base/366667
Log:
pf: do not remove kifs that are referenced by rules
Even if a kif doesn't have an ifp or if_group pointer we still can't delete it
if it's referenced by a rule. In other words: we must check rulerefs as well.
While we're here also teach pfi_kif_unref() not to remove kifs with flags.
Reported-by: syzbot+b31d1d7e12c5d4d42...@syzkaller.appspotmail.com
MFC after: 2 weeks
Modified:
head/sys/netpfil/pf/pf_if.c
Modified: head/sys/netpfil/pf/pf_if.c
==============================================================================
--- head/sys/netpfil/pf/pf_if.c Tue Oct 13 10:31:12 2020 (r366666)
+++ head/sys/netpfil/pf/pf_if.c Tue Oct 13 11:04:00 2020 (r366667)
@@ -282,8 +282,10 @@ pfi_kif_unref(struct pfi_kif *kif)
if (kif->pfik_rulerefs > 0)
return;
- /* kif referencing an existing ifnet or group should exist. */
- if (kif->pfik_ifp != NULL || kif->pfik_group != NULL || kif ==
V_pfi_all)
+ /* kif referencing an existing ifnet or group or holding flags should
+ * exist. */
+ if (kif->pfik_ifp != NULL || kif->pfik_group != NULL ||
+ kif == V_pfi_all || kif->pfik_flags != 0)
return;
RB_REMOVE(pfi_ifhead, &V_pfi_ifs, kif);
@@ -833,7 +835,7 @@ pfi_clear_flags(const char *name, int flags)
p->pfik_flags &= ~flags;
if (p->pfik_ifp == NULL && p->pfik_group == NULL &&
- p->pfik_flags == 0) {
+ p->pfik_flags == 0 && p->pfik_rulerefs == 0) {
/* Delete this kif. */
RB_REMOVE(pfi_ifhead, &V_pfi_ifs, p);
free(p, PFI_MTYPE);
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
