From owner-svn-src-stable@freebsd.org Sat Jun 16 11:42:28 2018 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id F238F1013681; Sat, 16 Jun 2018 11:42:27 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id A7E6C7EB7C; Sat, 16 Jun 2018 11:42:27 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 70B2525DEF; Sat, 16 Jun 2018 11:42:27 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w5GBgR1i009822; Sat, 16 Jun 2018 11:42:27 GMT (envelope-from kp@FreeBSD.org) Received: (from kp@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w5GBgRS6009821; Sat, 16 Jun 2018 11:42:27 GMT (envelope-from kp@FreeBSD.org) Message-Id: <201806161142.w5GBgRS6009821@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kp set sender to kp@FreeBSD.org using -f From: Kristof Provost Date: Sat, 16 Jun 2018 11:42:27 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r335252 - stable/10/sys/netpfil/pf X-SVN-Group: stable-10 X-SVN-Commit-Author: kp X-SVN-Commit-Paths: stable/10/sys/netpfil/pf X-SVN-Commit-Revision: 335252 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Jun 2018 11:42:28 -0000 Author: kp Date: Sat Jun 16 11:42:27 2018 New Revision: 335252 URL: https://svnweb.freebsd.org/changeset/base/335252 Log: MFC r334876: pf: Fix deadlock with route-to If a locally generated packet is routed (with route-to/reply-to/dup-to) out of a different interface it's passed through the firewall again. This meant we lost the inp pointer and if we required the pointer (e.g. for user ID matching) we'd deadlock trying to acquire an inp lock we've already got. Pass the inp pointer along with pf_route()/pf_route6(). PR: 228782 Modified: stable/10/sys/netpfil/pf/pf.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/netpfil/pf/pf.c ============================================================================== --- stable/10/sys/netpfil/pf/pf.c Sat Jun 16 09:32:05 2018 (r335251) +++ stable/10/sys/netpfil/pf/pf.c Sat Jun 16 11:42:27 2018 (r335252) @@ -284,14 +284,14 @@ static void pf_mtag_free(struct m_tag *); #ifdef INET static void pf_route(struct mbuf **, struct pf_rule *, int, struct ifnet *, struct pf_state *, - struct pf_pdesc *); + struct pf_pdesc *, struct inpcb *); #endif /* INET */ #ifdef INET6 static void pf_change_a6(struct pf_addr *, u_int16_t *, struct pf_addr *, u_int8_t); static void pf_route6(struct mbuf **, struct pf_rule *, int, struct ifnet *, struct pf_state *, - struct pf_pdesc *); + struct pf_pdesc *, struct inpcb *); #endif /* INET6 */ int in4_cksum(struct mbuf *m, u_int8_t nxt, int off, int len); @@ -5333,7 +5333,7 @@ out: #ifdef INET static void pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, - struct pf_state *s, struct pf_pdesc *pd) + struct pf_state *s, struct pf_pdesc *pd, struct inpcb *inp) { struct mbuf *m0, *m1; struct sockaddr_in dst; @@ -5421,7 +5421,7 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, goto bad; if (oifp != ifp) { - if (pf_test(PF_OUT, ifp, &m0, NULL) != PF_PASS) + if (pf_test(PF_OUT, ifp, &m0, inp) != PF_PASS) goto bad; else if (m0 == NULL) goto done; @@ -5515,7 +5515,7 @@ bad: #ifdef INET6 static void pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, - struct pf_state *s, struct pf_pdesc *pd) + struct pf_state *s, struct pf_pdesc *pd, struct inpcb *inp) { struct mbuf *m0; struct sockaddr_in6 dst; @@ -5594,7 +5594,7 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, goto bad; if (oifp != ifp) { - if (pf_test6(PF_FWD, ifp, &m0, NULL) != PF_PASS) + if (pf_test6(PF_FWD, ifp, &m0, inp) != PF_PASS) goto bad; else if (m0 == NULL) goto done; @@ -6145,7 +6145,7 @@ done: default: /* pf_route() returns unlocked. */ if (r->rt) { - pf_route(m0, r, dir, kif->pfik_ifp, s, &pd); + pf_route(m0, r, dir, kif->pfik_ifp, s, &pd, inp); return (action); } break; @@ -6548,7 +6548,7 @@ done: default: /* pf_route6() returns unlocked. */ if (r->rt) { - pf_route6(m0, r, dir, kif->pfik_ifp, s, &pd); + pf_route6(m0, r, dir, kif->pfik_ifp, s, &pd, inp); return (action); } break;