From owner-svn-src-all@freebsd.org Sat Jun 16 09:32:06 2018
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mailman.ysv.freebsd.org (Postfix) with ESMTP id 220B11010421;
Sat, 16 Jun 2018 09:32:06 +0000 (UTC) (envelope-from kp@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
[IPv6:2610:1c1:1:606c::19:3])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mxrelay.nyi.freebsd.org",
Issuer "Let's Encrypt Authority X3" (verified OK))
by mx1.freebsd.org (Postfix) with ESMTPS id C88927B6DD;
Sat, 16 Jun 2018 09:32:05 +0000 (UTC) (envelope-from kp@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
[IPv6:2610:1c1:1:6068::e6a:0])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client did not present a certificate)
by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id A9BF0248CB;
Sat, 16 Jun 2018 09:32:05 +0000 (UTC) (envelope-from kp@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w5G9W5Jm040540;
Sat, 16 Jun 2018 09:32:05 GMT (envelope-from kp@FreeBSD.org)
Received: (from kp@localhost)
by repo.freebsd.org (8.15.2/8.15.2/Submit) id w5G9W5Fv040539;
Sat, 16 Jun 2018 09:32:05 GMT (envelope-from kp@FreeBSD.org)
Message-Id: <201806160932.w5G9W5Fv040539@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: kp set sender to kp@FreeBSD.org
using -f
From: Kristof Provost <kp@FreeBSD.org>
Date: Sat, 16 Jun 2018 09:32:05 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r335251 - stable/11/sys/netpfil/pf
X-SVN-Group: stable-11
X-SVN-Commit-Author: kp
X-SVN-Commit-Paths: stable/11/sys/netpfil/pf
X-SVN-Commit-Revision: 335251
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for "
user" and " projects" \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
<mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
<mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Jun 2018 09:32:06 -0000
Author: kp
Date: Sat Jun 16 09:32:05 2018
New Revision: 335251
URL: https://svnweb.freebsd.org/changeset/base/335251
Log:
MFC r334876:
pf: Fix deadlock with route-to
If a locally generated packet is routed (with route-to/reply-to/dup-to) out of
a different interface it's passed through the firewall again. This meant we
lost the inp pointer and if we required the pointer (e.g. for user ID matching)
we'd deadlock trying to acquire an inp lock we've already got.
Pass the inp pointer along with pf_route()/pf_route6().
PR: 228782
Modified:
stable/11/sys/netpfil/pf/pf.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sys/netpfil/pf/pf.c
==============================================================================
--- stable/11/sys/netpfil/pf/pf.c Sat Jun 16 08:26:23 2018 (r335250)
+++ stable/11/sys/netpfil/pf/pf.c Sat Jun 16 09:32:05 2018 (r335251)
@@ -290,14 +290,14 @@ static void pf_mtag_free(struct m_tag *);
#ifdef INET
static void pf_route(struct mbuf **, struct pf_rule *, int,
struct ifnet *, struct pf_state *,
- struct pf_pdesc *);
+ struct pf_pdesc *, struct inpcb *);
#endif /* INET */
#ifdef INET6
static void pf_change_a6(struct pf_addr *, u_int16_t *,
struct pf_addr *, u_int8_t);
static void pf_route6(struct mbuf **, struct pf_rule *, int,
struct ifnet *, struct pf_state *,
- struct pf_pdesc *);
+ struct pf_pdesc *, struct inpcb *);
#endif /* INET6 */
int in4_cksum(struct mbuf *m, u_int8_t nxt, int off, int len);
@@ -5428,7 +5428,7 @@ pf_routable(struct pf_addr *addr, sa_family_t af, stru
#ifdef INET
static void
pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
- struct pf_state *s, struct pf_pdesc *pd)
+ struct pf_state *s, struct pf_pdesc *pd, struct inpcb *inp)
{
struct mbuf *m0, *m1;
struct sockaddr_in dst;
@@ -5513,7 +5513,7 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir,
goto bad;
if (oifp != ifp) {
- if (pf_test(PF_OUT, 0, ifp, &m0, NULL) != PF_PASS)
+ if (pf_test(PF_OUT, 0, ifp, &m0, inp) != PF_PASS)
goto bad;
else if (m0 == NULL)
goto done;
@@ -5606,7 +5606,7 @@ bad:
#ifdef INET6
static void
pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
- struct pf_state *s, struct pf_pdesc *pd)
+ struct pf_state *s, struct pf_pdesc *pd, struct inpcb *inp)
{
struct mbuf *m0;
struct sockaddr_in6 dst;
@@ -5685,7 +5685,7 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir,
goto bad;
if (oifp != ifp) {
- if (pf_test6(PF_OUT, PFIL_FWD, ifp, &m0, NULL) != PF_PASS)
+ if (pf_test6(PF_OUT, PFIL_FWD, ifp, &m0, inp) != PF_PASS)
goto bad;
else if (m0 == NULL)
goto done;
@@ -6248,7 +6248,7 @@ done:
default:
/* pf_route() returns unlocked. */
if (r->rt) {
- pf_route(m0, r, dir, kif->pfik_ifp, s, &pd);
+ pf_route(m0, r, dir, kif->pfik_ifp, s, &pd, inp);
return (action);
}
break;
@@ -6644,7 +6644,7 @@ done:
default:
/* pf_route6() returns unlocked. */
if (r->rt) {
- pf_route6(m0, r, dir, kif->pfik_ifp, s, &pd);
+ pf_route6(m0, r, dir, kif->pfik_ifp, s, &pd, inp);
return (action);
}
break;