Date:      Wed, 24 Sep 2025 11:45:18 GMT
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: dc0cf0648c8d - main - pf: check if a group has a kif before dereferencing it
Message-ID:  <202509241145.58OBjIjF083114@gitrepo.freebsd.org>

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=dc0cf0648c8d28ab4914c798a4cff8256ae94ee5

commit dc0cf0648c8d28ab4914c798a4cff8256ae94ee5
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-09-02 08:46:26 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-09-24 11:44:54 +0000

    pf: check if a group has a kif before dereferencing it
    
    It's possible for interface groups to not have had a pfi_kkif assigned to
    them, so before we pass that pointer to pfi_kkif_update() we must check if it's
    actually set.
    
    We've seen panics such as this, where we get an address update for an interface
    that belongs to a group without an associated pfi_kkif:
    
            Tracing pid 12 tid 100034 td 0xfffff80100d2a000
            kdb_enter() at kdb_enter+0x33/frame 0xfffffe0067eed340
            panic() at panic+0x43/frame 0xfffffe0067eed3a0
            trap_pfault() at trap_pfault+0x3c9/frame 0xfffffe0067eed3f0
            calltrap() at calltrap+0x8/frame 0xfffffe0067eed3f0
            --- trap 0xc, rip = 0xffffffff8102ebd5, rsp = 0xfffffe0067eed4c0, rbp = 0xfffffe0067eed500 ---
            pfi_kkif_update() at pfi_kkif_update+0x15/frame 0xfffffe0067eed500
            pfi_kkif_update() at pfi_kkif_update+0x1fc/frame 0xfffffe0067eed550
            pfi_ifaddr_event() at pfi_ifaddr_event+0x82/frame 0xfffffe0067eed5a0
            srcaddr_change_event() at srcaddr_change_event+0xa7/frame 0xfffffe0067eed610
            in6_update_ifa() at in6_update_ifa+0xd52/frame 0xfffffe0067eed790
            in6_ifadd() at in6_ifadd+0x29a/frame 0xfffffe0067eed8b0
            nd6_ra_input() at nd6_ra_input+0xf65/frame 0xfffffe0067eeda90
            icmp6_input() at icmp6_input+0x3c8/frame 0xfffffe0067eedc10
            ip6_input() at ip6_input+0xa15/frame 0xfffffe0067eedcf0
            sppp_input() at sppp_input+0x502/frame 0xfffffe0067eedd80
            pppoe_data_input() at pppoe_data_input+0x1e7/frame 0xfffffe0067eeddf0
            swi_net() at swi_net+0x128/frame 0xfffffe0067eede60
            ithread_loop() at ithread_loop+0x239/frame 0xfffffe0067eedef0
            fork_exit() at fork_exit+0x7b/frame 0xfffffe0067eedf30
            fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0067eedf30
    
    Note that pf doesn't assign pfi_kkif objects to groups created before pf has
    fully started (see V_pf_vnet_active check in pfi_attach_group_event()), which is
    one possible way for this to happen.
    
    Reported by:    garga
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf_if.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sys/netpfil/pf/pf_if.c b/sys/netpfil/pf/pf_if.c
index e2200c15c704..f3be036ef745 100644
--- a/sys/netpfil/pf/pf_if.c
+++ b/sys/netpfil/pf/pf_if.c
@@ -655,8 +655,10 @@ pfi_kkif_update(struct pfi_kkif *kif)
 	/* again for all groups kif is member of */
 	if (kif->pfik_ifp != NULL) {
 		CK_STAILQ_FOREACH(ifgl, &kif->pfik_ifp->if_groups, ifgl_next)
-			pfi_kkif_update((struct pfi_kkif *)
-			    ifgl->ifgl_group->ifg_pf_kif);
+			if (ifgl->ifgl_group->ifg_pf_kif) {
+				pfi_kkif_update((struct pfi_kkif *)
+				    ifgl->ifgl_group->ifg_pf_kif);
+			}
 	}
 }
 
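Review bot: the new guard in the CK_STAILQ_FOREACH body, `if (ifgl->ifgl_group->ifg_pf_kif) {`, tests the pointer implicitly while the enclosing check two lines above spells out `if (kif->pfik_ifp != NULL) {`; writing `!= NULL` here as well keeps the pointer checks in pfi_kkif_update() consistent. A short comment at the check would also help, since the reason the pointer can legitimately be NULL (groups created before pf was fully active never get a pfi_kkif assigned, per the commit message) currently lives only in the commit message; and it is worth recording that, after this change, address updates for such groups are silently skipped rather than applied, so a follow-up that attaches a kif to pre-existing groups may still be wanted.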