git: 01194da28a21 - main - pfsync: hold b_mtx for callout_stop(pd_tmo)

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Kristof Provost <kp_at_FreeBSD.org>
Date: Tue, 28 Mar 2023 01:18:32 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=01194da28a2123a2aa09808319f152fa115f60f1

commit 01194da28a2123a2aa09808319f152fa115f60f1
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2023-03-22 13:46:25 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-03-27 23:17:55 +0000

    pfsync: hold b_mtx for callout_stop(pd_tmo)
    
    The pd_tmo callout has an associated mutex, which we must hold while
    calling callout_stop().
    
    Reported by:    markj
    Reviewed by:    markj
    MFC after:      3 days
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D39223
---
 sys/netpfil/pf/if_pfsync.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c
index ae3a2e46e26b..4e4bbc9bc8b7 100644
--- a/sys/netpfil/pf/if_pfsync.c
+++ b/sys/netpfil/pf/if_pfsync.c
@@ -402,7 +402,7 @@ pfsync_clone_destroy(struct ifnet *ifp)
 {
 	struct pfsync_softc *sc = ifp->if_softc;
 	struct pfsync_bucket *b;
-	int c;
+	int c, ret;
 
 	for (c = 0; c < pfsync_buckets; c++) {
 		b = &sc->sc_buckets[c];
@@ -411,22 +411,25 @@ pfsync_clone_destroy(struct ifnet *ifp)
 		 * cleared by pfsync_uninit(), and we have only to
 		 * drain callouts.
 		 */
+		PFSYNC_BUCKET_LOCK(b);
 		while (b->b_deferred > 0) {
 			struct pfsync_deferral *pd =
 			    TAILQ_FIRST(&b->b_deferrals);
 
-			TAILQ_REMOVE(&b->b_deferrals, pd, pd_entry);
-			b->b_deferred--;
-			if (callout_stop(&pd->pd_tmo) > 0) {
-				pf_release_state(pd->pd_st);
-				m_freem(pd->pd_m);
-				free(pd, M_PFSYNC);
+			ret = callout_stop(&pd->pd_tmo);
+			PFSYNC_BUCKET_UNLOCK(b);
+			if (ret > 0) {
+				pfsync_undefer(pd, 1);
 			} else {
 				pd->pd_refs++;
 				callout_drain(&pd->pd_tmo);
-				free(pd, M_PFSYNC);
 			}
+			free(pd, M_PFSYNC);
+			PFSYNC_BUCKET_LOCK(b);
 		}
+		MPASS(b->b_deferred == 0);
+		MPASS(TAILQ_EMPTY(&b->b_deferrals));
+		PFSYNC_BUCKET_UNLOCK(b);
 
 		callout_drain(&b->b_tmo);
 	}