From 0777f694d39d1fa04a7cff934b61fe47165f47ac Mon Sep 17 00:00:00 2001
From: glebius
Date: Thu, 6 Dec 2012 08:38:14 +0000
Subject: Rule memory garbage collecting in new pf scans only states that are on id hash. If a state has been disconnected from id hash, its rule pointers can no longer be dereferenced, and referenced memory can't be modified. Thus, move rule statistics from pf_free_rule() to pf_unlink_rule() and update them prior to releasing id hash slot lock.
Reported by: Ian FREISLICH
---
sys/netpfil/pf/pf.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
(limited to 'sys')
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index a86e550..5816320 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -1504,6 +1504,12 @@ pf_unlink_state(struct pf_state *s, u_int flags)
 if (pfsync_delete_state_ptr != NULL)
 pfsync_delete_state_ptr(s);
+ --s->rule.ptr->states_cur;
+ if (s->nat_rule.ptr != NULL)
+ --s->nat_rule.ptr->states_cur;
+ if (s->anchor.ptr != NULL)
+ --s->anchor.ptr->states_cur;
+
 s->timeout = PFTM_UNLINKED;
 PF_HASHROW_UNLOCK(ih);
@@ -1521,11 +1527,7 @@ pf_free_state(struct pf_state *cur)
 KASSERT(cur->refs == 0, ("%s: %p has refs", __func__, cur));
 KASSERT(cur->timeout == PFTM_UNLINKED, ("%s: timeout %u", __func__, cur->timeout));
- --cur->rule.ptr->states_cur;
- if (cur->nat_rule.ptr != NULL)
- --cur->nat_rule.ptr->states_cur;
- if (cur->anchor.ptr != NULL)
- --cur->anchor.ptr->states_cur;
+ pf_normalize_tcp_cleanup(cur);
 uma_zfree(V_pf_state_z, cur);
 V_pf_status.fcounters[FCNT_STATE_REMOVALS]++;
-- cgit v1.1
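Review bot: The decrements added after `pfsync_delete_state_ptr(s)` are plain read-modify-write updates of `states_cur`, a counter that lives in the rule and is shared by every state bound to that rule, while the only lock visibly held is the per-row `ih` released by `PF_HASHROW_UNLOCK(ih)` just below; a state in a different hash row being unlinked or created at the same moment can race this update and lose a count, unless `states_cur` is an atomic or per-CPU counter or is serialized by something outside this hunk. Holding the row lock does keep `s->rule.ptr` safe to dereference (the message says the rule GC only looks at states still on the id hash), but it does not make the counter update atomic across rows; if the field is a plain integer, `atomic_subtract_int(&s->rule.ptr->states_cur, 1);` here, with the matching atomic increment on the state-creation path, would close that window. The start of pf_unlink_state, and therefore where `ih` is acquired, lies outside the hunk. Separately, the commit message speaks of pf_free_rule() and pf_unlink_rule(), while the hunks actually modify pf_free_state() and pf_unlink_state().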