vnet shutdown / ifnet_departure_event
Kristof Provost
kp at FreeBSD.org
Thu Sep 6 13:15:34 UTC 2018
Hi Bjoern,

I’m running into an issue with vnet shutdown. It manifests
consistently with pfsync, but if I understand the problem fully it’s
not really related to pfsync.

The issue is that we end up with a use-after-free of the struct ifnet of
the pfsync interface.

When the jail shuts down, the pfsync interface is destroyed, but because
this is during vnet shutdown we skip a lot of the cleanup, including
the `EVENTHANDLER_INVOKE(ifnet_departure_event, ifp);`, which
means pf doesn’t get notified that the interface went away, so it
keeps its struct pfi_kif for that interface, which it tries to clean up
when we get round to doing the vnet shutdown for pf. At that point it
tries to clear the if_pf_kif and pfg_pf_kif pointers, for an ifp which
has already been freed.

Invoking the event handler from the ‘if (shutdown)’ code in
if_detach_internal() fixes the problem, but I’m not totally confident
that won’t have any unexpected side effects.

Best regards,
Kristof
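
The teardown ordering described in the message above, as an added user-space model (not FreeBSD kernel code and not part of the original post). The structs and functions are simplified stand-ins named after the ones in the message, and a `freed` flag replaces the real free so the stale pointer can be detected without touching freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins (assumptions), not the kernel definitions. */
struct kif;
struct ifnet { bool freed; struct kif *if_pf_kif; };
struct kif   { struct ifnet *ifp; };          /* models struct pfi_kif */

/* Models pf's ifnet_departure_event handler: unlink while ifp is valid. */
static void pf_departure(struct kif *k, struct ifnet *ifp)
{
    if (k->ifp == ifp) {
        ifp->if_pf_kif = NULL;
        k->ifp = NULL;
    }
}

/* Models if_detach_internal(): on the shutdown path the event is skipped
 * unless invoke_on_shutdown is set (the change proposed in the message). */
static void if_detach_model(struct ifnet *ifp, struct kif *k,
                            bool shutdown, bool invoke_on_shutdown)
{
    if (!shutdown || invoke_on_shutdown)
        pf_departure(k, ifp);
    ifp->freed = true;                        /* stands in for freeing ifp */
}

/* Models pf's own vnet teardown; returns true if it would write through
 * a pointer to an ifnet that has already been freed. */
static bool pf_teardown_touches_freed(struct kif *k)
{
    if (k->ifp == NULL)
        return false;                         /* already unlinked: safe */
    return k->ifp->freed;                     /* stale pointer: use-after-free */
}

bool scenario(bool shutdown, bool invoke_on_shutdown)
{
    struct ifnet ifp = { false, NULL };
    struct kif k = { &ifp };
    ifp.if_pf_kif = &k;
    if_detach_model(&ifp, &k, shutdown, invoke_on_shutdown);
    return pf_teardown_touches_freed(&k);
}

int main(void)
{
    printf("shutdown, event skipped : stale=%d\n", scenario(true, false));
    printf("shutdown, event invoked : stale=%d\n", scenario(true, true));
    return 0;
}
```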