From 264bf696ba1de682cdf6f36cf5d6ce251489183a Mon Sep 17 00:00:00 2001
From: kp <kp@FreeBSD.org>
Date: Sat, 11 Aug 2018 16:37:55 +0000
Subject: [PATCH] pf: Take the IF_ADDR_RLOCK() when iterating over the group
 list

We did do this elsewhere in pf, but the lock was missing here.

Sponsored by:	Essen Hackathon
---
 sys/netpfil/pf/pf_if.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/sys/netpfil/pf/pf_if.c b/sys/netpfil/pf/pf_if.c
index 68d626dc620..cc9c2f80011 100644
--- a/sys/netpfil/pf/pf_if.c
+++ b/sys/netpfil/pf/pf_if.c
@@ -297,11 +297,16 @@ pfi_kif_match(struct pfi_kif *rule_kif, struct pfi_kif *packet_kif)
 	if (rule_kif == NULL || rule_kif == packet_kif)
 		return (1);
 
-	if (rule_kif->pfik_group != NULL)
-		/* XXXGL: locking? */
+	if (rule_kif->pfik_group != NULL) {
+		IF_ADDR_RLOCK(packet_kif->pfik_ifp);
 		CK_STAILQ_FOREACH(p, &packet_kif->pfik_ifp->if_groups, ifgl_next)
-			if (p->ifgl_group == rule_kif->pfik_group)
+			if (p->ifgl_group == rule_kif->pfik_group) {
+				IF_ADDR_RUNLOCK(packet_kif->pfik_ifp);
 				return (1);
+			}
+		IF_ADDR_RUNLOCK(packet_kif->pfik_ifp);
+	}
+
 
 	return (0);
 }
-- 
2.45.0