git: 8845978fec03 - releng/14.3 - rack: Reload the TCP stack PCB after reacquiring the inpcb lock

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Tue, 30 Jun 2026 17:20:34 UTC
The branch releng/14.3 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=8845978fec035db3a9643d7f36843dfc7c6c68d8

commit 8845978fec035db3a9643d7f36843dfc7c6c68d8
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-06-23 21:46:17 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-06-30 02:32:01 +0000

    rack: Reload the TCP stack PCB after reacquiring the inpcb lock
    
    Malicious userspace might switch TCP stacks twice while the inpcb lock
    is dropped.  If it does so, the validation of tp->t_fb might succeed,
    but the saved pointer to the stack PCB might be invalid.  Reload it to
    avoid this problem, as BBR already does.
    
    Approved by:    so
    Security:       FreeBSD-SA-26:43.tcp
    Security:       CVE-2026-49422
    Reported by:    Maik Münch
    Reviewed by:    tuexen
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D57791
---
 sys/netinet/tcp_stacks/rack.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sys/netinet/tcp_stacks/rack.c b/sys/netinet/tcp_stacks/rack.c
index f90b747cc2e4..3d6734b6874b 100644
--- a/sys/netinet/tcp_stacks/rack.c
+++ b/sys/netinet/tcp_stacks/rack.c
@@ -23934,6 +23934,7 @@ process_opt:
 		INP_WUNLOCK(inp);
 		return (ENOPROTOOPT);
 	}
+	rack = (struct tcp_rack *)tp->t_fb_ptr;
 	if (rack->defer_options && (rack->gp_ready == 0) &&
 	    (sopt->sopt_name != TCP_DEFER_OPTIONS) &&
 	    (sopt->sopt_name != TCP_HYBRID_PACING) &&