Date: Mon, 21 Apr 2025 21:15:43 GMT
Message-Id: <202504212115.53LLFhn5033193@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: 482f4dc272cc - stable/14 - pf: improve pf_state_key_attach() error handling
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches

The branch stable/14 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=482f4dc272ccb73f80f07e838fe53d0ab2e85931

commit 482f4dc272ccb73f80f07e838fe53d0ab2e85931
Author:     Kristof Provost
AuthorDate: 2025-03-27 14:21:41 +0000
Commit:     Kristof Provost
CommitDate: 2025-04-21 20:25:45 +0000

    pf: improve pf_state_key_attach() error handling

    If we fail to attach the stack key that means we've already attached the
    wire key. That means the state could be found by other cores, and given
    that we then free it, be used after free.

    Fix this by not releasing the ID hashrow lock and key locks until after
    we've removed the inserted key again, ensuring the state cannot be found
    by other cores.

    Reported by:    markj
    Submitted by:   glebius
    Reviewed by:    glebius, markj
    MFC after:      3 weeks
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D49550

    (cherry picked from commit 8efd2acf07bc0e1c3ea1f7390e0f1cfb7cf6f86c)
---
 sys/netpfil/pf/pf.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 06761060b583..c962821b8acd 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c
@@ -1365,15 +1365,28 @@ keyattach: printf("\n"); } s->timeout = PFTM_UNLINKED; + if (idx == PF_SK_STACK) + /* + * Remove the wire key from + * the hash. Other threads + * can't be referencing it + * because we still hold the + * hash lock. + */ + pf_state_key_detach(s, + PF_SK_WIRE); PF_HASHROW_UNLOCK(ih); KEYS_UNLOCK(); - if (idx == PF_SK_WIRE) { + if (idx == PF_SK_WIRE) + /* + * We've not inserted either key. + * Free both. + */ uma_zfree(V_pf_state_key_z, skw); - if (skw != sks) - uma_zfree(V_pf_state_key_z, sks); - } else { - pf_detach_state(s); - } + if (skw != sks) + uma_zfree( + V_pf_state_key_z, + sks); return (EEXIST); /* collision! */ } }
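
Review bot: the comment "We've not inserted either key. Free both." sits inside the brace-less `if (idx == PF_SK_WIRE)` that follows `KEYS_UNLOCK()`, but that `if` now governs only `uma_zfree(V_pf_state_key_z, skw)`; the `if (skw != sks)` free of `sks` runs on both the wire and the stack failure path. That looks intended, since on the stack path `sks` was never inserted and the wire key is removed by `pf_state_key_detach(s, PF_SK_WIRE)` while the hash row and key locks are still held, but the comment and layout read as if both frees were conditional on `idx == PF_SK_WIRE`. Suggest restoring braces on both `if (idx == ...)` statements, because each body is a multi-line comment followed by a statement, and adding a one-line comment above `if (skw != sks)` saying the stack key is freed in either case. It would also help to say in the first comment what releases `skw` on the stack path: the old `pf_detach_state(s)` call is gone and no `uma_zfree()` of `skw` runs there, so the reader has to assume `pf_state_key_detach()` does it, including when `skw == sks`.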