Date: Mon, 21 Apr 2025 21:15:44 GMT
Message-Id: <202504212115.53LLFi6M033298@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: d6381193a3e8 - stable/13 - pf: improve pf_state_key_attach() error handling
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: d6381193a3e8bf4663863510fd8af8396f4fdb07

The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=d6381193a3e8bf4663863510fd8af8396f4fdb07

commit d6381193a3e8bf4663863510fd8af8396f4fdb07
Author:     Kristof Provost
AuthorDate: 2025-03-27 14:21:41 +0000
Commit:     Kristof Provost
CommitDate: 2025-04-21 21:14:16 +0000

    pf: improve pf_state_key_attach() error handling

    If we fail to attach the stack key that means we've already attached the
    wire key. That means the state could be found by other cores, and given
    that we then free it, be used after free.

    Fix this by not releasing the ID hashrow lock and key locks until after
    we've removed the inserted key again, ensuring the state cannot be found
    by other cores.

    Reported by:    markj
    Submitted by:   glebius
    Reviewed by:    glebius, markj
    MFC after:      3 weeks
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D49550

    (cherry picked from commit 8efd2acf07bc0e1c3ea1f7390e0f1cfb7cf6f86c)
---
 sys/netpfil/pf/pf.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index b5f872d40b02..363e678cbe24 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c
@@ -1300,15 +1300,28 @@ keyattach: printf("\n"); } s->timeout = PFTM_UNLINKED; + if (idx == PF_SK_STACK) + /* + * Remove the wire key from + * the hash. Other threads + * can't be referencing it + * because we still hold the + * hash lock. + */ + pf_state_key_detach(s, + PF_SK_WIRE); PF_HASHROW_UNLOCK(ih); KEYS_UNLOCK(); - if (idx == PF_SK_WIRE) { + if (idx == PF_SK_WIRE) + /* + * We've not inserted either key. + * Free both. + */ uma_zfree(V_pf_state_key_z, skw); - if (skw != sks) - uma_zfree(V_pf_state_key_z, sks); - } else { - pf_detach_state(s); - } + if (skw != sks) + uma_zfree( + V_pf_state_key_z, + sks); return (EEXIST); /* collision! */ } }
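
Review bot: In the cleanup after KEYS_UNLOCK(), the comment "We've not inserted either key. Free both." sits inside an unbraced `if (idx == PF_SK_WIRE)` that governs only `uma_zfree(V_pf_state_key_z, skw);`, while the `if (skw != sks)` free of sks has moved out of the old braced block and now also runs on the PF_SK_STACK path. If freeing sks on both paths is intended, add a comment on that statement saying so, and note that on the stack path skw is left to `pf_state_key_detach(s, PF_SK_WIRE)`, so a later reader does not take the unconditional free for a dropped brace. I would also put braces around both bodies that carry a multi-line comment between the condition and its single statement, here and in the `if (idx == PF_SK_STACK)` before PF_HASHROW_UNLOCK(ih), so the scope of each condition is explicit. The comment on the detach says "we still hold the hash lock" while the commit message relies on both the ID hashrow lock and the key locks being held; naming both in the comment would keep the ordering constraint visible if the unlock calls are ever moved.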