Date: Mon, 31 Mar 2025 14:57:57 GMT
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 8efd2acf07bc - main - pf: improve pf_state_key_attach() error handling

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=8efd2acf07bc0e1c3ea1f7390e0f1cfb7cf6f86c

commit 8efd2acf07bc0e1c3ea1f7390e0f1cfb7cf6f86c
Author: Kristof Provost
AuthorDate: 2025-03-27 14:21:41 +0000
Commit: Kristof Provost
CommitDate: 2025-03-31 12:55:42 +0000

    pf: improve pf_state_key_attach() error handling

    If we fail to attach the stack key that means we've already attached
    the wire key. That means the state could be found by other cores, and
    given that we then free it, be used after free.

    Fix this by not releasing the ID hashrow lock and key locks until after
    we've removed the inserted key again, ensuring the state cannot be found
    by other cores.

    Reported by: markj
    Submitted by: glebius
    Reviewed by: glebius, markj
    MFC after: 3 weeks
    Sponsored by: Rubicon Communications, LLC ("Netgate")
    Differential Revision: https://reviews.freebsd.org/D49550

--- sys/netpfil/pf/pf.c | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index ef86d70db760..ae1ad679d951 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c
@@ -1523,15 +1523,28 @@ keyattach: printf("\n"); } s->timeout = PFTM_UNLINKED; + if (idx == PF_SK_STACK) + /* + * Remove the wire key from + * the hash. Other threads + * can't be referencing it + * because we still hold the + * hash lock. + */ + pf_state_key_detach(s, + PF_SK_WIRE); PF_HASHROW_UNLOCK(ih); KEYS_UNLOCK(); - if (idx == PF_SK_WIRE) { + if (idx == PF_SK_WIRE) + /* + * We've not inserted either key. + * Free both. + */ uma_zfree(V_pf_state_key_z, skw); - if (skw != sks) - uma_zfree(V_pf_state_key_z, sks); - } else { - pf_detach_state(s); - } + if (skw != sks) + uma_zfree( + V_pf_state_key_z, + sks); return (EEXIST); /* collision! */ } }
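
Review bot: In the block after KEYS_UNLOCK(), the braces around "if (idx == PF_SK_WIRE)" were dropped, so the comment "We've not inserted either key. Free both." now sits on an if that guards only uma_zfree(V_pf_state_key_z, skw), while "if (skw != sks)" and its uma_zfree of sks run on the PF_SK_STACK path as well. If freeing sks on both paths is intended (the stack key never made it into the hash), please keep braces around these multi-line bodies and give the sks free its own comment saying it applies to both cases, so the next reader does not take "Free both" as covering a single braced block. The same applies to the new un-braced "if (idx == PF_SK_STACK)" above it, whose body is a seven-line comment followed by a wrapped pf_state_key_detach(s, PF_SK_WIRE) call. Since pf_detach_state(s) is removed from the else branch and only the wire key is detached now, a short comment on why no further teardown of s is needed here would also help. It would be worth stating next to the detach call that pf_state_key_detach() is safe to call with the ID hashrow lock and the key locks still held, since that ordering is the whole point of the fix.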