From nobody Sat May 24 08:23:15 2025
X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4b4FQr39Fbz5xJlC;
	Sat, 24 May 2025 08:23:16 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4b4FQr0LTsz3syM;
	Sat, 24 May 2025 08:23:16 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1748074996;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=RfeVhQYdznf4nGlPTlsIBPjXK1oFxA+d5uP2hmdYZPE=;
	b=Vvif7+u0BNTbOdmoAbdNTHxYIeZtXYVw1dt+5Ms8my1/yhuYiW/Oqo1rjMLGvyzbsB4iES
	ii7BOQOK9XtaF87bAq4+WyxcGwtwUo66jdlD/gSoTLGuBRgFJ43QushzZdPIMulzqPxaq8
	pgCWNP8AHGUr2g1iInA1r4wRfz3C0w/lEhTzTDKfPvzxdIcq/ycxsBOxnfKp6fKjY8sQJa
	6ctUVSNTv1pwIt5PYhIYXTAkCi3Yz2kP41hIllp6NgHrIChmeMTKQlpQ4Qp9KQj6Re9ZOr
	asUdy96IPJfRvWoxx6D6RvprZZZn/6XD4zMwLzUf8YJt6L5kGW/JpXwKrbN57A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1748074996;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=RfeVhQYdznf4nGlPTlsIBPjXK1oFxA+d5uP2hmdYZPE=;
	b=D8jRMOMHnYDXKsE79v+5NpJYvooZlOSoBpFgJdmzLFYeNmpO+NMDI7IvOLkUYtWeryLfkr
	8cFGU+wHPf5W6FJ5hWdOi47hveCUGs5ONsmnUE/Zk4DyY7uvtMDAAyQYCmpa3LYPEEjFcH
	E4g4FXfyembhnfu0mGnWKyuf0w7qMWr8DEHGEg/M7c3XkFENj1MG8aLXjWkAd7tPmsdrGs
	EKvJOuMnvhlOJ5tm5+hEp96YR8un4ay9sXFa0+QYzWnx1oW34EeaQ54junanEGBbV4qswl
	/gWjs51kaX5/ejKOB66ZRauiN+E5WQuraa294QzckPoEUa1Vv8WukTcxP99+HA==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1748074996; a=rsa-sha256; cv=none;
	b=ASxwGCKSdu/7ZKQkHvMFtKcV+zHZc6+P5WPdj6qli+O1DdiDr3oaiNBsUDQzcYIlrtk+U0
	zTBQIU5nwBXwhQA0KZsIWsYdHHRv+yHKqK5uS7nyF7e8iRBmYrLjGGXYjE55p/haxajFyM
	k8jWl0TqvD6x2uJi8JbOnt+bJMZvpw+pj7PT7D9MmMsmkrwFCfabeV4ymXEmnoYIg7jFck
	kD/s+MjI5/jcsQZDPxj9SyzQ7kYUl1cNEYsHaYMfdwDiDbtAqr2347fT/JqHyPTOX9AlmB
	eJl/c5JDHIixin+MPeuaZZgMHbfUhvpnVlcC3HhyamX7ek4LVGno+OYWZRoSow==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4b4FQq71f5zCQ5;
	Sat, 24 May 2025 08:23:15 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 54O8NF7P020310;
	Sat, 24 May 2025 08:23:15 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 54O8NFQD020307;
	Sat, 24 May 2025 08:23:15 GMT
	(envelope-from git)
Date: Sat, 24 May 2025 08:23:15 GMT
Message-Id: <202505240823.54O8NFQD020307@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-main@FreeBSD.org
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
Subject: git: 6a97fbe6fcb3 - main - carp: fix mbuf_tag usage in
  carp_macmatch6
List-Id: Commit messages for the main branch of the src repository <dev-commits-src-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help: <mailto:dev-commits-src-main+help@freebsd.org>
List-Post: <mailto:dev-commits-src-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-main+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: ae
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 6a97fbe6fcb3f9d413384c6b3594346aebc42e59
Auto-Submitted: auto-generated

The branch main has been updated by ae:

URL: https://cgit.FreeBSD.org/src/commit/?id=6a97fbe6fcb3f9d413384c6b3594346aebc42e59

commit 6a97fbe6fcb3f9d413384c6b3594346aebc42e59
Author:     Andrey V. Elsukov <ae@FreeBSD.org>
AuthorDate: 2025-05-24 08:18:31 +0000
Commit:     Andrey V. Elsukov <ae@FreeBSD.org>
CommitDate: 2025-05-24 08:18:31 +0000

    carp: fix mbuf_tag usage in carp_macmatch6
    
    carp_macmatch6() had two issues that affect IPv6 processing:
    1) it returns sc->sc_addr pointer that might become invalid after
       softc destroying.
    2) carp_output() expects carp vhid to be stored in the mtag,
       not the pointer to softc.
    
    Fix these issues. Allocate enough space in mtag to keep both vhid and
    mac address. Copy vhid first to fix issue with carp_output(), then
    copy sc_addr and return pointer to this copy. mtag will be alive
    until mbuf is used.
    This fixes problem when IPv6 packets originated from CARP IPv6 address
    use incorrect mac address due to mbuf_tag has invalid data.
    
    Reviewed by:    zlei, kp, glebius
    Obtained from:  Yandex LLC
    Sponsored by:   Yandex LLC
    Differential Revision:  https://reviews.freebsd.org/D50455
---
 sys/netinet/ip_carp.c | 27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/sys/netinet/ip_carp.c b/sys/netinet/ip_carp.c
index 0ead7149c1e2..d3d7957cf087 100644
--- a/sys/netinet/ip_carp.c
+++ b/sys/netinet/ip_carp.c
@@ -206,8 +206,6 @@ struct carpkreq {
  *
  * Known issues with locking:
  *
- * - Sending ad, we put the pointer to the softc in an mtag, and no reference
- *   counting is done on the softc.
  * - On module unload we may race (?) with packet processing thread
  *   dereferencing our function pointers.
  */
@@ -1688,6 +1686,7 @@ char *
 carp_macmatch6(struct ifnet *ifp, struct mbuf *m, const struct in6_addr *taddr)
 {
 	struct ifaddr *ifa;
+	char *mac = NULL;
 
 	NET_EPOCH_ASSERT();
 
@@ -1698,18 +1697,26 @@ carp_macmatch6(struct ifnet *ifp, struct mbuf *m, const struct in6_addr *taddr)
 			struct m_tag *mtag;
 
 			mtag = m_tag_get(PACKET_TAG_CARP,
-			    sizeof(struct carp_softc *), M_NOWAIT);
-			if (mtag == NULL)
-				/* Better a bit than nothing. */
-				return (sc->sc_addr);
+			    sizeof(sc->sc_vhid) + sizeof(sc->sc_addr),
+			    M_NOWAIT);
+			if (mtag == NULL) {
+				CARPSTATS_INC(carps_onomem);
+				break;
+			}
+			/* carp_output expects sc_vhid first. */
+			bcopy(&sc->sc_vhid, mtag + 1, sizeof(sc->sc_vhid));
+			/*
+			 * Save sc_addr into mtag data after sc_vhid to avoid
+			 * possible access to destroyed softc.
+			 */
+			mac = (char *)(mtag + 1) + sizeof(sc->sc_vhid);
+			bcopy(sc->sc_addr, mac, sizeof(sc->sc_addr));
 
-			bcopy(&sc, mtag + 1, sizeof(sc));
 			m_tag_prepend(m, mtag);
-
-			return (sc->sc_addr);
+			break;
 		}
 
-	return (NULL);
+	return (mac);
 }
 #endif /* INET6 */