To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: d60082f16e4c - main - pf: avoid NULL deref on purged states
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: d60082f16e4c91d4b97d8b3b56b39fa348ecfbda
Auto-Submitted: auto-generated
Date: Wed, 18 Feb 2026 22:26:50 +0000
Message-Id: <69963caa.318ee.75b6db61@gitrepo.freebsd.org>

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=d60082f16e4c91d4b97d8b3b56b39fa348ecfbda

commit d60082f16e4c91d4b97d8b3b56b39fa348ecfbda
Author:     Kristof Provost
AuthorDate: 2026-02-18 18:23:42 +0000
Commit:     Kristof Provost
CommitDate: 2026-02-18 20:22:53 +0000

    pf: avoid NULL deref on purged states

    States can be invalidated and still be present in the state table for a
    while (until the pf_purge thread cleans them up). These states might not
    have keys set, so we must make sure a state is not purged before we try
    to access those keys.

    MFC after:      1 week
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
--- sys/netpfil/pf/pf.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index b7c79437584e..90342f045763 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c 
@@ -2226,8 +2226,10 @@ pf_find_state(struct pf_pdesc *pd, const struct pf_state_key_cmp *key, /* Look through the other list, in case of AF-TO */ idx = idx == PF_SK_WIRE ? PF_SK_STACK : PF_SK_WIRE; TAILQ_FOREACH(s, &sk->states[idx], key_list[idx]) { - if (s->key[PF_SK_WIRE]->af == s->key[PF_SK_STACK]->af) + if (s->timeout < PFTM_MAX && + s->key[PF_SK_WIRE]->af == s->key[PF_SK_STACK]->af) continue; + if (s->kif == V_pfi_all || s->kif == pd->kif || s->orig_kif == pd->kif) { PF_STATE_LOCK(s);
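
Review bot: in the AF-TO loop of pf_find_state(), the new `s->timeout < PFTM_MAX &&` guard only prevents the key dereference; it does not skip the state. When `s->timeout >= PFTM_MAX` the condition is false, the `continue` is not taken, and the purged state goes on to the `s->kif == V_pfi_all || s->kif == pd->kif || s->orig_kif == pd->kif` test and can reach `PF_STATE_LOCK(s)`. If a purged state must never be matched in this loop, a separate `if (s->timeout >= PFTM_MAX) continue;` placed ahead of the af comparison would state that directly and keep the two conditions independent. If the code after the lock already rejects such states, a short comment on the new test saying so would help, because the diff itself gives no hint that `PFTM_MAX` marks a purged state or that `s->key[]` may be unset; only the commit message explains it. The timeout is also read before `PF_STATE_LOCK(s)` is taken, so it is worth confirming that whatever lock is held around this TAILQ_FOREACH also serializes the transition to the purged timeout value.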