To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: d19083e833d7 - stable/14 - if_ovpn: use epoch to free peers
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
Date: Wed, 17 Dec 2025 10:05:30 +0000
Message-Id: <6942806a.3e56e.3756ec27@gitrepo.freebsd.org>

The branch stable/14 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=d19083e833d73319425650de938d087b8ca9f673

commit d19083e833d73319425650de938d087b8ca9f673
Author:     Kristof Provost
AuthorDate: 2025-12-09 10:55:30 +0000
Commit:     Kristof Provost
CommitDate: 2025-12-17 10:05:15 +0000

    if_ovpn: use epoch to free peers

    Avoid a possible use-after-free in the rx path. ovpn_decrypt_rx_cb()
    calls ovpn_finish_rx() which releases the lock, but continues to use
    the peer. Ensure that the peer cannot be freed until we're sure all
    potential users have stopped using it (i.e. have left net_epoch).

    Reported by: Kevin Day
    MFC after: 1 week
    Sponsored by: Rubicon Communications, LLC ("Netgate")

    (cherry picked from commit 5e2bbfe387f7eac8f802c4b6ad2114f0e17bb5f2)

--- sys/net/if_ovpn.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c index 631b3f4dfa26..a0d34850943b 100644 --- a/sys/net/if_ovpn.c +++ b/sys/net/if_ovpn.c @@ -161,6 +161,7 @@ struct ovpn_kpeer { struct callout ping_rcv; counter_u64_t counters[OVPN_PEER_COUNTER_SIZE]; + struct epoch_context epoch_ctx; }; struct ovpn_counters { 
@@ -599,6 +600,15 @@ ovpn_notify_float(struct ovpn_softc *sc, uint32_t peerid, return (0); } +static void +_ovpn_free_peer(struct epoch_context *ctx) { + struct ovpn_kpeer *peer = __containerof(ctx, struct ovpn_kpeer, + epoch_ctx); + + uma_zfree_pcpu(pcpu_zone_4, peer->last_active); + free(peer, M_OVPN); +} + static void ovpn_peer_release_ref(struct ovpn_kpeer *peer, bool locked) { @@ -639,8 +649,8 @@ ovpn_peer_release_ref(struct ovpn_kpeer *peer, bool locked) callout_stop(&peer->ping_send); callout_stop(&peer->ping_rcv); - uma_zfree_pcpu(pcpu_zone_4, peer->last_active); - free(peer, M_OVPN); + + NET_EPOCH_CALL(_ovpn_free_peer, &peer->epoch_ctx); if (! locked) OVPN_WUNLOCK(sc);
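
Review bot: in the hunk at @@ -599,6 +600,15 @@, the line "_ovpn_free_peer(struct epoch_context *ctx) {" keeps the opening brace on the signature line, where style(9) puts a function's opening brace on a line of its own. The function also has no comment saying that it runs as a net_epoch callback, after every reader that could still hold the peer has left the epoch; one line above it would put the lifetime rule next to the code that actually releases the memory.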
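
Review bot: the NET_EPOCH_CALL(_ovpn_free_peer, &peer->epoch_ctx) added in the hunk at @@ -639,8 +649,8 @@ queues a callback that later runs free(peer, M_OVPN), but none of the three hunks adds a matching wait for queued callbacks on the interface destroy or module unload side. If that wait is not already present elsewhere in if_ovpn.c, a callback can still be pending when teardown finishes; calling NET_EPOCH_DRAIN_CALLBACKS() before teardown completes would close that window. A short comment at the call noting that the free is deferred because the rx path keeps using the peer after dropping the lock would also record why the direct free was removed.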