oding;
	bh=zqfthXCfMjzR8sRX5tJJZsuyNrAR+mE0g0GhEr9cSxE=;
	b=j3XmjoJk3gLnoTVOOdCpLNO4ZuQ1zrX/UlVkNBYxMRpAtZVaK3TnFU/mfNYweOCQMAlMW2
	EsCBmtr/wCqZlSYbIi2yMwKSAMxlFw0GQGL7Ez3Cgf7WdS7eM3shxeqKldsMiZzU1qvbV+
	r0pCCacirF7QuCuX6MxN9N/CuwbLfSrmoNLv4Xeh7bz2sXs4zALRQRurJicicDDHCQUTmE
	puZQG06OAsZRcsay7LEYz2EJgy10v9Y4i8TN8shduLDdzmIhxKMGOEPhae2dHdadapWHTb
	X3vK9whEjpTk/FSj4PUx7Dwg+7ZeEvrpVDxxYLgPUC+txqhj6RVz2xhzkMZv2w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1765965930;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=zqfthXCfMjzR8sRX5tJJZsuyNrAR+mE0g0GhEr9cSxE=;
	b=WxcJEWr3PXVkYNJcjDqcrwBcOtmFj9Mxa65NrzllKTQ/RCbpDICe4kSdla03MJEBoE48CX
	SfXYj0v5rt+X2QuXILlniJRvQXbvOuwLLp8KLSakhugXxjErOLkyE0qLF2gMQaJVTXiuZ4
	Ovx4pOdybchaE0/b2BzRDdKEG0p5deGFPgQTZwly6kL3h5O8RcOhIxKdfvrRGe8o9uIB/9
	CO2kuJvGrqzGhnvywdOh++PzHAtqdlnIU5nYT1Ct4Q6eUbrhgwG4dp43cHLbV+GXfZ441t
	yH18vcBtDHyakkmXaTN46StP8wyHG1o21GdwH4irZ1JLuwpqE9TWNYcZs7djIw==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1765965930; a=rsa-sha256; cv=none;
	b=Xubgj7/DnxwxR9mqUGyLkZfzcf1LI6hCFebGRn5ssnixcLpcEJLnE5c5RTGMFLKzxP5MBM
	MtPVZuHGCbPkRzMyxu+cQeM8C9ep4Q1VDUFUw2/lxXrDuT3DFIJ91f9dtwFxdKUjD1CbOV
	Eni2y6x9Czdh0uhbojpGrbvz6J7irNm1ggBB5HufF7oc5yLMt9lBFWkXFhamkq0annsiA9
	0ko/6jUEnj8amd8ilYGqm2RqD7h90MvavSobbtHsRtzU9jJ8OxfodxUoTcBFfXLrH0r64O
	wbUCZ6CBPRV2Vw6xJNyK4kRDkREuW5I3Ck4ik37/obVWQytNMQdZyAnS3W059g==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4dWTvG1fqBznPf
	for <dev-commits-src-all@FreeBSD.org>; Wed, 17 Dec 2025 10:05:30 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 8884
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Wed, 17 Dec 2025 10:05:30 +0000
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost <kp@FreeBSD.org>
Subject: git: 394d701c41ec - stable/15 - if_ovpn: use epoch to free peers
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: 394d701c41ec567cbb5ddaeeb5f718ea39cb9024
Auto-Submitted: auto-generated
Date: Wed, 17 Dec 2025 10:05:30 +0000
Message-Id: <6942806a.8884.73d8e741@gitrepo.freebsd.org>

The branch stable/15 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=394d701c41ec567cbb5ddaeeb5f718ea39cb9024

commit 394d701c41ec567cbb5ddaeeb5f718ea39cb9024
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-12-09 10:55:30 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-12-17 09:23:03 +0000

    if_ovpn: use epoch to free peers
    
    Avoid a possible use-after-free in the rx path.
    ovpn_decrypt_rx_cb() calls ovpn_finish_rx() which releases the lock,
    but continues to use the peer.
    Ensure that the peer cannot be freed until we're sure all potential
    users have stopped using it (i.e. have left net_epoch).
    
    Reported by:    Kevin Day <kevin@your.org>
    MFC after:      1 week
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    
    (cherry picked from commit 5e2bbfe387f7eac8f802c4b6ad2114f0e17bb5f2)
---
 sys/net/if_ovpn.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c
index 8ce3491d072e..5be05667857b 100644
--- a/sys/net/if_ovpn.c
+++ b/sys/net/if_ovpn.c
@@ -161,6 +161,7 @@ struct ovpn_kpeer {
 	struct callout		 ping_rcv;
 
 	counter_u64_t		 counters[OVPN_PEER_COUNTER_SIZE];
+	struct epoch_context	 epoch_ctx;
 };
 
 struct ovpn_counters {
@@ -568,6 +569,15 @@ ovpn_notify_float(struct ovpn_softc *sc, uint32_t peerid,
 	return (0);
 }
 
+static void
+_ovpn_free_peer(struct epoch_context *ctx) {
+	struct ovpn_kpeer *peer = __containerof(ctx, struct ovpn_kpeer,
+	    epoch_ctx);
+
+	uma_zfree_pcpu(pcpu_zone_4, peer->last_active);
+	free(peer, M_OVPN);
+}
+
 static void
 ovpn_peer_release_ref(struct ovpn_kpeer *peer, bool locked)
 {
@@ -606,8 +616,8 @@ ovpn_peer_release_ref(struct ovpn_kpeer *peer, bool locked)
 
 	callout_stop(&peer->ping_send);
 	callout_stop(&peer->ping_rcv);
-	uma_zfree_pcpu(pcpu_zone_4, peer->last_active);
-	free(peer, M_OVPN);
+
+	NET_EPOCH_CALL(_ovpn_free_peer, &peer->epoch_ctx);
 
 	if (! locked)
 		OVPN_WUNLOCK(sc);