To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 5e2bbfe387f7 - main - if_ovpn: use epoch to free peers
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
Date: Tue, 09 Dec 2025 14:19:51 +0000
Message-Id: <69383007.282ee.46025830@gitrepo.freebsd.org>

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=5e2bbfe387f7eac8f802c4b6ad2114f0e17bb5f2

commit 5e2bbfe387f7eac8f802c4b6ad2114f0e17bb5f2
Author:     Kristof Provost
AuthorDate: 2025-12-09 10:55:30 +0000
Commit:     Kristof Provost
CommitDate: 2025-12-09 14:17:48 +0000

    if_ovpn: use epoch to free peers

    Avoid a possible use-after-free in the rx path. ovpn_decrypt_rx_cb()
    calls ovpn_finish_rx() which releases the lock, but continues to use
    the peer. Ensure that the peer cannot be freed until we're sure all
    potential users have stopped using it (i.e. have left net_epoch).

    Reported by: Kevin Day
    MFC after: 1 week
    Sponsored by: Rubicon Communications, LLC ("Netgate")
--- sys/net/if_ovpn.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c index 674df4d17eb4..ae09a1ce9db8 100644 --- a/sys/net/if_ovpn.c +++ b/sys/net/if_ovpn.c @@ -161,6 +161,7 @@ struct ovpn_kpeer { struct callout ping_rcv; counter_u64_t counters[OVPN_PEER_COUNTER_SIZE]; + struct epoch_context epoch_ctx; }; struct ovpn_counters { 
@@ -568,6 +569,15 @@ ovpn_notify_float(struct ovpn_softc *sc, uint32_t peerid, return (0); } +static void +_ovpn_free_peer(struct epoch_context *ctx) { + struct ovpn_kpeer *peer = __containerof(ctx, struct ovpn_kpeer, + epoch_ctx); + + uma_zfree_pcpu(pcpu_zone_4, peer->last_active); + free(peer, M_OVPN); +} + static void ovpn_peer_release_ref(struct ovpn_kpeer *peer, bool locked) { @@ -606,8 +616,8 @@ ovpn_peer_release_ref(struct ovpn_kpeer *peer, bool locked) callout_stop(&peer->ping_send); callout_stop(&peer->ping_rcv); - uma_zfree_pcpu(pcpu_zone_4, peer->last_active); - free(peer, M_OVPN); + + NET_EPOCH_CALL(_ovpn_free_peer, &peer->epoch_ctx); if (! locked) OVPN_WUNLOCK(sc);
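
Review bot: In the hunk at @@ -568,6 +569,15 @@, the new _ovpn_free_peer() has its opening brace on the signature line ("_ovpn_free_peer(struct epoch_context *ctx) {"), whereas style(9) puts a function's opening brace on a line of its own. The function also has no comment saying that it runs as a deferred net_epoch callback; a short comment above it stating that it is only reached through NET_EPOCH_CALL(), once readers have left net_epoch, would record why the free lives here and not in ovpn_peer_release_ref().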
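
Review bot: In the hunk at @@ -606,8 +616,8 @@, the two callout_stop() calls directly above the new NET_EPOCH_CALL() can return while a handler is still executing, and both callouts (ping_send, ping_rcv) are embedded in the peer that _ovpn_free_peer() now frees later. The deferred free only protects users that are inside net_epoch, so it is worth confirming that neither callout handler can still be running or be rescheduled once the callback runs, and stating that in a comment next to the NET_EPOCH_CALL() line. The added blank line before NET_EPOCH_CALL() leaves two separators in a row after callout_stop(&peer->ping_rcv); one can go.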