From nobody Tue Aug 12 12:56:16 2025
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4c1Whw6W3Qz64jXS;
	Tue, 12 Aug 2025 12:56:16 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4c1Whw2PDgz3KW2;
	Tue, 12 Aug 2025 12:56:16 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1755003376;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=c3mNY61GmS2tbC9O5hyt4grvI0wFWT0qNWs24ELTs4w=;
	b=v3HawsqdT1qvKx32wVg903DvDzpKnL8G7LIwiy5U8QV3FmPGmOtxts1Ck6I/14dPC8uh0b
	8u3+BgYjTu0dcLS+r9BPDNOmcLgrcVBn7fRhbiP4L27usnlLRk+nwk0REJIhMaqUo6C3AJ
	H3OzOuHFbg+MVzie7ENjotm81LrnEBrYedzBrUmv0RQuS1h4WSg7NM3n0eu1AEirVvZcQN
	h4za6O8B6eJKh7kSCEHMi2i8FhQyTsMKaM9abj3nD3d79ptg9p2SKKcFSW/aLMxrJuMT6y
	KIFX11MkLak5OZVDb4V9uPUxbJufhyIS24IZhgFbB8XAJDEKv02U660tUySq0Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1755003376;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=c3mNY61GmS2tbC9O5hyt4grvI0wFWT0qNWs24ELTs4w=;
	b=g8T+cgzMsAgEaS/aHStnCX2C/iujobdm3X6LnXcYgdGNgm4VCj2PJ8tnY9x72urLvpafQB
	3GibWqLUX9Is06gGrDoJZAzPCol697gwxYdz51SA9j4uRVe3SGmSBeJ2A4lk1YxuIb/JnN
	WYPG6RMNQs9R5SlpN2b2HQPxa3Dz/EadjTOKUwU2lZI+GSLuEnDxs/XosA5CZPWsODVg7m
	wfvCv8aiLuGs6lkDDjnesX8jC3PIPVUHJ9NBDzR+J+D12zAlMGzFa659aeEHHq2OcWjJVd
	5DyjAZ910KlUEtMC+w+aP18kSxHZA+c3NWNdLUMKcpeZJ9Ch1n+P8VJYr883lA==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1755003376; a=rsa-sha256; cv=none;
	b=V5f9/ecNaK3MKevhG+dQrAw5DgfmUXoOtRWjyTJmWxLzh7P6boEebya0kQcTmX7VZV3iE/
	LaR+B/N1xNSNvnE9wo39uZUvgPmmFaspYVacSgh3MvjJNLhosOcC3klkUX1TR7M34DkyEX
	NhEoZ28uDStqfaPNIm9tKOh6oL3aT1mRdjSg9+/nF9rRL1zQfXN+Hp/5VkwPtXuWszyvqL
	ERts6qeH8lG2BYh37LbKbH/CmCi/a+PJZiyhfklzudkRCNNzQVu19fPM7jwcGvN9yHSg4Q
	PH/oCQ1FAJpOWR06wNx5SsQgk6H3G64Z8kCGmjEGyesPhrVZG/YDDwOQ702zfQ==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4c1Whw1W48zfb8;
	Tue, 12 Aug 2025 12:56:16 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 57CCuG6C088514;
	Tue, 12 Aug 2025 12:56:16 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 57CCuGER088511;
	Tue, 12 Aug 2025 12:56:16 GMT
	(envelope-from git)
Date: Tue, 12 Aug 2025 12:56:16 GMT
Message-Id: <202508121256.57CCuGER088511@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Mark Johnston <markj@FreeBSD.org>
Subject: git: 4d84cefbba2c - stable/14 - udp: Fix a inpcb refcount
  leak in the tunnel receive path
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 4d84cefbba2cad514d581d5dfaac7a2ac3ce2912
Auto-Submitted: auto-generated

The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=4d84cefbba2cad514d581d5dfaac7a2ac3ce2912

commit 4d84cefbba2cad514d581d5dfaac7a2ac3ce2912
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-07-25 13:10:24 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-08-12 12:49:43 +0000

    udp: Fix a inpcb refcount leak in the tunnel receive path
    
    When the socket has a tunneling function attached, udp_append() drops
    the inpcb lock before calling it.  To keep the inpcb alive, we bump the
    refcount.  After commit 742e7210d00b we only dropped the reference if
    the tunnel consumed the packet, but it needs to be dropped in either
    case.  if_ovpn is the only driver that can trigger this bug.
    
    Fixes:          742e7210d00b ("udp: allow udp_tun_func_t() to indicate it did not eat the packet")
    Reviewed by:    kp
    MFC after:      2 weeks
    Sponsored by:   Stormshield
    Sponsored by:   Klara, Inc.
    Differential Revision:  https://reviews.freebsd.org/D51505
    
    (cherry picked from commit e1751ef896119d7372035b1b60f18a6342bd0e3b)
---
 sys/netinet/udp_usrreq.c   | 11 ++++++++---
 sys/netinet6/udp6_usrreq.c | 11 ++++++++---
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index d65343fc9997..adf8f0afc125 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -245,7 +245,6 @@ udp_append(struct inpcb *inp, struct ip *ip, struct mbuf *n, int off,
 	struct sockaddr_in6 udp_in6;
 #endif
 	struct udpcb *up;
-	bool filtered;
 
 	INP_LOCK_ASSERT(inp);
 
@@ -254,13 +253,19 @@ udp_append(struct inpcb *inp, struct ip *ip, struct mbuf *n, int off,
 	 */
 	up = intoudpcb(inp);
 	if (up->u_tun_func != NULL) {
+		bool filtered;
+
 		in_pcbref(inp);
 		INP_RUNLOCK(inp);
 		filtered = (*up->u_tun_func)(n, off, inp, (struct sockaddr *)&udp_in[0],
 		    up->u_tun_ctx);
 		INP_RLOCK(inp);
-		if (filtered)
-			return (in_pcbrele_rlocked(inp));
+		if (in_pcbrele_rlocked(inp))
+			return (1);
+		if (filtered) {
+			INP_RUNLOCK(inp);
+			return (1);
+		}
 	}
 
 	off += sizeof(struct udphdr);
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index 8ab159b4e622..4a82315ea2f0 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -143,7 +143,6 @@ udp6_append(struct inpcb *inp, struct mbuf *n, int off,
 	struct socket *so;
 	struct mbuf *opts = NULL, *tmp_opts;
 	struct udpcb *up;
-	bool filtered;
 
 	INP_LOCK_ASSERT(inp);
 
@@ -152,13 +151,19 @@ udp6_append(struct inpcb *inp, struct mbuf *n, int off,
 	 */
 	up = intoudpcb(inp);
 	if (up->u_tun_func != NULL) {
+		bool filtered;
+
 		in_pcbref(inp);
 		INP_RUNLOCK(inp);
 		filtered = (*up->u_tun_func)(n, off, inp,
 		    (struct sockaddr *)&fromsa[0], up->u_tun_ctx);
 		INP_RLOCK(inp);
-		if (filtered)
-			return (in_pcbrele_rlocked(inp));
+		if (in_pcbrele_rlocked(inp))
+			return (1);
+		if (filtered) {
+			INP_RUNLOCK(inp);
+			return (1);
+		}
 	}
 #if defined(IPSEC) || defined(IPSEC_SUPPORT)
 	/* Check AH/ESP integrity. */