From nobody Wed Sep 24 11:45:18 2025
X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4cWw5C1qHlz67jG6;
	Wed, 24 Sep 2025 11:45:19 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4cWw5C0mMWz3LDN;
	Wed, 24 Sep 2025 11:45:19 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1758714319;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=MNmwn0b+PM2unzXqAnI/hIBGdJUYpj2trZq9PUkcUAw=;
	b=OPsiq6Qty9QddxKc5oe8fxAY114PJB0JX6hR/wSDaHDPhoeIUVUQ5n3DWpedWWDE2mn/Zn
	zl2cE/ivAdTzfDHCpVn/NBEcpMtLXsez5UmbS+KHdtFxGxnRNJLKFbjuIxAw7na0gfXaO8
	5BgD9cMOLtAOr9TQzUOz7Mv39dqh/ddyGSOxP0lfwwv5GX4GpHKKlzR5f62XOEgPx9UrIn
	CLP+EBqDCrt3yB1+yfJgdvCAzczwwAmu9ItR2McwONlh4k/IX/dyjKuiWI3Bm6gPSqquRw
	fo535XLDLAiBsdtcJKNABrakVuGFJFMnYNinKsl58eziMBhbBh9+pnKSUj+tRA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1758714319;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=MNmwn0b+PM2unzXqAnI/hIBGdJUYpj2trZq9PUkcUAw=;
	b=pjFQzHTvB89TSIeBkL1r5ex56RFm51QTNSBqJj2qGPg7CqrqNV1ahYV9Oxj3OCGPS3VMUf
	IcE6KiuagbgzBrbqu4Wz+5HlikDAezIj8fo7/NnLoa2G2NFgD6EDS9NEsn1PS96NC7Ihq3
	Rc9SC69aqtbEmiXs1rerehZaE/lzTm13RCy4RkT9A9YZ/gn7hxFwFObgijgaFaZKhEPhBz
	mSRkvvDJuV6m83MropqvIopTsQPFoJf3LFxllPrJEcLsaYt++6KdqupgLVfadWruNXPIK6
	r6t7AX6nPydzoUzAGdJHDp8D49nXnR/CWo1Sx+6ktKV77TfpVUhk3Iw0R6ObCg==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1758714319; a=rsa-sha256; cv=none;
	b=aeip8uEmOd4cyryZXQZFXWIXrSvzRwqNK1f4yavZapXbGS8Seo47IIkL7qIxTIcCHzlNyn
	giBogS32vLs7zcTW5iYFzDCXEDySBQFVsnhj/NcpN2L9vJnc3n5lcF1+DWWF05BoJVeguF
	wauTRE6RoPDLxDryTeKLvG50wxjnLcv0w0q2WuyRmvDUmyrYqSIe+g+fJUslSUrZVpZJB+
	yeKDjQYh1XHiwX7UdL7PUcQbUom2FtAefhpWdT6wboOST5zFWK5yvq2WmOVkviWQBHN8Hs
	d5+dm+Rwudj+D5036y/lf5urWynxbPGu6k7kFrg0jHu8a8TRXrPaJxLF8TntcQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4cWw5C084QzVb7;
	Wed, 24 Sep 2025 11:45:19 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 58OBjIug083117;
	Wed, 24 Sep 2025 11:45:18 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 58OBjIjF083114;
	Wed, 24 Sep 2025 11:45:18 GMT
	(envelope-from git)
Date: Wed, 24 Sep 2025 11:45:18 GMT
Message-Id: <202509241145.58OBjIjF083114@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-main@FreeBSD.org
From: Kristof Provost <kp@FreeBSD.org>
Subject: git: dc0cf0648c8d - main - pf: check if a group has a kif
  before dereferencing it
List-Id: Commit messages for the main branch of the src repository <dev-commits-src-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help: <mailto:dev-commits-src-main+help@freebsd.org>
List-Post: <mailto:dev-commits-src-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-main+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: dc0cf0648c8d28ab4914c798a4cff8256ae94ee5
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=dc0cf0648c8d28ab4914c798a4cff8256ae94ee5

commit dc0cf0648c8d28ab4914c798a4cff8256ae94ee5
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-09-02 08:46:26 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-09-24 11:44:54 +0000

    pf: check if a group has a kif before dereferencing it
    
    It's possible for interface groups to not have had a pfi_kkif assigned to
    them, so before we pass that pointer to pfi_kkif_update() we must check if it's
    actually set.
    
    We've seen panics such as this, where we get an address update for an interface
    that belongs to a group without associated pfi_kkif:
    
            Tracing pid 12 tid 100034 td 0xfffff80100d2a000
            kdb_enter() at kdb_enter+0x33/frame 0xfffffe0067eed340
            panic() at panic+0x43/frame 0xfffffe0067eed3a0
            trap_pfault() at trap_pfault+0x3c9/frame 0xfffffe0067eed3f0
            calltrap() at calltrap+0x8/frame 0xfffffe0067eed3f0
            --- trap 0xc, rip = 0xffffffff8102ebd5, rsp = 0xfffffe0067eed4c0, rbp = 0xfffffe0067eed500 ---
            pfi_kkif_update() at pfi_kkif_update+0x15/frame 0xfffffe0067eed500
            pfi_kkif_update() at pfi_kkif_update+0x1fc/frame 0xfffffe0067eed550
            pfi_ifaddr_event() at pfi_ifaddr_event+0x82/frame 0xfffffe0067eed5a0
            srcaddr_change_event() at srcaddr_change_event+0xa7/frame 0xfffffe0067eed610
            in6_update_ifa() at in6_update_ifa+0xd52/frame 0xfffffe0067eed790
            in6_ifadd() at in6_ifadd+0x29a/frame 0xfffffe0067eed8b0
            nd6_ra_input() at nd6_ra_input+0xf65/frame 0xfffffe0067eeda90
            icmp6_input() at icmp6_input+0x3c8/frame 0xfffffe0067eedc10
            ip6_input() at ip6_input+0xa15/frame 0xfffffe0067eedcf0
            sppp_input() at sppp_input+0x502/frame 0xfffffe0067eedd80
            pppoe_data_input() at pppoe_data_input+0x1e7/frame 0xfffffe0067eeddf0
            swi_net() at swi_net+0x128/frame 0xfffffe0067eede60
            ithread_loop() at ithread_loop+0x239/frame 0xfffffe0067eedef0
            fork_exit() at fork_exit+0x7b/frame 0xfffffe0067eedf30
            fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0067eedf30
    
    Note that pf doesn't assign pfi_kkif objects to groups created before pf has
    fully started (see V_pf_vnet_active check in pfi_attach_group_event()), which is
    one possible way for this to happen.
    
    Reported by:    garga
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf_if.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sys/netpfil/pf/pf_if.c b/sys/netpfil/pf/pf_if.c
index e2200c15c704..f3be036ef745 100644
--- a/sys/netpfil/pf/pf_if.c
+++ b/sys/netpfil/pf/pf_if.c
@@ -655,8 +655,10 @@ pfi_kkif_update(struct pfi_kkif *kif)
 	/* again for all groups kif is member of */
 	if (kif->pfik_ifp != NULL) {
 		CK_STAILQ_FOREACH(ifgl, &kif->pfik_ifp->if_groups, ifgl_next)
-			pfi_kkif_update((struct pfi_kkif *)
-			    ifgl->ifgl_group->ifg_pf_kif);
+			if (ifgl->ifgl_group->ifg_pf_kif) {
+				pfi_kkif_update((struct pfi_kkif *)
+				    ifgl->ifgl_group->ifg_pf_kif);
+			}
 	}
 }