pf: always mark states as unlinked before detaching them

Users have reported crashes in pf_test_state_udp() where at least one state key is NULL. That suggests that pf_detach_state() ran concurrently with pf_test_state_udp(). pf_test_state_udp() holds the state lock (aka the id lock), but pf_detach_state() does not. The intent is that detached states are not returned by STATE_LOOKUP/ pf_find_state(), as the state's timeout is set to PFTM_UNLINKED and thus pf_find_state() does not find the state. There are other paths to pf_detach_state() (outside of pf_unlink_state()) though, where we did not set the timeout to PFTM_UNLINKED. Fix those, and assert that the timeout is set correctly when we enter pf_detach_state(). MFC after: 1 week See also: https://redmine.pfsense.org/issues/15413 Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D45101 (cherry picked from commit 301ec2cebb)
2026-06-04 14:26:03 -04:00 · 2024-05-06 09:43:49 +02:00 · 2024-05-06 09:43:49 +02:00 · e73147fc7c
commit e73147fc7c
parent 7465f9fc06
1 changed files with 4 additions and 0 deletions
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@ -1325,6 +1325,7 @@ keyattach:
 						    sk : NULL);
 						printf("\n");
 					}
+					s->timeout = PFTM_UNLINKED;
 					PF_HASHROW_UNLOCK(ih);
 					KEYS_UNLOCK();
 					uma_zfree(V_pf_state_key_z, sk);
@ -1392,6 +1393,8 @@ pf_detach_state(struct pf_kstate *s)
 	struct pf_state_key *sks = s->key[PF_SK_STACK];
 	struct pf_keyhash *kh;

+	MPASS(s->timeout >= PFTM_MAX);
+
 	pf_sctp_multihome_detach_addr(s);

 	if (sks != NULL) {
@ -1517,6 +1520,7 @@ pf_state_insert(struct pfi_kkif *kif, struct pfi_kkif *orig_kif,
 			break;

 	if (cur != NULL) {
+		s->timeout = PFTM_UNLINKED;
 		PF_HASHROW_UNLOCK(ih);
 		if (V_pf_status.debug >= PF_DEBUG_MISC) {
 			printf("pf: state ID collision: "