From 7e7985c9c7b4d6568edebff7a2811e3e39f36ba6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Tue, 4 Apr 2023 08:17:45 +0000
Subject: [PATCH 1/2] Attach catzs to catz instead of doing this explicitly
Instead of explicitly adding a reference to catzs (catalog zones) when calling the update callback, attach the catzs to the catz (catalog zone) object to keep it referenced for the whole time the catz exists.
(cherry picked from commit 2ded876db257d93007ee68fe7a6e0511f0312a72)
---
 lib/dns/catz.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/lib/dns/catz.c b/lib/dns/catz.c
index 64d5f08027..f2c35f7612 100644
--- a/lib/dns/catz.c
+++ b/lib/dns/catz.c
@@ -831,8 +831,7 @@ dns_catz_new_zone(dns_catz_zones_t *catzs, dns_catz_zone_t **catzp,
 REQUIRE(ISC_MAGIC_VALID(name, DNS_NAME_MAGIC));
 catz = isc_mem_get(catzs->mctx, sizeof(*catz));
- *catz = (dns_catz_zone_t){ .catzs = catzs,
- .active = true,
+ *catz = (dns_catz_zone_t){ .active = true,
 .version = DNS_CATZ_VERSION_UNDEFINED,
 .magic = DNS_CATZ_ZONE_MAGIC };
@@ -843,6 +842,7 @@ dns_catz_new_zone(dns_catz_zones_t *catzs, dns_catz_zone_t **catzp,
 goto cleanup_timer;
 }
+ dns_catz_zones_attach(catzs, &catz->catzs);
 isc_mutex_init(&catz->lock);
 isc_refcount_init(&catz->references, 1);
 isc_ht_init(&catz->entries, catzs->mctx, 4, ISC_HT_CASE_SENSITIVE);
@@ -1007,7 +1007,7 @@ dns__catz_zone_destroy(dns_catz_zone_t *catz) {
 dns_catz_options_free(&catz->defoptions, mctx);
 dns_catz_options_free(&catz->zoneoptions, mctx);
- catz->catzs = NULL;
+ dns_catz_zones_detach(&catz->catzs);
 isc_refcount_destroy(&catz->references);
 isc_mem_put(mctx, catz, sizeof(*catz));
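Review bot: In the second dns_catz_new_zone hunk, `catz->catzs` is NULL from the compound-literal initializer until `dns_catz_zones_attach(catzs, &catz->catzs)` runs, and that call sits after the `goto cleanup_timer` failure path. Attaching late keeps the error path free of a matching detach, but it means nothing between the initializer and the attach may read `catz->catzs`. The statement that can jump to `cleanup_timer` is outside the hunk, so this could not be confirmed from here. A comment above the attach would record the invariant, for example `/* catz holds a reference on catzs until dns__catz_zone_destroy(); catz->catzs is NULL before this point */`.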
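Review bot: In the dns__catz_zone_destroy hunk, `dns_catz_zones_detach(&catz->catzs)` may now drop the last reference to catzs, yet `mctx` is still used by `isc_mem_put(mctx, catz, sizeof(*catz))` a few lines later. The declaration of `mctx` is outside the hunk; if it is a pointer borrowed from `catz->catzs` rather than an attached reference, that final put could touch a memory context the catzs teardown has already released. Releasing catzs last removes the dependency: save `dns_catz_zones_t *catzs = catz->catzs;` before the frees, then call `isc_mem_put(mctx, catz, sizeof(*catz));` followed by `dns_catz_zones_detach(&catzs);`. If the existing order is kept, a comment stating what keeps `mctx` alive across the detach would help the next reader.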
@@ -2113,7 +2113,6 @@ dns__catz_timer_cb(isc_task_t *task, isc_event_t *event) {
 isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_MASTER,
 ISC_LOG_INFO, "catz: %s: reload start", domain);
- dns_catz_ref_catzs(catz->catzs);
 dns_catz_ref_catz(catz);
 isc_nm_work_offload(isc_task_getnetmgr(catz->catzs->updater),
 dns__catz_update_cb, dns__catz_done_cb, catz);
@@ -2594,7 +2593,6 @@ done:
 isc_result_totext(result));
 dns_catz_unref_catz(catz);
- dns_catz_unref_catzs(catz->catzs);
 }
 void
From f2d5f9d8f1821aa01d7ad35c3d0d10d80772ba78 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Tue, 4 Apr 2023 08:24:15 +0000
Subject: [PATCH 2/2] Add a CHANGES note for [GL #3997]
(cherry picked from commit 4a0bd69056966eb56f7b2a613ddf90ee1343dc4e)
---
 CHANGES | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGES b/CHANGES
index 20241e39f5..cc153cb29d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+6145. [bug] Fix a possible use-after-free bug in the
+ dns__catz_done_cb() function. [GL #3997]
+
 6143. [bug] A reference counting problem on the error path in the xfrin_connect_done() might cause an assertion failure on shutdown. [GL #3989]