Module Name: src
Committed By: maxv
Date: Mon Feb 25 07:31:32 UTC 2019

Modified Files:
src/sys/netinet6: udp6_usrreq.c

Log Message:
Fix the order in udp6_attach: soreserve should be called before in6_pcballoc, otherwise if it fails there is still a PCB attached, and we hit a KASSERT in socreate. In !DIAGNOSTIC this would have caused a memory leak.

By the way I find the splsoftnet highly suspicious, in6_pcballoc already does that.

Triggered by SyzKaller.

Reported-by: syzbot+7bace612ca3cc3e12...@syzkaller.appspotmail.com

To generate a diff of this commit:
cvs rdiff -u -r1.146 -r1.147 src/sys/netinet6/udp6_usrreq.c

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/netinet6/udp6_usrreq.c diff -u src/sys/netinet6/udp6_usrreq.c:1.146 src/sys/netinet6/udp6_usrreq.c:1.147 --- src/sys/netinet6/udp6_usrreq.c:1.146 Mon Jan 28 12:53:01 2019 +++ src/sys/netinet6/udp6_usrreq.c Mon Feb 25 07:31:32 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: udp6_usrreq.c,v 1.146 2019/01/28 12:53:01 martin Exp $ */ +/* $NetBSD: udp6_usrreq.c,v 1.147 2019/02/25 07:31:32 maxv Exp $ */ /* $KAME: udp6_usrreq.c,v 1.86 2001/05/27 17:33:00 itojun Exp $ */ /* $KAME: udp6_output.c,v 1.43 2001/10/15 09:19:52 itojun Exp $ */ @@ -63,7 +63,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: udp6_usrreq.c,v 1.146 2019/01/28 12:53:01 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: udp6_usrreq.c,v 1.147 2019/02/25 07:31:32 maxv Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -1045,6 +1045,11 @@ udp6_attach(struct socket *so, int proto KASSERT(sotoin6pcb(so) == NULL); sosetlock(so); + error = soreserve(so, udp6_sendspace, udp6_recvspace); + if (error) { + return error; + } + /* * MAPPED_ADDR implementation spec: * Always attach for IPv6, and only when necessary for IPv4. @@ -1055,10 +1060,7 @@ udp6_attach(struct socket *so, int proto if (error) { return error; } - error = soreserve(so, udp6_sendspace, udp6_recvspace); - if (error) { - return error; - } + in6p = sotoin6pcb(so); in6p->in6p_cksum = -1; /* just to be sure */
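Review bot: in the `@@ -1045,6 +1045,11 @@` hunk the new ordering deserves a one-line comment above `error = soreserve(so, udp6_sendspace, udp6_recvspace);` saying why it must precede in6_pcballoc (a failure here must not leave a PCB attached, or socreate's KASSERT(sotoin6pcb(so) == NULL) fires and non-DIAGNOSTIC builds leak the PCB); without it, a later cleanup could reorder the calls back. The early `return error;` itself is fine: nothing has been allocated at that point and sosetlock(so) has no paired unlock in this function. Separately, the splsoftnet call the log message flags as redundant with in6_pcballoc is not touched by this hunk; rather than leaving the doubt in the commit log, a follow-up that removes the extra IPL wrapper would settle it.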
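Review bot: in the `@@ -1055,10 +1060,7 @@` hunk the removal of the second `soreserve` block is the correct half of the fix: after this change the only error return that follows a successful in6_pcballoc is gone, so there is no longer a path where the function fails with a PCB still hanging off the socket. Minor style point: the replacement is a bare `+` blank line between the in6_pcballoc error check and `in6p = sotoin6pcb(so);`; if a blank line already separated them before the removed block was introduced, this one is redundant and can be dropped.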