Hello Anton,
On Thu, Oct 22, 2020 at 08:11:41AM +0200, Anton Lindqvist wrote:
> Hi,
>
> On Wed, Oct 21, 2020 at 02:08:05AM -0600, Alexandr Nedvedicky wrote:
> > CVSROOT: /cvs
> > Module name: src
> > Changes by: sas...@cvs.openbsd.org 2020/10/21 02:08:05
> >
> > Modified files:
> > sys/net : pf_ioctl.c pf_osfp.c
> >
> > Log message:
> > - move NET_LOCK() further down in pf_ioctl.c. Also move memory allocations
> > outside of NET_LOCK()/PF_LOCK() scope in easy spots.
> >
> > OK kn@
>
> Did see the following panic that was found by syzkaller after this
> commit? Looks related.
>
> https://syzkaller.appspot.com/bug?id=69aa91faa159a435b46d162e23268acd07fc8fb3
yes, this is mine. forgotten NET_UNLOCK() in error path.
according to reproduce patch below will make syzkaller happy.
thanks for keeping syzkaller alive.
I'm going to send diff below to hackers as a confession of my
sloppiness.
regards
sashan
--------8<---------------8<---------------8<------------------8<--------
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 3a117a7d1c7..58628519216 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1783,16 +1783,17 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags,
struct proc *p)
if (state->timeout != PFTM_UNLINKED) {
if ((nr+1) * sizeof(*p) > ps->ps_len)
break;
pf_state_export(pstore, state);
error = copyout(pstore, p, sizeof(*p));
if (error) {
free(pstore, M_TEMP, sizeof(*pstore));
PF_STATE_EXIT_READ();
+ NET_UNLOCK();
goto fail;
}
p++;
nr++;
}
state = TAILQ_NEXT(state, entry_list);
}
PF_STATE_EXIT_READ();
