From owner-svn-src-all@freebsd.org Thu Mar 19 21:38:53 2020 Return-Path: Delivered-To: svn-src-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6AC67271548; Thu, 19 Mar 2020 21:38:53 +0000 (UTC) (envelope-from markj@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 48k0f50Qxqz4m65; Thu, 19 Mar 2020 21:38:52 +0000 (UTC) (envelope-from markj@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 9D6281949E; Thu, 19 Mar 2020 21:38:52 +0000 (UTC) (envelope-from markj@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 02JLcqGE098556; Thu, 19 Mar 2020 21:38:52 GMT (envelope-from markj@FreeBSD.org) Received: (from markj@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 02JLcqsu098555; Thu, 19 Mar 2020 21:38:52 GMT (envelope-from markj@FreeBSD.org) Message-Id: <202003192138.02JLcqsu098555@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: markj set sender to markj@FreeBSD.org using -f From: Mark Johnston Date: Thu, 19 Mar 2020 21:38:52 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r359154 - head/sys/netinet6 X-SVN-Group: head X-SVN-Commit-Author: markj X-SVN-Commit-Paths: head/sys/netinet6 X-SVN-Commit-Revision: 359154 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Mar 2020 21:38:53 -0000 Author: markj Date: Thu Mar 19 21:38:52 2020 New Revision: 359154 URL: https://svnweb.freebsd.org/changeset/base/359154 Log: Fix synchronization in the IPV6_2292PKTOPTIONS set handler. The inpcb needs to be locked when we update output packet options. Otherwise it is possible for the IPV6_2292PKTOPTIONS handler to free packet option structures while another thread is reading or updating them. Note that the option handler is still kind of broken. For instance it frees all options before performing privilege checks for individual options. However, this can be fixed separately. Reported by: syzbot+52eb0fd4ddc119787f9d@syzkaller.appspotmail.com Reviewed by: bz, tuexen MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D24125 Modified: head/sys/netinet6/ip6_output.c Modified: head/sys/netinet6/ip6_output.c ============================================================================== --- head/sys/netinet6/ip6_output.c Thu Mar 19 21:05:11 2020 (r359153) +++ head/sys/netinet6/ip6_output.c Thu Mar 19 21:38:52 2020 (r359154) @@ -1694,8 +1694,10 @@ ip6_ctloutput(struct socket *so, struct sockopt *sopt) error = soopt_mcopyin(sopt, m); /* XXX */ if (error != 0) break; - error = ip6_pcbopts(&inp->in6p_outputopts, - m, so, sopt); + INP_WLOCK(inp); + error = ip6_pcbopts(&inp->in6p_outputopts, m, + so, sopt); + INP_WUNLOCK(inp); m_freem(m); /* XXX */ break; } @@ -2458,8 +2460,11 @@ ip6_pcbopts(struct ip6_pktopts **pktopt, struct mbuf * printf("ip6_pcbopts: all specified options are cleared.\n"); #endif ip6_clearpktopts(opt, -1); - } else - opt = malloc(sizeof(*opt), M_IP6OPT, M_WAITOK); + } else { + opt = malloc(sizeof(*opt), M_IP6OPT, M_NOWAIT); + if (opt == NULL) + return (ENOMEM); + } *pktopt = NULL; if (!m || m->m_len == 0) {