path: root/sys/arch/amd64
author: David Gwynne <dlg@cvs.openbsd.org> 2024-11-17 12:21:49 +0000
committer: David Gwynne <dlg@cvs.openbsd.org> 2024-11-17 12:21:49 +0000
commit: 4ecbbc09b86badfd4a091455e0cfb5d77d931c4b
tree: c64dba9695caa935c201672f52501448e4f64ba4 /sys/arch/amd64
parent: b35763eebd3158c664a4430599eff4543aa370de
make sure bpfsdetach is holding a bpf_d ref when invalidating stuff.

when bpfsdetach is called by an interface being destroyed, it iterates over the bpf descriptors using the interface and calls vdevgone and klist_invalidate against them. however, i'm not sure the reference the interface holds against the bpf_d is accounted for properly, so vdevgone might drop it to 0 and free it, which makes the klist_invalidate a use after free.

avoid this by taking a bpf_d ref before calling vdevgone and klist_invalidate so the memory can't be freed out from under the feet of bpfsdetach.

Reported-by: syzbot+b3927f8ad162452a2f39@syzkaller.appspotmail.com

i wasn't able to reproduce whatever syzkaller did. it's possible this is a double free, but we'll wait and see if it pops up again.

ok mpi@
Diffstat (limited to 'sys/arch/amd64')
0 files changed, 0 insertions, 0 deletions
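The commit message describes a lifetime pattern rather than a specific code change (no hunk is shown for this path). As an added illustration, not OpenBSD code and not the project's own API, the model below reproduces the ordering problem the message describes: a detach routine drops the interface's reference to a descriptor and then keeps using the descriptor. All names (`struct desc`, `model_vdevgone`, `model_klist_invalidate`, `detach_unsafe`, `detach_safe`) are hypothetical stand-ins for `struct bpf_d`, `vdevgone()` and `klist_invalidate()`; the assumption that the interface holds exactly one reference that `vdevgone()` drops is also a modelling choice, since the commit message says that accounting is uncertain. Instead of calling `free()`, the model sets a `freed` flag so a stale use can be detected deterministically rather than being undefined behaviour.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a bpf descriptor; not OpenBSD's struct bpf_d. */
struct desc {
    int refs;               /* reference count */
    int freed;              /* set instead of free() so stale use is detectable */
    int klist_invalidated;  /* records that invalidation ran on a live object */
};

static void desc_ref(struct desc *d)
{
    assert(!d->freed);      /* taking a ref on freed memory is already a bug */
    d->refs++;
}

static void desc_rele(struct desc *d)
{
    assert(!d->freed);      /* a release after free would be a double free */
    if (--d->refs == 0)
        d->freed = 1;       /* the real kernel would free the memory here */
}

/* Stands in for vdevgone(): modelled as dropping the interface's reference. */
static void model_vdevgone(struct desc *d)
{
    desc_rele(d);
}

/* Stands in for klist_invalidate(): 0 on success, -1 if it touched a freed
 * descriptor, i.e. the use after free the commit message describes. */
static int model_klist_invalidate(struct desc *d)
{
    if (d->freed)
        return -1;
    d->klist_invalidated = 1;
    return 0;
}

/* Descriptor whose only reference is the one the interface holds (assumption). */
void desc_init_interface_only(struct desc *d)
{
    memset(d, 0, sizeof *d);
    d->refs = 1;
}

/* Detach as described before the fix: no ref held across vdevgone. */
int detach_unsafe(struct desc *d)
{
    model_vdevgone(d);
    return model_klist_invalidate(d);
}

/* Detach as described by the fix: hold a ref across both calls, drop it last. */
int detach_safe(struct desc *d)
{
    int rv;

    desc_ref(d);
    model_vdevgone(d);
    rv = model_klist_invalidate(d);
    desc_rele(d);           /* final release frees, now that nothing uses d */
    return rv;
}

int main(void)
{
    struct desc a, b;

    desc_init_interface_only(&a);
    printf("unsafe detach: %s\n",
        detach_unsafe(&a) == -1 ? "use after free" : "ok");

    desc_init_interface_only(&b);
    printf("safe detach: %s (refs=%d freed=%d)\n",
        detach_safe(&b) == 0 ? "ok" : "use after free", b.refs, b.freed);
    return 0;
}
```

The point the model makes is about ordering, not about the count itself: whatever the interface's own reference is worth, holding an extra reference for the duration of the detach guarantees the descriptor outlives every call that dereferences it, and the memory is released only at the final `desc_rele()`.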