On Fri, Apr 10, 2020 at 01:30:47PM -0600, Theo de Raadt wrote:
> Why did it take almost a year to find this?
>
> Or is this bug due to ioctl(2) becoming UNLOCKED on 2020/02/22?
This is not related to ioctl(2) becoming UNLOCKED. Lower-layer ioctl code, soo_ioctl() included, locks the kernel when needed. However, most .if_ioctl backends need NET_LOCK() in addition to KERNEL_LOCK(). In most cases, that is satisfied by ifioctl(), which acquires the lock before invoking .if_ioctl(). bridge_ioctl() nullifies this by releasing NET_LOCK().
