Module Name: src
Committed By: maxv
Date: Sun Jun 7 15:19:05 UTC 2020
Modified Files:
src/sys/kern: uipc_socket.c
Log Message:
Fix bohr bug triggered only once by syzkaller 2,5 months ago.
In sockopt_alloc(), 'sopt' may already have been initialized with
'sopt->sopt_data = sopt->sopt_buf'. If the allocation fails, we
end up with 'sopt->sopt_data = NULL', and later try to free this
NULL pointer in sockopt_destroy().
Fix that by not modifying 'sopt_data' if the allocation failed.
Difficult to reproduce in normal times, but fault(4) makes it
easy.
Reported-by: syzbot+380cb5d518742f063...@syzkaller.appspotmail.com
To generate a diff of this commit:
cvs rdiff -u -r1.289 -r1.290 src/sys/kern/uipc_socket.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/uipc_socket.c
diff -u src/sys/kern/uipc_socket.c:1.289 src/sys/kern/uipc_socket.c:1.290
--- src/sys/kern/uipc_socket.c:1.289 Sun Apr 26 14:21:14 2020
+++ src/sys/kern/uipc_socket.c Sun Jun 7 15:19:05 2020
@@ -1,4 +1,4 @@
-/* $NetBSD: uipc_socket.c,v 1.289 2020/04/26 14:21:14 jakllsch Exp $ */
+/* $NetBSD: uipc_socket.c,v 1.290 2020/06/07 15:19:05 maxv Exp $ */
/*
* Copyright (c) 2002, 2007, 2008, 2009 The NetBSD Foundation, Inc.
@@ -71,7 +71,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uipc_socket.c,v 1.289 2020/04/26 14:21:14 jakllsch Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_socket.c,v 1.290 2020/06/07 15:19:05 maxv Exp $");
#ifdef _KERNEL_OPT
#include "opt_compat_netbsd.h"
@@ -2039,13 +2039,15 @@ sogetopt(struct socket *so, struct socko
static int
sockopt_alloc(struct sockopt *sopt, size_t len, km_flag_t kmflag)
{
+ void *data;
KASSERT(sopt->sopt_size == 0);
if (len > sizeof(sopt->sopt_buf)) {
- sopt->sopt_data = kmem_zalloc(len, kmflag);
- if (sopt->sopt_data == NULL)
+ data = kmem_zalloc(len, kmflag);
+ if (data == NULL)
return ENOMEM;
+ sopt->sopt_data = data;
} else
sopt->sopt_data = sopt->sopt_buf;
