In route detach we delete `rop_timeout' while `rop' is still linked to

`rtp_list' so it could be re-added by concurrent thread. Also
timeout_del(9) doesn't wait timeout proc to be finished and
timeout_del_barrier(9) should be used for that.

So use timeout_del_barrier(9) instead of timeout_del(9) and moved it
just after refcnt_finalize(9). This fixes potential use-after-free
issue in route_detach().

ok mpi@

diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index 3f8985d..3a1cf04 100644 (file)
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: rtsock.c,v 1.312 2021/05/01 16:13:13 mvs Exp $        */
+/*     $OpenBSD: rtsock.c,v 1.313 2021/05/16 13:09:39 mvs Exp $        */
 /*     $NetBSD: rtsock.c,v 1.18 1996/03/29 00:32:10 cgd Exp $  */
 
 /*
@@ -346,9 +346,7 @@ route_detach(struct socket *so)
 
        rw_enter(&rtptable.rtp_lk, RW_WRITE);
 
-       timeout_del(&rop->rop_timeout);
        rtptable.rtp_count--;
-
        SRPL_REMOVE_LOCKED(&rtptable.rtp_rc, &rtptable.rtp_list, rop, rtpcb,
            rop_list);
        rw_exit(&rtptable.rtp_lk);
@@ -357,6 +355,7 @@ route_detach(struct socket *so)
 
        /* wait for all references to drop */
        refcnt_finalize(&rop->rop_refcnt, "rtsockrefs");
+       timeout_del_barrier(&rop->rop_timeout);
 
        solock(so);