Issuing FIOSETOWN and TIOCSPGRP ioctl commands on a tun(4) device leaks

device references causing a hang while trying to remove the same
interface since the reference count will never reach zero. Instead of
returning, break out of the switch in order to ensure that tun_put()
gets called.

ok deraadt@ mvs@

Reported-by: syzbot+2ca11c73711a1d0b5c6c@syzkaller.appspotmail.com

diff --git a/sys/net/if_tun.c b/sys/net/if_tun.c
index bb5e271..46a0a2d 100644 (file)
--- a/sys/net/if_tun.c
+++ b/sys/net/if_tun.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: if_tun.c,v 1.230 2021/02/20 04:39:16 dlg Exp $        */
+/*     $OpenBSD: if_tun.c,v 1.231 2021/03/09 20:05:14 anton Exp $      */
 /*     $NetBSD: if_tun.c,v 1.24 1996/05/07 02:40:48 thorpej Exp $      */
 
 /*
@@ -716,7 +716,8 @@ tun_dev_ioctl(dev_t dev, u_long cmd, void *data)
                break;
        case FIOSETOWN:
        case TIOCSPGRP:
-               return (sigio_setown(&sc->sc_sigio, cmd, data));
+               error = sigio_setown(&sc->sc_sigio, cmd, data);
+               break;
        case FIOGETOWN:
        case TIOCGPGRP:
                sigio_getown(&sc->sc_sigio, cmd, data);