pfsync_state_import() must not be called with the pf state lock held,

since the actual modification of the state table is done by a call to
pf_state_insert(), which takes the pf state lock itself.  Other calls
to pfsync_state_import() also only have the pf lock.

Reported-by: syzbot+d6ea8620b43dc69ecbc6@syzkaller.appspotmail.com
ok bluhm@

diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 10ada90..ae7bb00 100644 (file)
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pf_ioctl.c,v 1.362 2021/02/09 14:06:19 patrick Exp $ */
+/*     $OpenBSD: pf_ioctl.c,v 1.363 2021/02/09 23:37:54 patrick Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -1725,9 +1725,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
                }
                NET_LOCK();
                PF_LOCK();
-               PF_STATE_ENTER_WRITE();
                error = pfsync_state_import(sp, PFSYNC_SI_IOCTL);
-               PF_STATE_EXIT_WRITE();
                PF_UNLOCK();
                NET_UNLOCK();
                break;