From 43dfcaac64e41374816cb0077c75fe7397955f8c Mon Sep 17 00:00:00 2001 From: anton Date: Tue, 9 Mar 2021 20:05:14 +0000 Subject: [PATCH] Issuing FIOSETOWN and TIOCSPGRP ioctl commands on a tun(4) device leaks device references causing a hang while trying to remove the same interface since the reference count will never reach zero. Instead of returning, break out of the switch in order to ensure that tun_put() gets called. ok deraadt@ mvs@ Reported-by: syzbot+2ca11c73711a1d0b5c6c@syzkaller.appspotmail.com --- sys/net/if_tun.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sys/net/if_tun.c b/sys/net/if_tun.c index bb5e27116bc..46a0a2d4735 100644 --- a/sys/net/if_tun.c +++ b/sys/net/if_tun.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_tun.c,v 1.230 2021/02/20 04:39:16 dlg Exp $ */ +/* $OpenBSD: if_tun.c,v 1.231 2021/03/09 20:05:14 anton Exp $ */ /* $NetBSD: if_tun.c,v 1.24 1996/05/07 02:40:48 thorpej Exp $ */ /* @@ -716,7 +716,8 @@ tun_dev_ioctl(dev_t dev, u_long cmd, void *data) break; case FIOSETOWN: case TIOCSPGRP: - return (sigio_setown(&sc->sc_sigio, cmd, data)); + error = sigio_setown(&sc->sc_sigio, cmd, data); + break; case FIOGETOWN: case TIOCGPGRP: sigio_getown(&sc->sc_sigio, cmd, data); -- 2.20.1