NetBSD Problem Report #59681
From www@netbsd.org Wed Oct 1 10:56:34 2025
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
client-signature RSA-PSS (2048 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 4F0CF1A9239
for <gnats-bugs@gnats.NetBSD.org>; Wed, 1 Oct 2025 10:56:34 +0000 (UTC)
Message-Id: <20251001105633.54A361A923C@mollari.NetBSD.org>
Date: Wed, 1 Oct 2025 10:56:33 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: npf: missing locking around inpcb_lookup in uid/gid checks
X-Send-Pr-Version: www-1.0
>Number: 59681
>Category: kern
>Synopsis: npf: missing locking around inpcb_lookup in uid/gid checks
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: joe
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Oct 01 11:00:00 +0000 2025
>Closed-Date: Mon Oct 13 09:35:35 +0000 2025
>Last-Modified: Mon Oct 13 09:35:35 +0000 2025
>Originator: Taylor R Campbell
>Release: current, 11
>Organization:
The NpfBSD User Group
>Environment:
>Description:
The inpcb_lookup function is not currently MP-safe -- it
requires softnet_lock. However, the new npf uid/gid checks
call it without first taking softnet_lock.
>How-To-Repeat:
code inspection
>Fix:
1. mutex_enter/exit(softnet_lock)
2. sprinkle assertions
>Release-Note:
>Audit-Trail:
From: Taylor R Campbell <riastradh@NetBSD.org>
To: gnats-bugs@NetBSD.org, netbsd-bugs@NetBSD.org
Cc:
Subject: Re: kern/59681: npf: missing locking around inpcb_lookup in uid/gid checks
Date: Wed, 1 Oct 2025 12:04:40 +0000
Longer-term, we need to make inpcb access work under pserialize(9).
But that's a larger change that requires some care -- e.g., we really
don't want to do a pserialize_perform for every socket close, so we'll
need to queue them for batches of garbage collection of some sort.
For now, and particularly for correctness in netbsd-11, we'll just
need to take softnet_lock.
From: Emmanuel Nyarko <emmankoko519@gmail.com>
To: gnats-bugs@netbsd.org
Cc: kern-bug-people@netbsd.org,
gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org
Subject: Re: kern/59681: npf: missing locking around inpcb_lookup in uid/gid
checks
Date: Wed, 1 Oct 2025 13:45:58 +0000
Hi,
--- sys/net/npf/npf_socket.c 2 Jun 2025 13:19:27 -0000 1.3
+++ sys/net/npf/npf_socket.c 1 Oct 2025 13:29:20 -0000
@@ -92,6 +92,7 @@
KASSERT(npf_iscached(npc, NPC_IP46));
+ mutex_enter(softnet_lock);
if (npf_iscached(npc, NPC_IP4)) {
so = npf_ip_socket(npc, dir);
#if defined(INET6)
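Review bot: the lock is taken in the caller just before the npf_iscached(npc, NPC_IP4) branch, but nothing visible here makes the helper it calls, npf_ip_socket(), check that the lock is actually held. The report's fix list also asks for assertions, so consider a KASSERT(mutex_owned(softnet_lock)) at the top of the lookup helper so that any later caller that forgets the lock trips the assertion instead of racing silently.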
@@ -104,6 +105,8 @@
return -1;
*rid = get_rid(so->so_cred);
+ mutex_exit(softnet_lock);
+
return 0;
}
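Review bot: the `return -1;` context line at the top of this hunk comes after the mutex_enter(softnet_lock) added in the previous hunk and before the new mutex_exit(softnet_lock), so, assuming both hunks are in the same function (the shared `so` variable suggests they are), that error path returns with softnet_lock still held. Drop the lock before that return, or keep a single exit: record the error in a local, fall through to one mutex_exit(softnet_lock), and return the local. Reading so->so_cred before the unlock, as done here, is the right order.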
should be fine?
Emmanuel
Responsible-Changed-From-To: kern-bug-people->joe
Responsible-Changed-By: riastradh@NetBSD.org
Responsible-Changed-When: Thu, 02 Oct 2025 12:20:38 +0000
Responsible-Changed-Why:
Yes, that patch looks fine -- provided the tests still pass, of course!
State-Changed-From-To: open->analyzed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Thu, 02 Oct 2025 12:20:38 +0000
State-Changed-Why:
joe's job
From: "Emmanuel" <joe@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59681 CVS commit: src/sys/net/npf
Date: Fri, 3 Oct 2025 22:42:59 +0000
Module Name: src
Committed By: joe
Date: Fri Oct 3 22:42:59 UTC 2025
Modified Files:
src/sys/net/npf: npf_socket.c
Log Message:
hold locks in socket access in npf PR kern/59681
To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/sys/net/npf/npf_socket.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: analyzed->needs-pullups
State-Changed-By: martin@NetBSD.org
State-Changed-When: Fri, 10 Oct 2025 12:13:40 +0000
State-Changed-Why:
Fixed in HEAD, needs pullup to -11
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59681 CVS commit: [netbsd-11] src/sys/net/npf
Date: Mon, 13 Oct 2025 09:22:02 +0000
Module Name: src
Committed By: martin
Date: Mon Oct 13 09:22:02 UTC 2025
Modified Files:
src/sys/net/npf [netbsd-11]: npf_socket.c
Log Message:
Pull up following revision(s) (requested by joe in ticket #52):
sys/net/npf/npf_socket.c: revision 1.4
hold locks in socket access in npf PR kern/59681
To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.3.2.1 src/sys/net/npf/npf_socket.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: needs-pullups->closed
State-Changed-By: martin@NetBSD.org
State-Changed-When: Mon, 13 Oct 2025 09:35:35 +0000
State-Changed-Why:
pullups done
>Unformatted:
Copyright © 1994-2025
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.