# DF-0272 — `ifnet_mtx` leak via SIOCGIFGROUP / SIOCAIFGROUP / SIOCDIFGROUP / SIOCSIFDESCR

Unprivileged local DoS. One syscall from uid 1001 permanently wedges the
entire DragonFlyBSD network subsystem; reboot required.

## Build

```
cc -O2 -Wall -o poc poc.c        # or: ./build.sh
```

## Run (as unprivileged user — maxx uid 1001)

```
./poc                            # or: ./run.sh
```

## Expected on the vulnerable master DEV kernel

```
[*] lo0 real group_len=32
[+] trigger ioctl (len=33) rc=-1 errno=22 (Invalid argument)
[!] child PID <n> still alive after 6 s — DEADLOCK CONFIRMED
```

At that point `ifnet_mtx` is permanently held by the (long-returned)
triggering thread. Any subsequent network operation that needs
`ifnet_lock()` blocks forever in D-state and is unkillable:

- `ifconfig lo0` from a **fresh** SSH session hangs forever (verified —
  `timeout 4 ifconfig` cannot interrupt; the SSH session had to be torn
  down by the harness at 120 s).
- `route`, interface up/down, packet socket operations — all blocked.

Recovery: `dfbsd-qemu/vm.sh reset`.

On a **fixed** kernel (with `fix.diff` applied) the trigger still returns
EINVAL, but the lock is released and the second ioctl returns immediately
— the PoC prints `RESULT: NO_DEADLOCK` and exits cleanly.

## Mechanism (one-liner)

`ifioctl()` takes `ifnet_mtx` at sys/net/if.c:2029 and unlocks at
sys/net/if.c:2450; six `return (error)` branches inside that region skip
the unlock. `SIOCGIFGROUP` (sys/net/if.c:2403-2407) is the easiest
unprivileged path — no `caps_priv_check` at all.

See `VERDICT.md` for the full line-by-line trace and `fix.diff` for the
verified one-line-per-site fix.
