Set `if_snd' queue maximum length to 1. This enforces calls of

pppx_if_qstart() and pppac_qstart() with netlock held. Otherwise we can't
be sure about netlock status while performing these handlers.

Problem reported by Glen Faustino.

ok yasuoka@

1 files changed, 7 insertions, 5 deletions

diff --git a/sys/net/if_pppx.c b/sys/net/if_pppx.c
index cdd784e4e3a..1a52581c3f6 100644
--- a/sys/net/if_pppx.c
+++ b/sys/net/if_pppx.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_pppx.c,v 1.104 2020/08/30 19:48:16 mvs Exp $ */
+/*	$OpenBSD: if_pppx.c,v 1.105 2020/09/20 12:27:40 mvs Exp $ */
 
 /*
  * Copyright (c) 2010 Claudio Jeker <claudio@openbsd.org>
@@ -658,6 +658,8 @@ pppx_add_session(struct pppx_dev *pxd, struct pipex_session_req *req)
 	ifp->if_softc = pxi;
 	/* ifp->if_rdomain = req->pr_rdomain; */
 	if_counters_alloc(ifp);
+	/* XXXSMP: be sure pppx_if_qstart() called with NET_LOCK held */
+	ifq_set_maxlen(&ifp->if_snd, 1);
 
 	/* XXXSMP breaks atomicity */
 	NET_UNLOCK();
@@ -799,14 +801,13 @@ pppx_if_qstart(struct ifqueue *ifq)
 	struct mbuf *m;
 	int proto;
 
-	NET_LOCK();
+	NET_ASSERT_LOCKED();
 	while ((m = ifq_dequeue(ifq)) != NULL) {
 		proto = *mtod(m, int *);
 		m_adj(m, sizeof(proto));
 
 		pipex_ppp_output(m, pxi->pxi_session, proto);
 	}
-	NET_UNLOCK();
 }
 
 int
@@ -1043,6 +1044,8 @@ pppacopen(dev_t dev, int flags, int mode, struct proc *p)
 	ifp->if_output = pppac_output;
 	ifp->if_qstart = pppac_qstart;
 	ifp->if_ioctl = pppac_ioctl;
+	/* XXXSMP: be sure pppac_qstart() called with NET_LOCK held */
+	ifq_set_maxlen(&ifp->if_snd, 1);
 
 	if_counters_alloc(ifp);
 	if_attach(ifp);
@@ -1438,7 +1441,7 @@ pppac_qstart(struct ifqueue *ifq)
 	struct ip ip;
 	int rv;
 
-	NET_LOCK();
+	NET_ASSERT_LOCKED();
 	while ((m = ifq_dequeue(ifq)) != NULL) {
 #if NBPFILTER > 0
 		if (ifp->if_bpf) {
@@ -1487,7 +1490,6 @@ bad:
 			m_freem(m);
 		continue;
 	}
-	NET_UNLOCK();
 
 	if (!mq_empty(&sc->sc_mq)) {
 		wakeup(sc);