summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMartin Pieuchot <mpi@cvs.openbsd.org>2017-08-22 15:02:35 +0000
committerMartin Pieuchot <mpi@cvs.openbsd.org>2017-08-22 15:02:35 +0000
commit7e0072c4beaa10376f11763a114c7c20c013f6c3 (patch)
treef4173a53bfbc9382658e2f86ac8740557fcf1a03
parent33d6e799aa964c49fab45699f4f9a5cdba2a8ed7 (diff)
Prevent a race against ipsec_in_use.
Problem reported and fix tested by Hrvoje Popovski. ok bluhm@, visa@
-rw-r--r--sys/net/if.c31
-rw-r--r--sys/netinet/ip_input.c7
-rw-r--r--sys/netinet6/ip6_input.c7
3 files changed, 27 insertions, 18 deletions
diff --git a/sys/net/if.c b/sys/net/if.c
index b4b419dd845..07eeb249264 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if.c,v 1.511 2017/08/12 20:27:28 mpi Exp $ */
+/* $OpenBSD: if.c,v 1.512 2017/08/22 15:02:34 mpi Exp $ */
/* $NetBSD: if.c,v 1.35 1996/05/07 05:26:04 thorpej Exp $ */
/*
@@ -887,19 +887,6 @@ if_input_process(void *xifidx)
if (!ISSET(ifp->if_xflags, IFXF_CLONED))
add_net_randomness(ml_len(&ml));
-#ifdef IPSEC
- /*
- * IPsec is not ready to run without KERNEL_LOCK(). So all
- * the traffic on your machine is punished if you have IPsec
- * enabled.
- */
- extern int ipsec_in_use;
- if (ipsec_in_use) {
- KERNEL_LOCK();
- locked = 1;
- }
-#endif /* IPSEC */
-
/*
* We grab the NET_LOCK() before processing any packet to
* ensure there's no contention on the routing table lock.
@@ -914,6 +901,22 @@ if_input_process(void *xifidx)
*/
NET_LOCK();
s = splnet();
+
+#ifdef IPSEC
+ /*
+ * IPsec is not ready to run without KERNEL_LOCK(). So all
+ * the traffic on your machine is punished if you have IPsec
+ * enabled.
+ */
+ extern int ipsec_in_use;
+ if (ipsec_in_use) {
+ NET_UNLOCK();
+ KERNEL_LOCK();
+ NET_LOCK();
+ locked = 1;
+ }
+#endif /* IPSEC */
+
while ((m = ml_dequeue(&ml)) != NULL) {
/*
* Pass this mbuf to all input handlers of its
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 67f2f27d749..b7fd4dde46d 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.318 2017/08/11 21:24:20 mpi Exp $ */
+/* $OpenBSD: ip_input.c,v 1.319 2017/08/22 15:02:34 mpi Exp $ */
/* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
/*
@@ -1802,6 +1802,8 @@ ip_send_dispatch(void *xmq)
if (ml_empty(&ml))
return;
+ NET_LOCK();
+
#ifdef IPSEC
/*
* IPsec is not ready to run without KERNEL_LOCK(). So all
@@ -1810,12 +1812,13 @@ ip_send_dispatch(void *xmq)
*/
extern int ipsec_in_use;
if (ipsec_in_use) {
+ NET_UNLOCK();
KERNEL_LOCK();
+ NET_LOCK();
locked = 1;
}
#endif /* IPSEC */
- NET_LOCK();
while ((m = ml_dequeue(&ml)) != NULL) {
ip_output(m, NULL, NULL, 0, NULL, NULL, 0);
}
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index db87b569dc0..ade41a8a03b 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_input.c,v 1.201 2017/08/11 21:24:20 mpi Exp $ */
+/* $OpenBSD: ip6_input.c,v 1.202 2017/08/22 15:02:34 mpi Exp $ */
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
/*
@@ -1450,6 +1450,8 @@ ip6_send_dispatch(void *xmq)
if (ml_empty(&ml))
return;
+ NET_LOCK();
+
#ifdef IPSEC
/*
* IPsec is not ready to run without KERNEL_LOCK(). So all
@@ -1458,12 +1460,13 @@ ip6_send_dispatch(void *xmq)
*/
extern int ipsec_in_use;
if (ipsec_in_use) {
+ NET_UNLOCK();
KERNEL_LOCK();
+ NET_LOCK();
locked = 1;
}
#endif /* IPSEC */
- NET_LOCK();
while ((m = ml_dequeue(&ml)) != NULL) {
ip6_output(m, NULL, NULL, IPV6_MINMTU, NULL, NULL);
}