author | Martin Pieuchot <mpi@cvs.openbsd.org> | 2017-08-22 15:02:35 +0000 |
---|---|---|
committer | Martin Pieuchot <mpi@cvs.openbsd.org> | 2017-08-22 15:02:35 +0000 |
commit | 7e0072c4beaa10376f11763a114c7c20c013f6c3 (patch) | |
tree | f4173a53bfbc9382658e2f86ac8740557fcf1a03 | |
parent | 33d6e799aa964c49fab45699f4f9a5cdba2a8ed7 (diff) |
Prevent a race against ipsec_in_use.
Problem reported and fix tested by Hrvoje Popovski.
ok bluhm@, visa@
-rw-r--r-- | sys/net/if.c | 31 | ||||
-rw-r--r-- | sys/netinet/ip_input.c | 7 | ||||
-rw-r--r-- | sys/netinet6/ip6_input.c | 7 |
3 files changed, 27 insertions, 18 deletions
diff --git a/sys/net/if.c b/sys/net/if.c
index b4b419dd845..07eeb249264 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if.c,v 1.511 2017/08/12 20:27:28 mpi Exp $ */
+/* $OpenBSD: if.c,v 1.512 2017/08/22 15:02:34 mpi Exp $ */
 /* $NetBSD: if.c,v 1.35 1996/05/07 05:26:04 thorpej Exp $ */
 
 /*
@@ -887,19 +887,6 @@ if_input_process(void *xifidx)
 if (!ISSET(ifp->if_xflags, IFXF_CLONED))
 add_net_randomness(ml_len(&ml));
 
-#ifdef IPSEC
- /*
- * IPsec is not ready to run without KERNEL_LOCK(). So all
- * the traffic on your machine is punished if you have IPsec
- * enabled.
- */
- extern int ipsec_in_use;
- if (ipsec_in_use) {
- KERNEL_LOCK();
- locked = 1;
- }
-#endif /* IPSEC */
-
 /*
 * We grab the NET_LOCK() before processing any packet to
 * ensure there's no contention on the routing table lock.
@@ -914,6 +901,22 @@ if_input_process(void *xifidx)
 */
 NET_LOCK();
 s = splnet();
+
+#ifdef IPSEC
+ /*
+ * IPsec is not ready to run without KERNEL_LOCK(). So all
+ * the traffic on your machine is punished if you have IPsec
+ * enabled.
+ */
+ extern int ipsec_in_use;
+ if (ipsec_in_use) {
+ NET_UNLOCK();
+ KERNEL_LOCK();
+ NET_LOCK();
+ locked = 1;
+ }
+#endif /* IPSEC */
+
 while ((m = ml_dequeue(&ml)) != NULL) {
 /*
 * Pass this mbuf to all input handlers of its
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 67f2f27d749..b7fd4dde46d 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.318 2017/08/11 21:24:20 mpi Exp $ */
+/* $OpenBSD: ip_input.c,v 1.319 2017/08/22 15:02:34 mpi Exp $ */
 /* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
 
 /*
@@ -1802,6 +1802,8 @@ ip_send_dispatch(void *xmq)
 if (ml_empty(&ml))
 return;
 
+ NET_LOCK();
+
 #ifdef IPSEC
 /*
 * IPsec is not ready to run without KERNEL_LOCK(). So all
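Review bot: The `#ifdef IPSEC` block added to if_input_process() (hunk `-914,6 +901,22`) releases NET_LOCK() and retakes it after KERNEL_LOCK() without saying why, and the comment it carries still only describes the performance cost. The sequence looks like a lock-order requirement (KERNEL_LOCK() before NET_LOCK()), and the read is only race-free if every writer of `ipsec_in_use` also holds NET_LOCK(), which this diff does not show; I would add a line to the comment such as `* ipsec_in_use is read under NET_LOCK(); drop it so KERNEL_LOCK() is taken first.` The same comment gap applies to the ip_send_dispatch() and ip6_send_dispatch() hunks. Unlike those two, the sequence here runs after `s = splnet();`, so the unlock and relock happen at raised IPL, which is worth confirming as intended if NET_LOCK() can sleep. The function body and the code that releases the lock when `locked` is set are outside the hunk.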
@@ -1810,12 +1812,13 @@ ip_send_dispatch(void *xmq)
 */
 extern int ipsec_in_use;
 if (ipsec_in_use) {
+ NET_UNLOCK();
 KERNEL_LOCK();
+ NET_LOCK();
 locked = 1;
 }
 #endif /* IPSEC */
 
- NET_LOCK();
 while ((m = ml_dequeue(&ml)) != NULL) {
 ip_output(m, NULL, NULL, 0, NULL, NULL, 0);
 }
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index db87b569dc0..ade41a8a03b 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_input.c,v 1.201 2017/08/11 21:24:20 mpi Exp $ */
+/* $OpenBSD: ip6_input.c,v 1.202 2017/08/22 15:02:34 mpi Exp $ */
 /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
 
 /*
@@ -1450,6 +1450,8 @@ ip6_send_dispatch(void *xmq)
 if (ml_empty(&ml))
 return;
 
+ NET_LOCK();
+
 #ifdef IPSEC
 /*
 * IPsec is not ready to run without KERNEL_LOCK(). So all
@@ -1458,12 +1460,13 @@ ip6_send_dispatch(void *xmq)
 */
 extern int ipsec_in_use;
 if (ipsec_in_use) {
+ NET_UNLOCK();
 KERNEL_LOCK();
+ NET_LOCK();
 locked = 1;
 }
 #endif /* IPSEC */
 
- NET_LOCK();
 while ((m = ml_dequeue(&ml)) != NULL) {
 ip6_output(m, NULL, NULL, IPV6_MINMTU, NULL, NULL);
 }
|