frag6_slowtimo: push NET_LOCK into frag6_freef around icmp6_error.

icmp6_error() still probably needs the NET_LOCK, as the call chain
icmp6_error -> icmp6_reflect -> rt_match -> rt_clone -> rtrequest
is possible.

The fragment discard loop in frag6_slowtimo and the other
cleanup bits in frag6_freef do not require it however.  So
push the lock down into frag6_freef around icmp6_error.

Prompted by mpi.  Discussed with bluhm and kn.  Regress test help
by bluhm.  Additional testing by kn.

ok kn@ visa@ mpi@

1 files changed, 6 insertions, 8 deletions

diff --git a/sys/netinet6/frag6.c b/sys/netinet6/frag6.c
index f3abef22fa1..38631a8159a 100644
--- a/sys/netinet6/frag6.c
+++ b/sys/netinet6/frag6.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: frag6.c,v 1.82 2018/02/01 21:11:33 bluhm Exp $	*/
+/*	$OpenBSD: frag6.c,v 1.83 2018/08/22 19:48:48 cheloha Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -540,8 +540,10 @@ frag6_freef(struct ip6q *q6)
 			ip6->ip6_src = q6->ip6q_src;
 			ip6->ip6_dst = q6->ip6q_dst;
 
+			NET_LOCK();
 			icmp6_error(m, ICMP6_TIME_EXCEEDED,
 				    ICMP6_TIME_EXCEED_REASSEMBLY, 0);
+			NET_UNLOCK();
 		} else
 			m_freem(m);
 		pool_put(&ip6af_pool, af6);
@@ -599,12 +601,8 @@ frag6_slowtimo(void)
 
 	mtx_leave(&frag6_mutex);
 
-	if (!TAILQ_EMPTY(&rmq6)) {
-		NET_LOCK();
-		while ((q6 = TAILQ_FIRST(&rmq6)) != NULL) {
-			TAILQ_REMOVE(&rmq6, q6, ip6q_queue);
-			frag6_freef(q6);
-		}
-		NET_UNLOCK();
+	while ((q6 = TAILQ_FIRST(&rmq6)) != NULL) {
+		TAILQ_REMOVE(&rmq6, q6, ip6q_queue);
+		frag6_freef(q6);
 	}
 }