Module Name: src
Committed By: ozaki-r
Date: Fri Jul 14 12:26:26 UTC 2017
Modified Files:
src/sys/netipsec: ipsec.h ipsec_output.c key.c key.h xform.h xform_ah.c
xform_esp.c xform_ipcomp.c xform_ipip.c xform_tcp.c
Log Message:
Prepare to stop using isr->sav
isr is a shared resource and using isr->sav as a temporal storage
for each packet processing is racy. And also having a reference from
isr to sav makes the lifetime of sav non-deterministic; such a reference
is removed when a packet is processed and isr->sav is overwritten by
new one. Let's have a sav locally for each packet processing instead of
using shared isr->sav.
However this change doesn't stop using isr->sav yet because there are
some users of isr->sav. isr->sav will be removed after the users find
a way to not use isr->sav.
To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 src/sys/netipsec/ipsec.h
cvs rdiff -u -r1.53 -r1.54 src/sys/netipsec/ipsec_output.c
cvs rdiff -u -r1.183 -r1.184 src/sys/netipsec/key.c
cvs rdiff -u -r1.22 -r1.23 src/sys/netipsec/key.h
cvs rdiff -u -r1.10 -r1.11 src/sys/netipsec/xform.h
cvs rdiff -u -r1.60 -r1.61 src/sys/netipsec/xform_ah.c
cvs rdiff -u -r1.61 -r1.62 src/sys/netipsec/xform_esp.c
cvs rdiff -u -r1.42 -r1.43 src/sys/netipsec/xform_ipcomp.c
cvs rdiff -u -r1.52 -r1.53 src/sys/netipsec/xform_ipip.c
cvs rdiff -u -r1.14 -r1.15 src/sys/netipsec/xform_tcp.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/netipsec/ipsec.h
diff -u src/sys/netipsec/ipsec.h:1.51 src/sys/netipsec/ipsec.h:1.52
--- src/sys/netipsec/ipsec.h:1.51 Wed Jul 5 03:44:59 2017
+++ src/sys/netipsec/ipsec.h Fri Jul 14 12:26:26 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.h,v 1.51 2017/07/05 03:44:59 ozaki-r Exp $ */
+/* $NetBSD: ipsec.h,v 1.52 2017/07/14 12:26:26 ozaki-r Exp $ */
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
@@ -341,7 +341,7 @@ void ipsec4_common_input(struct mbuf *m,
int ipsec4_common_input_cb(struct mbuf *, struct secasvar *,
int, int);
int ipsec4_process_packet(struct mbuf *, struct ipsecrequest *);
-int ipsec_process_done (struct mbuf *, struct ipsecrequest *);
+int ipsec_process_done(struct mbuf *, struct ipsecrequest *, struct secasvar *);
#define ipsec_indone(m) \
(m_tag_find((m), PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
Index: src/sys/netipsec/ipsec_output.c
diff -u src/sys/netipsec/ipsec_output.c:1.53 src/sys/netipsec/ipsec_output.c:1.54
--- src/sys/netipsec/ipsec_output.c:1.53 Thu Jul 13 01:48:52 2017
+++ src/sys/netipsec/ipsec_output.c Fri Jul 14 12:26:26 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_output.c,v 1.53 2017/07/13 01:48:52 ozaki-r Exp $ */
+/* $NetBSD: ipsec_output.c,v 1.54 2017/07/14 12:26:26 ozaki-r Exp $ */
/*-
* Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.53 2017/07/13 01:48:52 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.54 2017/07/14 12:26:26 ozaki-r Exp $");
/*
* IPsec output processing.
@@ -142,9 +142,9 @@ ipsec_reinject_ipstack(struct mbuf *m, i
}
int
-ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
+ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr,
+ struct secasvar *sav)
{
- struct secasvar *sav;
struct secasindex *saidx;
int error;
#ifdef INET
@@ -162,7 +162,6 @@ ipsec_process_done(struct mbuf *m, struc
KASSERT(m != NULL);
KASSERT(isr != NULL);
- sav = isr->sav;
KASSERT(sav != NULL);
saidx = &sav->sah->saidx;
@@ -293,7 +292,8 @@ ipsec_nextisr(
struct mbuf *m,
struct ipsecrequest *isr,
int af,
- int *error
+ int *error,
+ struct secasvar **ret
)
{
#define IPSEC_OSTAT(type) \
@@ -311,7 +311,7 @@ do { \
} \
} while (/*CONSTCOND*/0)
- struct secasvar *sav;
+ struct secasvar *sav = NULL;
struct secasindex *saidx;
IPSEC_SPLASSERT_SOFTNET("ipsec_nextisr");
@@ -380,7 +380,7 @@ again:
/*
* Lookup SA and validate it.
*/
- *error = key_checkrequest(isr);
+ *error = key_checkrequest(isr, &sav);
if (*error != 0) {
/*
* IPsec processing is required, but no SA found.
@@ -392,7 +392,6 @@ again:
IPSEC_STATINC(IPSEC_STAT_OUT_NOSA);
goto bad;
}
- sav = isr->sav;
/* sav may be NULL here if we have an USE rule */
if (sav == NULL) {
KASSERTMSG(ipsec_get_reqlevel(isr) == IPSEC_LEVEL_USE,
@@ -404,6 +403,7 @@ again:
* It can happen when the last rules are USE rules
* */
if (isr == NULL) {
+ *ret = NULL;
*error = 0;
return isr;
}
@@ -420,6 +420,7 @@ again:
" to policy (check your sysctls)\n");
IPSEC_OSTAT(PDROPS);
*error = EHOSTUNREACH;
+ KEY_FREESAV(&sav);
goto bad;
}
@@ -428,6 +429,7 @@ again:
* before they invoke the xform output method.
*/
KASSERT(sav->tdb_xform != NULL);
+ *ret = sav;
return isr;
bad:
KASSERTMSG(*error != 0, "error return w/ no error code");
@@ -442,7 +444,7 @@ bad:
int
ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
{
- struct secasvar *sav;
+ struct secasvar *sav = NULL;
struct ip *ip;
int s, error, i, off;
union sockaddr_union *dst;
@@ -453,7 +455,7 @@ ipsec4_process_packet(struct mbuf *m, st
s = splsoftnet(); /* insure SA contents don't change */
- isr = ipsec_nextisr(m, isr, AF_INET, &error);
+ isr = ipsec_nextisr(m, isr, AF_INET, &error, &sav);
if (isr == NULL) {
if (error != 0) {
goto bad;
@@ -466,7 +468,7 @@ ipsec4_process_packet(struct mbuf *m, st
}
}
- sav = isr->sav;
+ KASSERT(sav != NULL);
dst = &sav->sah->saidx.dst;
/*
@@ -476,7 +478,7 @@ ipsec4_process_packet(struct mbuf *m, st
if (m->m_len < sizeof (struct ip) &&
(m = m_pullup(m, sizeof (struct ip))) == NULL) {
error = ENOBUFS;
- goto bad;
+ goto unrefsav;
}
ip = mtod(m, struct ip *);
/* Honor system-wide control of how to handle IP_DF */
@@ -511,7 +513,7 @@ ipsec4_process_packet(struct mbuf *m, st
if (m->m_len < sizeof (struct ip) &&
(m = m_pullup(m, sizeof (struct ip))) == NULL) {
error = ENOBUFS;
- goto bad;
+ goto unrefsav;
}
ip = mtod(m, struct ip *);
ip->ip_len = htons(m->m_pkthdr.len);
@@ -519,7 +521,7 @@ ipsec4_process_packet(struct mbuf *m, st
ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
/* Encapsulate the packet */
- error = ipip_output(m, isr, &mp, 0, 0);
+ error = ipip_output(m, isr, sav, &mp, 0, 0);
if (mp == NULL && !error) {
/* Should never happen. */
IPSECLOG(LOG_DEBUG,
@@ -532,7 +534,7 @@ ipsec4_process_packet(struct mbuf *m, st
m_freem(mp);
}
m = NULL; /* ipip_output() already freed it */
- goto bad;
+ goto unrefsav;
}
m = mp, mp = NULL;
/*
@@ -546,7 +548,7 @@ ipsec4_process_packet(struct mbuf *m, st
if (m->m_len < sizeof (struct ip) &&
(m = m_pullup(m, sizeof (struct ip))) == NULL) {
error = ENOBUFS;
- goto bad;
+ goto unrefsav;
}
ip = mtod(m, struct ip *);
ip->ip_off |= htons(IP_DF);
@@ -572,12 +574,15 @@ ipsec4_process_packet(struct mbuf *m, st
i = sizeof(struct ip6_hdr);
off = offsetof(struct ip6_hdr, ip6_nxt);
}
- error = (*sav->tdb_xform->xf_output)(m, isr, NULL, i, off);
+ error = (*sav->tdb_xform->xf_output)(m, isr, sav, NULL, i, off);
} else {
- error = ipsec_process_done(m, isr);
+ error = ipsec_process_done(m, isr, sav);
}
+ KEY_FREESAV(&sav);
splx(s);
return error;
+unrefsav:
+ KEY_FREESAV(&sav);
bad:
splx(s);
if (m)
@@ -673,7 +678,7 @@ ipsec6_process_packet(
struct ipsecrequest *isr
)
{
- struct secasvar *sav;
+ struct secasvar *sav = NULL;
struct ip6_hdr *ip6;
int s, error, i, off;
union sockaddr_union *dst;
@@ -683,7 +688,7 @@ ipsec6_process_packet(
s = splsoftnet(); /* insure SA contents don't change */
- isr = ipsec_nextisr(m, isr, AF_INET6, &error);
+ isr = ipsec_nextisr(m, isr, AF_INET6, &error, &sav);
if (isr == NULL) {
if (error != 0) {
/* XXX Should we send a notification ? */
@@ -697,7 +702,7 @@ ipsec6_process_packet(
}
}
- sav = isr->sav;
+ KASSERT(sav != NULL);
dst = &sav->sah->saidx.dst;
ip6 = mtod(m, struct ip6_hdr *); /* XXX */
@@ -715,21 +720,21 @@ ipsec6_process_packet(
if (m->m_len < sizeof(struct ip6_hdr)) {
if ((m = m_pullup(m,sizeof(struct ip6_hdr))) == NULL) {
error = ENOBUFS;
- goto bad;
+ goto unrefsav;
}
}
if (m->m_pkthdr.len - sizeof(*ip6) > IPV6_MAXPACKET) {
/* No jumbogram support. */
error = ENXIO; /*XXX*/
- goto bad;
+ goto unrefsav;
}
ip6 = mtod(m, struct ip6_hdr *);
ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6));
/* Encapsulate the packet */
- error = ipip_output(m, isr, &mp, 0, 0);
+ error = ipip_output(m, isr, sav, &mp, 0, 0);
if (mp == NULL && !error) {
/* Should never happen. */
IPSECLOG(LOG_DEBUG,
@@ -743,7 +748,7 @@ ipsec6_process_packet(
m_freem(mp);
}
m = NULL; /* ipip_output() already freed it */
- goto bad;
+ goto unrefsav;
}
m = mp;
@@ -758,9 +763,12 @@ ipsec6_process_packet(
} else {
compute_ipsec_pos(m, &i, &off);
}
- error = (*sav->tdb_xform->xf_output)(m, isr, NULL, i, off);
+ error = (*sav->tdb_xform->xf_output)(m, isr, sav, NULL, i, off);
+ KEY_FREESAV(&sav);
splx(s);
return error;
+unrefsav:
+ KEY_FREESAV(&sav);
bad:
splx(s);
if (m)
Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.183 src/sys/netipsec/key.c:1.184
--- src/sys/netipsec/key.c:1.183 Fri Jul 14 01:30:08 2017
+++ src/sys/netipsec/key.c Fri Jul 14 12:26:26 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: key.c,v 1.183 2017/07/14 01:30:08 ozaki-r Exp $ */
+/* $NetBSD: key.c,v 1.184 2017/07/14 12:26:26 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.183 2017/07/14 01:30:08 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.184 2017/07/14 12:26:26 ozaki-r Exp $");
/*
* This code is referd to RFC 2367
@@ -837,7 +837,7 @@ done:
* ENOENT: policy may be valid, but SA with REQUIRE is on acquiring.
*/
int
-key_checkrequest(struct ipsecrequest *isr)
+key_checkrequest(struct ipsecrequest *isr, struct secasvar **ret)
{
u_int level;
int error;
@@ -898,8 +898,11 @@ key_checkrequest(struct ipsecrequest *is
KEY_FREESAV(&oldsav);
/* When there is SA. */
- if (isr->sav != NULL)
+ if (isr->sav != NULL) {
+ *ret = isr->sav;
+ SA_ADDREF(*ret);
return 0;
+ }
/* there is no SA */
error = key_acquire(saidx, isr->sp);
@@ -913,6 +916,7 @@ key_checkrequest(struct ipsecrequest *is
if (level != IPSEC_LEVEL_REQUIRE) {
/* XXX sigh, the interface to this routine is botched */
KASSERTMSG(isr->sav == NULL, "unexpected SA");
+ *ret = NULL;
return 0;
} else {
return ENOENT;
Index: src/sys/netipsec/key.h
diff -u src/sys/netipsec/key.h:1.22 src/sys/netipsec/key.h:1.23
--- src/sys/netipsec/key.h:1.22 Fri Jul 14 01:24:23 2017
+++ src/sys/netipsec/key.h Fri Jul 14 12:26:26 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: key.h,v 1.22 2017/07/14 01:24:23 ozaki-r Exp $ */
+/* $NetBSD: key.h,v 1.23 2017/07/14 12:26:26 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/key.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $KAME: key.h,v 1.21 2001/07/27 03:51:30 itojun Exp $ */
@@ -93,7 +93,7 @@ void key_freesav(struct secasvar **, con
key_freesav(psav, __func__, __LINE__)
int key_checktunnelsanity (struct secasvar *, u_int, void *, void *);
-int key_checkrequest(struct ipsecrequest *);
+int key_checkrequest(struct ipsecrequest *, struct secasvar **);
struct secpolicy *key_msg2sp (const struct sadb_x_policy *, size_t, int *);
struct mbuf *key_sp2msg (const struct secpolicy *);
Index: src/sys/netipsec/xform.h
diff -u src/sys/netipsec/xform.h:1.10 src/sys/netipsec/xform.h:1.11
--- src/sys/netipsec/xform.h:1.10 Fri Jul 14 01:24:23 2017
+++ src/sys/netipsec/xform.h Fri Jul 14 12:26:26 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: xform.h,v 1.10 2017/07/14 01:24:23 ozaki-r Exp $ */
+/* $NetBSD: xform.h,v 1.11 2017/07/14 12:26:26 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/xform.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ipsp.h,v 1.119 2002/03/14 01:27:11 millert Exp $ */
/*
@@ -93,7 +93,8 @@ struct xformsw {
int (*xf_input)(struct mbuf*, struct secasvar*, /* input */
int, int);
int (*xf_output)(struct mbuf*, /* output */
- struct ipsecrequest *, struct mbuf **, int, int);
+ struct ipsecrequest *, struct secasvar *,
+ struct mbuf **, int, int);
struct xformsw *xf_next; /* list of registered xforms */
};
@@ -106,7 +107,7 @@ struct cryptoini;
/* XF_IP4 */
extern int ip4_input6(struct mbuf **m, int *offp, int proto);
extern void ip4_input(struct mbuf *m, int, int);
-extern int ipip_output(struct mbuf *, struct ipsecrequest *,
+extern int ipip_output(struct mbuf *, struct ipsecrequest *, struct secasvar *,
struct mbuf **, int, int);
/* XF_AH */
Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.60 src/sys/netipsec/xform_ah.c:1.61
--- src/sys/netipsec/xform_ah.c:1.60 Fri Jul 14 01:24:23 2017
+++ src/sys/netipsec/xform_ah.c Fri Jul 14 12:26:26 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ah.c,v 1.60 2017/07/14 01:24:23 ozaki-r Exp $ */
+/* $NetBSD: xform_ah.c,v 1.61 2017/07/14 12:26:26 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
/*
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.60 2017/07/14 01:24:23 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.61 2017/07/14 12:26:26 ozaki-r Exp $");
#if defined(_KERNEL_OPT)
#include "opt_inet.h"
@@ -955,13 +955,13 @@ static int
ah_output(
struct mbuf *m,
struct ipsecrequest *isr,
+ struct secasvar *sav,
struct mbuf **mp,
int skip,
int protoff
)
{
char buf[IPSEC_ADDRSTRLEN];
- struct secasvar *sav;
const struct auth_hash *ahx;
struct cryptodesc *crda;
struct tdb_crypto *tc;
@@ -974,7 +974,6 @@ ah_output(
IPSEC_SPLASSERT_SOFTNET(__func__);
- sav = isr->sav;
KASSERT(sav != NULL);
KASSERT(sav->tdb_authalgxform != NULL);
ahx = sav->tdb_authalgxform;
@@ -1202,7 +1201,6 @@ ah_output_cb(struct cryptop *crp)
goto bad;
}
}
- KASSERTMSG(isr->sav == sav, "SA changed");
/* Check for crypto errors. */
if (crp->crp_etype) {
@@ -1256,7 +1254,7 @@ ah_output_cb(struct cryptop *crp)
#endif
/* NB: m is reclaimed by ipsec_process_done. */
- err = ipsec_process_done(m, isr);
+ err = ipsec_process_done(m, isr, sav);
KEY_FREESAV(&sav);
mutex_exit(softnet_lock);
splx(s);
Index: src/sys/netipsec/xform_esp.c
diff -u src/sys/netipsec/xform_esp.c:1.61 src/sys/netipsec/xform_esp.c:1.62
--- src/sys/netipsec/xform_esp.c:1.61 Fri Jul 14 01:24:23 2017
+++ src/sys/netipsec/xform_esp.c Fri Jul 14 12:26:26 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_esp.c,v 1.61 2017/07/14 01:24:23 ozaki-r Exp $ */
+/* $NetBSD: xform_esp.c,v 1.62 2017/07/14 12:26:26 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.61 2017/07/14 01:24:23 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.62 2017/07/14 12:26:26 ozaki-r Exp $");
#if defined(_KERNEL_OPT)
#include "opt_inet.h"
@@ -698,6 +698,7 @@ static int
esp_output(
struct mbuf *m,
struct ipsecrequest *isr,
+ struct secasvar *sav,
struct mbuf **mp,
int skip,
int protoff
@@ -709,7 +710,6 @@ esp_output(
int hlen, rlen, padding, blks, alen, i, roff;
struct mbuf *mo = NULL;
struct tdb_crypto *tc;
- struct secasvar *sav;
struct secasindex *saidx;
unsigned char *pad;
uint8_t prot;
@@ -720,8 +720,6 @@ esp_output(
IPSEC_SPLASSERT_SOFTNET(__func__);
- KASSERT(isr->sav != NULL);
- sav = isr->sav;
esph = sav->tdb_authalgxform;
KASSERT(sav->tdb_encalgxform != NULL);
espx = sav->tdb_encalgxform;
@@ -981,8 +979,6 @@ esp_output_cb(struct cryptop *crp)
goto bad;
}
}
- KASSERTMSG(isr->sav == sav,
- "SA changed was %p now %p", isr->sav, sav);
/* Check for crypto errors. */
if (crp->crp_etype) {
@@ -1037,7 +1033,7 @@ esp_output_cb(struct cryptop *crp)
#endif
/* NB: m is reclaimed by ipsec_process_done. */
- err = ipsec_process_done(m, isr);
+ err = ipsec_process_done(m, isr, sav);
KEY_FREESAV(&sav);
mutex_exit(softnet_lock);
splx(s);
Index: src/sys/netipsec/xform_ipcomp.c
diff -u src/sys/netipsec/xform_ipcomp.c:1.42 src/sys/netipsec/xform_ipcomp.c:1.43
--- src/sys/netipsec/xform_ipcomp.c:1.42 Fri Jul 14 01:24:23 2017
+++ src/sys/netipsec/xform_ipcomp.c Fri Jul 14 12:26:26 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ipcomp.c,v 1.42 2017/07/14 01:24:23 ozaki-r Exp $ */
+/* $NetBSD: xform_ipcomp.c,v 1.43 2017/07/14 12:26:26 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.42 2017/07/14 01:24:23 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.43 2017/07/14 12:26:26 ozaki-r Exp $");
/* IP payload compression protocol (IPComp), see RFC 2393 */
#if defined(_KERNEL_OPT)
@@ -376,13 +376,13 @@ static int
ipcomp_output(
struct mbuf *m,
struct ipsecrequest *isr,
+ struct secasvar *sav,
struct mbuf **mp,
int skip,
int protoff
)
{
char buf[IPSEC_ADDRSTRLEN];
- struct secasvar *sav;
const struct comp_algo *ipcompx;
int error, ralen, hlen, maxpacketsize;
struct cryptodesc *crdc;
@@ -390,8 +390,7 @@ ipcomp_output(
struct tdb_crypto *tc;
IPSEC_SPLASSERT_SOFTNET(__func__);
- KASSERT(isr->sav != NULL);
- sav = isr->sav;
+ KASSERT(sav != NULL);
KASSERT(sav->tdb_compalgxform != NULL);
ipcompx = sav->tdb_compalgxform;
@@ -400,7 +399,7 @@ ipcomp_output(
/* Don't process the packet if it is too short */
if (ralen < ipcompx->minlen) {
IPCOMP_STATINC(IPCOMP_STAT_MINLEN);
- return ipsec_process_done(m,isr);
+ return ipsec_process_done(m, isr, sav);
}
hlen = IPCOMP_HLENGTH;
@@ -547,7 +546,6 @@ ipcomp_output_cb(struct cryptop *crp)
goto bad;
}
}
- KASSERTMSG(isr->sav == sav, "SA changed");
/* Check for crypto errors */
if (crp->crp_etype) {
@@ -651,7 +649,7 @@ ipcomp_output_cb(struct cryptop *crp)
crypto_freereq(crp);
/* NB: m is reclaimed by ipsec_process_done. */
- error = ipsec_process_done(m, isr);
+ error = ipsec_process_done(m, isr, sav);
KEY_FREESAV(&sav);
mutex_exit(softnet_lock);
splx(s);
Index: src/sys/netipsec/xform_ipip.c
diff -u src/sys/netipsec/xform_ipip.c:1.52 src/sys/netipsec/xform_ipip.c:1.53
--- src/sys/netipsec/xform_ipip.c:1.52 Fri Jul 14 01:24:23 2017
+++ src/sys/netipsec/xform_ipip.c Fri Jul 14 12:26:26 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ipip.c,v 1.52 2017/07/14 01:24:23 ozaki-r Exp $ */
+/* $NetBSD: xform_ipip.c,v 1.53 2017/07/14 12:26:26 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.52 2017/07/14 01:24:23 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.53 2017/07/14 12:26:26 ozaki-r Exp $");
/*
* IP-inside-IP processing
@@ -397,13 +397,13 @@ int
ipip_output(
struct mbuf *m,
struct ipsecrequest *isr,
+ struct secasvar *sav,
struct mbuf **mp,
int skip,
int protoff
)
{
char buf[IPSEC_ADDRSTRLEN];
- struct secasvar *sav;
uint8_t tp, otos;
struct secasindex *saidx;
int error;
@@ -416,9 +416,7 @@ ipip_output(
#endif /* INET6 */
IPSEC_SPLASSERT_SOFTNET(__func__);
-
- KASSERT(isr->sav != NULL);
- sav = isr->sav;
+ KASSERT(sav != NULL);
/* XXX Deal with empty TDB source/destination addresses. */
Index: src/sys/netipsec/xform_tcp.c
diff -u src/sys/netipsec/xform_tcp.c:1.14 src/sys/netipsec/xform_tcp.c:1.15
--- src/sys/netipsec/xform_tcp.c:1.14 Fri Jul 14 01:24:23 2017
+++ src/sys/netipsec/xform_tcp.c Fri Jul 14 12:26:26 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_tcp.c,v 1.14 2017/07/14 01:24:23 ozaki-r Exp $ */
+/* $NetBSD: xform_tcp.c,v 1.15 2017/07/14 12:26:26 ozaki-r Exp $ */
/* $FreeBSD: sys/netipsec/xform_tcp.c,v 1.1.2.1 2004/02/14 22:24:09 bms Exp $ */
/*
@@ -31,7 +31,7 @@
/* TCP MD5 Signature Option (RFC2385) */
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_tcp.c,v 1.14 2017/07/14 01:24:23 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_tcp.c,v 1.15 2017/07/14 12:26:26 ozaki-r Exp $");
#if defined(_KERNEL_OPT)
#include "opt_inet.h"
@@ -155,7 +155,7 @@ tcpsignature_input(struct mbuf *m, struc
*/
static int
tcpsignature_output(struct mbuf *m, struct ipsecrequest *isr,
- struct mbuf **mp, int skip, int protoff)
+ struct secasvar *sav, struct mbuf **mp, int skip, int protoff)
{
return (EINVAL);
