Module Name: src Committed By: ozaki-r Date: Fri Jul 14 12:26:26 UTC 2017
Modified Files: src/sys/netipsec: ipsec.h ipsec_output.c key.c key.h xform.h xform_ah.c xform_esp.c xform_ipcomp.c xform_ipip.c xform_tcp.c Log Message: Prepare to stop using isr->sav isr is a shared resource and using isr->sav as a temporal storage for each packet processing is racy. And also having a reference from isr to sav makes the lifetime of sav non-deterministic; such a reference is removed when a packet is processed and isr->sav is overwritten by new one. Let's have a sav locally for each packet processing instead of using shared isr->sav. However this change doesn't stop using isr->sav yet because there are some users of isr->sav. isr->sav will be removed after the users find a way to not use isr->sav. To generate a diff of this commit: cvs rdiff -u -r1.51 -r1.52 src/sys/netipsec/ipsec.h cvs rdiff -u -r1.53 -r1.54 src/sys/netipsec/ipsec_output.c cvs rdiff -u -r1.183 -r1.184 src/sys/netipsec/key.c cvs rdiff -u -r1.22 -r1.23 src/sys/netipsec/key.h cvs rdiff -u -r1.10 -r1.11 src/sys/netipsec/xform.h cvs rdiff -u -r1.60 -r1.61 src/sys/netipsec/xform_ah.c cvs rdiff -u -r1.61 -r1.62 src/sys/netipsec/xform_esp.c cvs rdiff -u -r1.42 -r1.43 src/sys/netipsec/xform_ipcomp.c cvs rdiff -u -r1.52 -r1.53 src/sys/netipsec/xform_ipip.c cvs rdiff -u -r1.14 -r1.15 src/sys/netipsec/xform_tcp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/netipsec/ipsec.h diff -u src/sys/netipsec/ipsec.h:1.51 src/sys/netipsec/ipsec.h:1.52 --- src/sys/netipsec/ipsec.h:1.51 Wed Jul 5 03:44:59 2017 +++ src/sys/netipsec/ipsec.h Fri Jul 14 12:26:26 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.h,v 1.51 2017/07/05 03:44:59 ozaki-r Exp $ */ +/* $NetBSD: ipsec.h,v 1.52 2017/07/14 12:26:26 ozaki-r Exp $ */ /* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */ /* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */ @@ -341,7 +341,7 @@ void ipsec4_common_input(struct mbuf *m, int ipsec4_common_input_cb(struct mbuf *, struct secasvar *, int, int); int ipsec4_process_packet(struct mbuf *, struct ipsecrequest *); -int ipsec_process_done (struct mbuf *, struct ipsecrequest *); +int ipsec_process_done(struct mbuf *, struct ipsecrequest *, struct secasvar *); #define ipsec_indone(m) \ (m_tag_find((m), PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL) Index: src/sys/netipsec/ipsec_output.c diff -u src/sys/netipsec/ipsec_output.c:1.53 src/sys/netipsec/ipsec_output.c:1.54 --- src/sys/netipsec/ipsec_output.c:1.53 Thu Jul 13 01:48:52 2017 +++ src/sys/netipsec/ipsec_output.c Fri Jul 14 12:26:26 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_output.c,v 1.53 2017/07/13 01:48:52 ozaki-r Exp $ */ +/* $NetBSD: ipsec_output.c,v 1.54 2017/07/14 12:26:26 ozaki-r Exp $ */ /*- * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting @@ -29,7 +29,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.53 2017/07/13 01:48:52 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.54 2017/07/14 12:26:26 ozaki-r Exp $"); /* * IPsec output processing. @@ -142,9 +142,9 @@ ipsec_reinject_ipstack(struct mbuf *m, i } int -ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) +ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr, + struct secasvar *sav) { - struct secasvar *sav; struct secasindex *saidx; int error; #ifdef INET @@ -162,7 +162,6 @@ ipsec_process_done(struct mbuf *m, struc KASSERT(m != NULL); KASSERT(isr != NULL); - sav = isr->sav; KASSERT(sav != NULL); saidx = &sav->sah->saidx; @@ -293,7 +292,8 @@ ipsec_nextisr( struct mbuf *m, struct ipsecrequest *isr, int af, - int *error + int *error, + struct secasvar **ret ) { #define IPSEC_OSTAT(type) \ @@ -311,7 +311,7 @@ do { \ } \ } while (/*CONSTCOND*/0) - struct secasvar *sav; + struct secasvar *sav = NULL; struct secasindex *saidx; IPSEC_SPLASSERT_SOFTNET("ipsec_nextisr"); @@ -380,7 +380,7 @@ again: /* * Lookup SA and validate it. */ - *error = key_checkrequest(isr); + *error = key_checkrequest(isr, &sav); if (*error != 0) { /* * IPsec processing is required, but no SA found. @@ -392,7 +392,6 @@ again: IPSEC_STATINC(IPSEC_STAT_OUT_NOSA); goto bad; } - sav = isr->sav; /* sav may be NULL here if we have an USE rule */ if (sav == NULL) { KASSERTMSG(ipsec_get_reqlevel(isr) == IPSEC_LEVEL_USE, @@ -404,6 +403,7 @@ again: * It can happen when the last rules are USE rules * */ if (isr == NULL) { + *ret = NULL; *error = 0; return isr; } @@ -420,6 +420,7 @@ again: " to policy (check your sysctls)\n"); IPSEC_OSTAT(PDROPS); *error = EHOSTUNREACH; + KEY_FREESAV(&sav); goto bad; } @@ -428,6 +429,7 @@ again: * before they invoke the xform output method. */ KASSERT(sav->tdb_xform != NULL); + *ret = sav; return isr; bad: KASSERTMSG(*error != 0, "error return w/ no error code"); @@ -442,7 +444,7 @@ bad: int ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr) { - struct secasvar *sav; + struct secasvar *sav = NULL; struct ip *ip; int s, error, i, off; union sockaddr_union *dst; @@ -453,7 +455,7 @@ ipsec4_process_packet(struct mbuf *m, st s = splsoftnet(); /* insure SA contents don't change */ - isr = ipsec_nextisr(m, isr, AF_INET, &error); + isr = ipsec_nextisr(m, isr, AF_INET, &error, &sav); if (isr == NULL) { if (error != 0) { goto bad; @@ -466,7 +468,7 @@ ipsec4_process_packet(struct mbuf *m, st } } - sav = isr->sav; + KASSERT(sav != NULL); dst = &sav->sah->saidx.dst; /* @@ -476,7 +478,7 @@ ipsec4_process_packet(struct mbuf *m, st if (m->m_len < sizeof (struct ip) && (m = m_pullup(m, sizeof (struct ip))) == NULL) { error = ENOBUFS; - goto bad; + goto unrefsav; } ip = mtod(m, struct ip *); /* Honor system-wide control of how to handle IP_DF */ @@ -511,7 +513,7 @@ ipsec4_process_packet(struct mbuf *m, st if (m->m_len < sizeof (struct ip) && (m = m_pullup(m, sizeof (struct ip))) == NULL) { error = ENOBUFS; - goto bad; + goto unrefsav; } ip = mtod(m, struct ip *); ip->ip_len = htons(m->m_pkthdr.len); @@ -519,7 +521,7 @@ ipsec4_process_packet(struct mbuf *m, st ip->ip_sum = in_cksum(m, ip->ip_hl << 2); /* Encapsulate the packet */ - error = ipip_output(m, isr, &mp, 0, 0); + error = ipip_output(m, isr, sav, &mp, 0, 0); if (mp == NULL && !error) { /* Should never happen. */ IPSECLOG(LOG_DEBUG, @@ -532,7 +534,7 @@ ipsec4_process_packet(struct mbuf *m, st m_freem(mp); } m = NULL; /* ipip_output() already freed it */ - goto bad; + goto unrefsav; } m = mp, mp = NULL; /* @@ -546,7 +548,7 @@ ipsec4_process_packet(struct mbuf *m, st if (m->m_len < sizeof (struct ip) && (m = m_pullup(m, sizeof (struct ip))) == NULL) { error = ENOBUFS; - goto bad; + goto unrefsav; } ip = mtod(m, struct ip *); ip->ip_off |= htons(IP_DF); @@ -572,12 +574,15 @@ ipsec4_process_packet(struct mbuf *m, st i = sizeof(struct ip6_hdr); off = offsetof(struct ip6_hdr, ip6_nxt); } - error = (*sav->tdb_xform->xf_output)(m, isr, NULL, i, off); + error = (*sav->tdb_xform->xf_output)(m, isr, sav, NULL, i, off); } else { - error = ipsec_process_done(m, isr); + error = ipsec_process_done(m, isr, sav); } + KEY_FREESAV(&sav); splx(s); return error; +unrefsav: + KEY_FREESAV(&sav); bad: splx(s); if (m) @@ -673,7 +678,7 @@ ipsec6_process_packet( struct ipsecrequest *isr ) { - struct secasvar *sav; + struct secasvar *sav = NULL; struct ip6_hdr *ip6; int s, error, i, off; union sockaddr_union *dst; @@ -683,7 +688,7 @@ ipsec6_process_packet( s = splsoftnet(); /* insure SA contents don't change */ - isr = ipsec_nextisr(m, isr, AF_INET6, &error); + isr = ipsec_nextisr(m, isr, AF_INET6, &error, &sav); if (isr == NULL) { if (error != 0) { /* XXX Should we send a notification ? */ @@ -697,7 +702,7 @@ ipsec6_process_packet( } } - sav = isr->sav; + KASSERT(sav != NULL); dst = &sav->sah->saidx.dst; ip6 = mtod(m, struct ip6_hdr *); /* XXX */ @@ -715,21 +720,21 @@ ipsec6_process_packet( if (m->m_len < sizeof(struct ip6_hdr)) { if ((m = m_pullup(m,sizeof(struct ip6_hdr))) == NULL) { error = ENOBUFS; - goto bad; + goto unrefsav; } } if (m->m_pkthdr.len - sizeof(*ip6) > IPV6_MAXPACKET) { /* No jumbogram support. */ error = ENXIO; /*XXX*/ - goto bad; + goto unrefsav; } ip6 = mtod(m, struct ip6_hdr *); ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6)); /* Encapsulate the packet */ - error = ipip_output(m, isr, &mp, 0, 0); + error = ipip_output(m, isr, sav, &mp, 0, 0); if (mp == NULL && !error) { /* Should never happen. */ IPSECLOG(LOG_DEBUG, @@ -743,7 +748,7 @@ ipsec6_process_packet( m_freem(mp); } m = NULL; /* ipip_output() already freed it */ - goto bad; + goto unrefsav; } m = mp; @@ -758,9 +763,12 @@ ipsec6_process_packet( } else { compute_ipsec_pos(m, &i, &off); } - error = (*sav->tdb_xform->xf_output)(m, isr, NULL, i, off); + error = (*sav->tdb_xform->xf_output)(m, isr, sav, NULL, i, off); + KEY_FREESAV(&sav); splx(s); return error; +unrefsav: + KEY_FREESAV(&sav); bad: splx(s); if (m) Index: src/sys/netipsec/key.c diff -u src/sys/netipsec/key.c:1.183 src/sys/netipsec/key.c:1.184 --- src/sys/netipsec/key.c:1.183 Fri Jul 14 01:30:08 2017 +++ src/sys/netipsec/key.c Fri Jul 14 12:26:26 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: key.c,v 1.183 2017/07/14 01:30:08 ozaki-r Exp $ */ +/* $NetBSD: key.c,v 1.184 2017/07/14 12:26:26 ozaki-r Exp $ */ /* $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */ /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.183 2017/07/14 01:30:08 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.184 2017/07/14 12:26:26 ozaki-r Exp $"); /* * This code is referd to RFC 2367 @@ -837,7 +837,7 @@ done: * ENOENT: policy may be valid, but SA with REQUIRE is on acquiring. */ int -key_checkrequest(struct ipsecrequest *isr) +key_checkrequest(struct ipsecrequest *isr, struct secasvar **ret) { u_int level; int error; @@ -898,8 +898,11 @@ key_checkrequest(struct ipsecrequest *is KEY_FREESAV(&oldsav); /* When there is SA. */ - if (isr->sav != NULL) + if (isr->sav != NULL) { + *ret = isr->sav; + SA_ADDREF(*ret); return 0; + } /* there is no SA */ error = key_acquire(saidx, isr->sp); @@ -913,6 +916,7 @@ key_checkrequest(struct ipsecrequest *is if (level != IPSEC_LEVEL_REQUIRE) { /* XXX sigh, the interface to this routine is botched */ KASSERTMSG(isr->sav == NULL, "unexpected SA"); + *ret = NULL; return 0; } else { return ENOENT; Index: src/sys/netipsec/key.h diff -u src/sys/netipsec/key.h:1.22 src/sys/netipsec/key.h:1.23 --- src/sys/netipsec/key.h:1.22 Fri Jul 14 01:24:23 2017 +++ src/sys/netipsec/key.h Fri Jul 14 12:26:26 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: key.h,v 1.22 2017/07/14 01:24:23 ozaki-r Exp $ */ +/* $NetBSD: key.h,v 1.23 2017/07/14 12:26:26 ozaki-r Exp $ */ /* $FreeBSD: src/sys/netipsec/key.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $KAME: key.h,v 1.21 2001/07/27 03:51:30 itojun Exp $ */ @@ -93,7 +93,7 @@ void key_freesav(struct secasvar **, con key_freesav(psav, __func__, __LINE__) int key_checktunnelsanity (struct secasvar *, u_int, void *, void *); -int key_checkrequest(struct ipsecrequest *); +int key_checkrequest(struct ipsecrequest *, struct secasvar **); struct secpolicy *key_msg2sp (const struct sadb_x_policy *, size_t, int *); struct mbuf *key_sp2msg (const struct secpolicy *); Index: src/sys/netipsec/xform.h diff -u src/sys/netipsec/xform.h:1.10 src/sys/netipsec/xform.h:1.11 --- src/sys/netipsec/xform.h:1.10 Fri Jul 14 01:24:23 2017 +++ src/sys/netipsec/xform.h Fri Jul 14 12:26:26 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: xform.h,v 1.10 2017/07/14 01:24:23 ozaki-r Exp $ */ +/* $NetBSD: xform.h,v 1.11 2017/07/14 12:26:26 ozaki-r Exp $ */ /* $FreeBSD: src/sys/netipsec/xform.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipsp.h,v 1.119 2002/03/14 01:27:11 millert Exp $ */ /* @@ -93,7 +93,8 @@ struct xformsw { int (*xf_input)(struct mbuf*, struct secasvar*, /* input */ int, int); int (*xf_output)(struct mbuf*, /* output */ - struct ipsecrequest *, struct mbuf **, int, int); + struct ipsecrequest *, struct secasvar *, + struct mbuf **, int, int); struct xformsw *xf_next; /* list of registered xforms */ }; @@ -106,7 +107,7 @@ struct cryptoini; /* XF_IP4 */ extern int ip4_input6(struct mbuf **m, int *offp, int proto); extern void ip4_input(struct mbuf *m, int, int); -extern int ipip_output(struct mbuf *, struct ipsecrequest *, +extern int ipip_output(struct mbuf *, struct ipsecrequest *, struct secasvar *, struct mbuf **, int, int); /* XF_AH */ Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.60 src/sys/netipsec/xform_ah.c:1.61 --- src/sys/netipsec/xform_ah.c:1.60 Fri Jul 14 01:24:23 2017 +++ src/sys/netipsec/xform_ah.c Fri Jul 14 12:26:26 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.60 2017/07/14 01:24:23 ozaki-r Exp $ */ +/* $NetBSD: xform_ah.c,v 1.61 2017/07/14 12:26:26 ozaki-r Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.60 2017/07/14 01:24:23 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.61 2017/07/14 12:26:26 ozaki-r Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -955,13 +955,13 @@ static int ah_output( struct mbuf *m, struct ipsecrequest *isr, + struct secasvar *sav, struct mbuf **mp, int skip, int protoff ) { char buf[IPSEC_ADDRSTRLEN]; - struct secasvar *sav; const struct auth_hash *ahx; struct cryptodesc *crda; struct tdb_crypto *tc; @@ -974,7 +974,6 @@ ah_output( IPSEC_SPLASSERT_SOFTNET(__func__); - sav = isr->sav; KASSERT(sav != NULL); KASSERT(sav->tdb_authalgxform != NULL); ahx = sav->tdb_authalgxform; @@ -1202,7 +1201,6 @@ ah_output_cb(struct cryptop *crp) goto bad; } } - KASSERTMSG(isr->sav == sav, "SA changed"); /* Check for crypto errors. */ if (crp->crp_etype) { @@ -1256,7 +1254,7 @@ ah_output_cb(struct cryptop *crp) #endif /* NB: m is reclaimed by ipsec_process_done. */ - err = ipsec_process_done(m, isr); + err = ipsec_process_done(m, isr, sav); KEY_FREESAV(&sav); mutex_exit(softnet_lock); splx(s); Index: src/sys/netipsec/xform_esp.c diff -u src/sys/netipsec/xform_esp.c:1.61 src/sys/netipsec/xform_esp.c:1.62 --- src/sys/netipsec/xform_esp.c:1.61 Fri Jul 14 01:24:23 2017 +++ src/sys/netipsec/xform_esp.c Fri Jul 14 12:26:26 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.61 2017/07/14 01:24:23 ozaki-r Exp $ */ +/* $NetBSD: xform_esp.c,v 1.62 2017/07/14 12:26:26 ozaki-r Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ @@ -39,7 +39,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.61 2017/07/14 01:24:23 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.62 2017/07/14 12:26:26 ozaki-r Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -698,6 +698,7 @@ static int esp_output( struct mbuf *m, struct ipsecrequest *isr, + struct secasvar *sav, struct mbuf **mp, int skip, int protoff @@ -709,7 +710,6 @@ esp_output( int hlen, rlen, padding, blks, alen, i, roff; struct mbuf *mo = NULL; struct tdb_crypto *tc; - struct secasvar *sav; struct secasindex *saidx; unsigned char *pad; uint8_t prot; @@ -720,8 +720,6 @@ esp_output( IPSEC_SPLASSERT_SOFTNET(__func__); - KASSERT(isr->sav != NULL); - sav = isr->sav; esph = sav->tdb_authalgxform; KASSERT(sav->tdb_encalgxform != NULL); espx = sav->tdb_encalgxform; @@ -981,8 +979,6 @@ esp_output_cb(struct cryptop *crp) goto bad; } } - KASSERTMSG(isr->sav == sav, - "SA changed was %p now %p", isr->sav, sav); /* Check for crypto errors. */ if (crp->crp_etype) { @@ -1037,7 +1033,7 @@ esp_output_cb(struct cryptop *crp) #endif /* NB: m is reclaimed by ipsec_process_done. */ - err = ipsec_process_done(m, isr); + err = ipsec_process_done(m, isr, sav); KEY_FREESAV(&sav); mutex_exit(softnet_lock); splx(s); Index: src/sys/netipsec/xform_ipcomp.c diff -u src/sys/netipsec/xform_ipcomp.c:1.42 src/sys/netipsec/xform_ipcomp.c:1.43 --- src/sys/netipsec/xform_ipcomp.c:1.42 Fri Jul 14 01:24:23 2017 +++ src/sys/netipsec/xform_ipcomp.c Fri Jul 14 12:26:26 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ipcomp.c,v 1.42 2017/07/14 01:24:23 ozaki-r Exp $ */ +/* $NetBSD: xform_ipcomp.c,v 1.43 2017/07/14 12:26:26 ozaki-r Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */ @@ -30,7 +30,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.42 2017/07/14 01:24:23 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.43 2017/07/14 12:26:26 ozaki-r Exp $"); /* IP payload compression protocol (IPComp), see RFC 2393 */ #if defined(_KERNEL_OPT) @@ -376,13 +376,13 @@ static int ipcomp_output( struct mbuf *m, struct ipsecrequest *isr, + struct secasvar *sav, struct mbuf **mp, int skip, int protoff ) { char buf[IPSEC_ADDRSTRLEN]; - struct secasvar *sav; const struct comp_algo *ipcompx; int error, ralen, hlen, maxpacketsize; struct cryptodesc *crdc; @@ -390,8 +390,7 @@ ipcomp_output( struct tdb_crypto *tc; IPSEC_SPLASSERT_SOFTNET(__func__); - KASSERT(isr->sav != NULL); - sav = isr->sav; + KASSERT(sav != NULL); KASSERT(sav->tdb_compalgxform != NULL); ipcompx = sav->tdb_compalgxform; @@ -400,7 +399,7 @@ ipcomp_output( /* Don't process the packet if it is too short */ if (ralen < ipcompx->minlen) { IPCOMP_STATINC(IPCOMP_STAT_MINLEN); - return ipsec_process_done(m,isr); + return ipsec_process_done(m, isr, sav); } hlen = IPCOMP_HLENGTH; @@ -547,7 +546,6 @@ ipcomp_output_cb(struct cryptop *crp) goto bad; } } - KASSERTMSG(isr->sav == sav, "SA changed"); /* Check for crypto errors */ if (crp->crp_etype) { @@ -651,7 +649,7 @@ ipcomp_output_cb(struct cryptop *crp) crypto_freereq(crp); /* NB: m is reclaimed by ipsec_process_done. */ - error = ipsec_process_done(m, isr); + error = ipsec_process_done(m, isr, sav); KEY_FREESAV(&sav); mutex_exit(softnet_lock); splx(s); Index: src/sys/netipsec/xform_ipip.c diff -u src/sys/netipsec/xform_ipip.c:1.52 src/sys/netipsec/xform_ipip.c:1.53 --- src/sys/netipsec/xform_ipip.c:1.52 Fri Jul 14 01:24:23 2017 +++ src/sys/netipsec/xform_ipip.c Fri Jul 14 12:26:26 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ipip.c,v 1.52 2017/07/14 01:24:23 ozaki-r Exp $ */ +/* $NetBSD: xform_ipip.c,v 1.53 2017/07/14 12:26:26 ozaki-r Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */ @@ -39,7 +39,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.52 2017/07/14 01:24:23 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.53 2017/07/14 12:26:26 ozaki-r Exp $"); /* * IP-inside-IP processing @@ -397,13 +397,13 @@ int ipip_output( struct mbuf *m, struct ipsecrequest *isr, + struct secasvar *sav, struct mbuf **mp, int skip, int protoff ) { char buf[IPSEC_ADDRSTRLEN]; - struct secasvar *sav; uint8_t tp, otos; struct secasindex *saidx; int error; @@ -416,9 +416,7 @@ ipip_output( #endif /* INET6 */ IPSEC_SPLASSERT_SOFTNET(__func__); - - KASSERT(isr->sav != NULL); - sav = isr->sav; + KASSERT(sav != NULL); /* XXX Deal with empty TDB source/destination addresses. */ Index: src/sys/netipsec/xform_tcp.c diff -u src/sys/netipsec/xform_tcp.c:1.14 src/sys/netipsec/xform_tcp.c:1.15 --- src/sys/netipsec/xform_tcp.c:1.14 Fri Jul 14 01:24:23 2017 +++ src/sys/netipsec/xform_tcp.c Fri Jul 14 12:26:26 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_tcp.c,v 1.14 2017/07/14 01:24:23 ozaki-r Exp $ */ +/* $NetBSD: xform_tcp.c,v 1.15 2017/07/14 12:26:26 ozaki-r Exp $ */ /* $FreeBSD: sys/netipsec/xform_tcp.c,v 1.1.2.1 2004/02/14 22:24:09 bms Exp $ */ /* @@ -31,7 +31,7 @@ /* TCP MD5 Signature Option (RFC2385) */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: xform_tcp.c,v 1.14 2017/07/14 01:24:23 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_tcp.c,v 1.15 2017/07/14 12:26:26 ozaki-r Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -155,7 +155,7 @@ tcpsignature_input(struct mbuf *m, struc */ static int tcpsignature_output(struct mbuf *m, struct ipsecrequest *isr, - struct mbuf **mp, int skip, int protoff) + struct secasvar *sav, struct mbuf **mp, int skip, int protoff) { return (EINVAL);