pipex_destroy_session should be called under NET_LOCK, but if it is called
by this sequence: pppacclose -> pipex_iface_fini -> pipex_iface_stop
-> pipex_destroy_session, NET_LOCK is missing and the kernel crashes.
pipex_iface_stop calls are protected by NET_LOCK, so it should also be
protected within pipex_iface_fini. This problem is also described at
https://marc.info/?l=openbsd-misc&m=158496654715242&w=2

Index: sys/net/pipex.c
===================================================================
RCS file: /cvs/src/sys/net/pipex.c,v
retrieving revision 1.107
diff -u -p -r1.107 pipex.c
--- sys/net/pipex.c     31 Jan 2019 18:01:14 -0000      1.107
+++ sys/net/pipex.c     25 Mar 2020 10:02:40 -0000
@@ -197,7 +197,9 @@ void
 pipex_iface_fini(struct pipex_iface_context *pipex_iface)
 {
        pool_put(&pipex_session_pool, pipex_iface->multicast_session);
+       NET_LOCK();
        pipex_iface_stop(pipex_iface);
+       NET_UNLOCK();
 }
 
 int
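
Review bot: In pipex_iface_fini(), the pool_put() of pipex_iface->multicast_session still runs before NET_LOCK() is taken and before pipex_iface_stop(). If anything that runs under the net lock, including the stop path itself, can still reach multicast_session, the object goes back to pipex_session_pool while it is still referenced. Consider calling pipex_iface_stop() first and doing the pool_put() afterwards, or moving the pool_put() inside the locked region. Since the description states that pipex_destroy_session must run under NET_LOCK, a NET_ASSERT_LOCKED() at the top of that function would document the requirement and catch any other unlocked caller. It would also help to confirm that pppacclose is the only caller of pipex_iface_fini() and that none of them already holds the lock when NET_LOCK() is reached here.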
