pipex_destroy_session should be called under NET_LOCK but if it called by this sequence: pppacclose -> pipex_iface_fini -> pipex_iface_stop -> pipex_destroy_session, NET_LOCK is missing and kernel crashes. pipex_iface_stop calls are protected by NET_LOCK, so it should be also protected within pipex_iface_fini. This problem also desribed at https://marc.info/?l=openbsd-misc&m=158496654715242&w=2
Index: sys/net/pipex.c =================================================================== RCS file: /cvs/src/sys/net/pipex.c,v retrieving revision 1.107 diff -u -p -r1.107 pipex.c --- sys/net/pipex.c 31 Jan 2019 18:01:14 -0000 1.107 +++ sys/net/pipex.c 25 Mar 2020 10:02:40 -0000 @@ -197,7 +197,9 @@ void pipex_iface_fini(struct pipex_iface_context *pipex_iface) { pool_put(&pipex_session_pool, pipex_iface->multicast_session); + NET_LOCK(); pipex_iface_stop(pipex_iface); + NET_UNLOCK(); } int