Module Name: src
Committed By: ozaki-r
Date: Fri Jun 2 03:41:21 UTC 2017
Modified Files:
src/sys/netinet: in_pcb_hdr.h tcp_output.c
src/sys/netipsec: ipsec.c ipsec.h
Log Message:
Assert inph_locked on ipsec_pcb_skip_ipsec (was IPSEC_PCB_SKIP_IPSEC)
The assertion confirms that SP caches are accessed with the inph lock (solock) held.
To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/sys/netinet/in_pcb_hdr.h
cvs rdiff -u -r1.195 -r1.196 src/sys/netinet/tcp_output.c
cvs rdiff -u -r1.98 -r1.99 src/sys/netipsec/ipsec.c
cvs rdiff -u -r1.49 -r1.50 src/sys/netipsec/ipsec.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet/in_pcb_hdr.h
diff -u src/sys/netinet/in_pcb_hdr.h:1.12 src/sys/netinet/in_pcb_hdr.h:1.13
--- src/sys/netinet/in_pcb_hdr.h:1.12 Tue Apr 25 05:44:11 2017
+++ src/sys/netinet/in_pcb_hdr.h Fri Jun 2 03:41:20 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: in_pcb_hdr.h,v 1.12 2017/04/25 05:44:11 ozaki-r Exp $ */
+/* $NetBSD: in_pcb_hdr.h,v 1.13 2017/06/02 03:41:20 ozaki-r Exp $ */
/*
* Copyright (C) 2003 WIDE Project.
@@ -89,6 +89,7 @@ struct inpcb_hdr {
LIST_HEAD(inpcbhead, inpcb_hdr);
struct vestigial_inpcb;
+struct in6_addr;
/* Hooks for vestigial pcb entries.
* If vestigial entries exist for a table (TCP only)
Index: src/sys/netinet/tcp_output.c
diff -u src/sys/netinet/tcp_output.c:1.195 src/sys/netinet/tcp_output.c:1.196
--- src/sys/netinet/tcp_output.c:1.195 Fri Mar 3 07:13:06 2017
+++ src/sys/netinet/tcp_output.c Fri Jun 2 03:41:20 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: tcp_output.c,v 1.195 2017/03/03 07:13:06 ozaki-r Exp $ */
+/* $NetBSD: tcp_output.c,v 1.196 2017/06/02 03:41:20 ozaki-r Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -135,7 +135,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tcp_output.c,v 1.195 2017/03/03 07:13:06 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_output.c,v 1.196 2017/06/02 03:41:20 ozaki-r Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -361,7 +361,7 @@ tcp_segsize(struct tcpcb *tp, int *txseg
if (inp) {
#if defined(IPSEC)
if (ipsec_used &&
- !IPSEC_PCB_SKIP_IPSEC(inp->inp_sp, IPSEC_DIR_OUTBOUND))
+ !ipsec_pcb_skip_ipsec(inp->inp_sp, IPSEC_DIR_OUTBOUND))
optlen += ipsec4_hdrsiz_tcp(tp);
#endif
optlen += ip_optlen(inp);
@@ -372,7 +372,7 @@ tcp_segsize(struct tcpcb *tp, int *txseg
if (in6p && tp->t_family == AF_INET) {
#if defined(IPSEC)
if (ipsec_used &&
- !IPSEC_PCB_SKIP_IPSEC(in6p->in6p_sp, IPSEC_DIR_OUTBOUND))
+ !ipsec_pcb_skip_ipsec(in6p->in6p_sp, IPSEC_DIR_OUTBOUND))
optlen += ipsec4_hdrsiz_tcp(tp);
#endif
/* XXX size -= ip_optlen(in6p); */
@@ -381,7 +381,7 @@ tcp_segsize(struct tcpcb *tp, int *txseg
if (in6p && tp->t_family == AF_INET6) {
#if defined(IPSEC)
if (ipsec_used &&
- !IPSEC_PCB_SKIP_IPSEC(in6p->in6p_sp, IPSEC_DIR_OUTBOUND))
+ !ipsec_pcb_skip_ipsec(in6p->in6p_sp, IPSEC_DIR_OUTBOUND))
optlen += ipsec6_hdrsiz_tcp(tp);
#endif
optlen += ip6_optlen(in6p);
@@ -641,7 +641,7 @@ tcp_output(struct tcpcb *tp)
#if defined(INET)
has_tso4 = tp->t_inpcb != NULL &&
#if defined(IPSEC)
- (!ipsec_used || IPSEC_PCB_SKIP_IPSEC(tp->t_inpcb->inp_sp,
+ (!ipsec_used || ipsec_pcb_skip_ipsec(tp->t_inpcb->inp_sp,
IPSEC_DIR_OUTBOUND)) &&
#endif
(rt = rtcache_validate(&tp->t_inpcb->inp_route)) != NULL &&
@@ -654,7 +654,7 @@ tcp_output(struct tcpcb *tp)
#if defined(INET6)
has_tso6 = tp->t_in6pcb != NULL &&
#if defined(IPSEC)
- (!ipsec_used || IPSEC_PCB_SKIP_IPSEC(tp->t_in6pcb->in6p_sp,
+ (!ipsec_used || ipsec_pcb_skip_ipsec(tp->t_in6pcb->in6p_sp,
IPSEC_DIR_OUTBOUND)) &&
#endif
(rt = rtcache_validate(&tp->t_in6pcb->in6p_route)) != NULL &&
Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.98 src/sys/netipsec/ipsec.c:1.99
--- src/sys/netipsec/ipsec.c:1.98 Fri Jun 2 03:39:28 2017
+++ src/sys/netipsec/ipsec.c Fri Jun 2 03:41:20 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.98 2017/06/02 03:39:28 ozaki-r Exp $ */
+/* $NetBSD: ipsec.c,v 1.99 2017/06/02 03:41:20 ozaki-r Exp $ */
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
/* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.98 2017/06/02 03:39:28 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.99 2017/06/02 03:41:20 ozaki-r Exp $");
/*
* IPsec controller part.
@@ -673,7 +673,7 @@ ipsec4_output(struct mbuf *m, struct inp
return 0;
}
s = splsoftnet();
- if (inp && IPSEC_PCB_SKIP_IPSEC(inp->inp_sp, IPSEC_DIR_OUTBOUND)) {
+ if (inp && ipsec_pcb_skip_ipsec(inp->inp_sp, IPSEC_DIR_OUTBOUND)) {
splx(s);
return 0;
}
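Review bot: The only protection visible around the converted call in `ipsec4_output()` is `splsoftnet()`, while the helper now asserts that the inph lock of `inp` is held. A path that reaches this point without solock would therefore trip the assertion in a DIAGNOSTIC kernel, where the old macro read the cache silently. The function starts and ends outside the hunk, so the lock may well be taken by its callers; if so, a line such as `/* inp is locked by the caller (solock) */` at the call would make that reliance explicit. The same applies to the `ipsec6_check_policy()` hunk that follows.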
@@ -2281,7 +2281,7 @@ ipsec6_check_policy(struct mbuf *m, stru
if (!ipsec_outdone(m)) {
s = splsoftnet();
if (in6p != NULL &&
- IPSEC_PCB_SKIP_IPSEC(in6p->in6p_sp, IPSEC_DIR_OUTBOUND)) {
+ ipsec_pcb_skip_ipsec(in6p->in6p_sp, IPSEC_DIR_OUTBOUND)) {
splx(s);
goto skippolicycheck;
}
Index: src/sys/netipsec/ipsec.h
diff -u src/sys/netipsec/ipsec.h:1.49 src/sys/netipsec/ipsec.h:1.50
--- src/sys/netipsec/ipsec.h:1.49 Fri Jun 2 03:39:28 2017
+++ src/sys/netipsec/ipsec.h Fri Jun 2 03:41:20 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.h,v 1.49 2017/06/02 03:39:28 ozaki-r Exp $ */
+/* $NetBSD: ipsec.h,v 1.50 2017/06/02 03:41:20 ozaki-r Exp $ */
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
@@ -46,7 +46,9 @@
#include <net/pfkeyv2.h>
#ifdef _KERNEL
+#include <sys/socketvar.h>
+#include <netinet/in_pcb_hdr.h>
#include <netipsec/keydb.h>
/*
@@ -133,9 +135,17 @@ struct inpcbpolicy {
struct inpcb_hdr *sp_inph; /* back pointer */
};
-#define IPSEC_PCB_SKIP_IPSEC(inpp, dir) \
- ((inpp)->sp_cache[(dir)].cachehint == IPSEC_PCBHINT_NO && \
- (inpp)->sp_cache[(dir)].cachegen == ipsec_spdgen)
+extern u_int ipsec_spdgen;
+
+static inline bool
+ipsec_pcb_skip_ipsec(struct inpcbpolicy *pcbsp, int dir)
+{
+
+ KASSERT(inph_locked(pcbsp->sp_inph));
+
+ return pcbsp->sp_cache[(dir)].cachehint == IPSEC_PCBHINT_NO &&
+ pcbsp->sp_cache[(dir)].cachegen == ipsec_spdgen;
+}
/* SP acquiring list table. */
struct secspacq {
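Review bot: The new `ipsec_pcb_skip_ipsec()` has no comment stating its locking precondition, and `KASSERT` is only compiled into DIAGNOSTIC kernels, so in other builds the requirement is recorded only in the commit log. I would add a short comment above the function, e.g. `/* Caller must hold the inph lock (solock) of pcbsp->sp_inph; reads the SP cache. */`. The `[(dir)]` parentheses are left over from the macro and can become `[dir]`. As in the macro, `dir` indexes `sp_cache` unchecked; a bounds assertion next to the lock assertion would be cheap, assuming the array is sized by the direction constants (its declaration is outside this hunk).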
@@ -257,8 +267,6 @@ void ipsec_pcbconn (struct inpcbpolicy *
void ipsec_pcbdisconn (struct inpcbpolicy *);
void ipsec_invalpcbcacheall (void);
-extern u_int ipsec_spdgen;
-
struct tdb_ident;
struct secpolicy *ipsec_getpolicy (const struct tdb_ident*, u_int);
struct inpcb;