Hi, ip_deliver() has been called without the kernel lock from ip_ours() and ip6_ours() for a long time. It looks like these two callers in ip6 input were overlooked and never had the lock removed.
ok? bluhm
Index: netinet6/ip6_input.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_input.c,v
retrieving revision 1.237
diff -u -p -r1.237 ip6_input.c
--- netinet6/ip6_input.c 3 Jun 2021 04:47:54 -0000 1.237
+++ netinet6/ip6_input.c 24 Dec 2021 14:18:08 -0000
@@ -404,12 +404,9 @@ ip6_input_if(struct mbuf **mp, int *offp
 }
 if (ours) {
- if (af == AF_UNSPEC) {
- KERNEL_LOCK();
+ if (af == AF_UNSPEC)
 nxt = ip_deliver(mp, offp, nxt, AF_INET6);
- KERNEL_UNLOCK();
- }
 goto out;
 }
 goto bad;
@@ -508,11 +505,8 @@ ip6_input_if(struct mbuf **mp, int *offp
 goto out;
 if (ours) {
- if (af == AF_UNSPEC) {
- KERNEL_LOCK();
+ if (af == AF_UNSPEC)
 nxt = ip_deliver(mp, offp, nxt, AF_INET6);
- KERNEL_UNLOCK();
- }
 goto out;
 }
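Review bot: Nothing at the call site now records that ip_deliver() is entered without the kernel lock on purpose, so a reader of `if (af == AF_UNSPEC) nxt = ip_deliver(mp, offp, nxt, AF_INET6);` in the first hunk (and its twin at @@ -508) has no hint that the KERNEL_LOCK()/KERNEL_UNLOCK() pair was removed deliberately rather than lost in a merge. A one-line comment above the if at both places would do, e.g. `/* ip_deliver() runs without KERNEL_LOCK(), as it already does from ip6_ours(). */`. The justification lives only in the mail text — ip_ours() and ip6_ours() have called it unlocked for a long time — and the hunk shows nothing of ip_deliver()'s own locking, so that equivalence to the ip6_ours() path is the fact a future reader needs pointed at. ip6_input_if() begins and ends outside both hunks, and the remaining flow (`goto out` after the call) is unchanged.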