FreeBSD Bugzilla – Attachment 183913 Details for
Bug 220217
deadlock on enc and pf
[patch]
Proposed patch (untested)
enc_inp.diff (text/plain), 6.00 KB, created by
Andrey V. Elsukov
on 2017-06-29 13:42:28 UTC
Description:
Proposed patch (untested)
Filename:
MIME Type:
Creator:
Andrey V. Elsukov
Created:
2017-06-29 13:42:28 UTC
Size:
6.00 KB
>Index: sys/netipsec/ipsec.h
>===================================================================
>--- sys/netipsec/ipsec.h (revision 320469)
>+++ sys/netipsec/ipsec.h (working copy)
>@@ -253,8 +253,9 @@ struct ipsecstat {
> #include <sys/counter.h>
>
> struct ipsec_ctx_data;
>-#define IPSEC_INIT_CTX(_ctx, _mp, _sav, _af, _enc) do { \
>+#define IPSEC_INIT_CTX(_ctx, _mp, _inp, _sav, _af, _enc) do { \
> (_ctx)->mp = (_mp); \
>+ (_ctx)->inp = (_inp); \
> (_ctx)->sav = (_sav); \
> (_ctx)->af = (_af); \
> (_ctx)->enc = (_enc); \
>Index: sys/netipsec/ipsec_input.c
>===================================================================
>--- sys/netipsec/ipsec_input.c (revision 320469)
>+++ sys/netipsec/ipsec_input.c (working copy)
>@@ -325,7 +325,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct seca
> (prot == IPPROTO_UDP || prot == IPPROTO_TCP))
> udp_ipsec_adjust_cksum(m, sav, prot, skip);
>
>- IPSEC_INIT_CTX(&ctx, &m, sav, AF_INET, IPSEC_ENC_BEFORE);
>+ IPSEC_INIT_CTX(&ctx, &m, NULL, sav, AF_INET, IPSEC_ENC_BEFORE);
> if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
> goto bad;
> ip = mtod(m, struct ip *); /* update pointer */
>@@ -416,7 +416,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct seca
> goto bad;
> }
>
>- IPSEC_INIT_CTX(&ctx, &m, sav, af, IPSEC_ENC_AFTER);
>+ IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
> if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
> goto bad;
>
>@@ -522,7 +522,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct seca
> goto bad;
> }
>
>- IPSEC_INIT_CTX(&ctx, &m, sav, af, IPSEC_ENC_BEFORE);
>+ IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_BEFORE);
> if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
> goto bad;
>
>@@ -593,7 +593,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct seca
> else
> #endif
> af = AF_INET6;
>- IPSEC_INIT_CTX(&ctx, &m, sav, af, IPSEC_ENC_AFTER);
>+ IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
> if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
> goto bad;
> if (skip == 0) {
>Index: sys/netipsec/ipsec_output.c
>===================================================================
>--- sys/netipsec/ipsec_output.c (revision 320469)
>+++ sys/netipsec/ipsec_output.c (working copy)
>@@ -181,7 +181,8 @@ next:
> * IPsec output logic for IPv4.
> */
> static int
>-ipsec4_perform_request(struct mbuf *m, struct secpolicy *sp, u_int idx)
>+ipsec4_perform_request(struct mbuf *m, struct secpolicy *sp,
>+ struct inpcb *inp, u_int idx)
> {
> struct ipsec_ctx_data ctx;
> union sockaddr_union *dst;
>@@ -211,7 +212,7 @@ static int
> /*
> * XXXAE: most likely ip_sum at this point is wrong.
> */
>- IPSEC_INIT_CTX(&ctx, &m, sav, AF_INET, IPSEC_ENC_BEFORE);
>+ IPSEC_INIT_CTX(&ctx, &m, inp, sav, AF_INET, IPSEC_ENC_BEFORE);
> if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
> goto bad;
>
>@@ -235,9 +236,10 @@ static int
> /* XXXAE: IPSEC_OSTAT_INC(tunnel); */
> goto bad;
> }
>+ inp = NULL;
> }
>
>- IPSEC_INIT_CTX(&ctx, &m, sav, dst->sa.sa_family, IPSEC_ENC_AFTER);
>+ IPSEC_INIT_CTX(&ctx, &m, inp, sav, dst->sa.sa_family, IPSEC_ENC_AFTER);
> if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
> goto bad;
>
>@@ -285,7 +287,7 @@ ipsec4_process_packet(struct mbuf *m, struct secpo
> struct inpcb *inp)
> {
>
>- return (ipsec4_perform_request(m, sp, 0));
>+ return (ipsec4_perform_request(m, sp, inp, 0));
> }
>
> static int
>@@ -491,7 +493,8 @@ next:
> * IPsec output logic for IPv6.
> */
> static int
>-ipsec6_perform_request(struct mbuf *m, struct secpolicy *sp, u_int idx)
>+ipsec6_perform_request(struct mbuf *m, struct secpolicy *sp,
>+ struct inpcb *inp, u_int idx)
> {
> struct ipsec_ctx_data ctx;
> union sockaddr_union *dst;
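Review bot: In ipsec4_perform_request the added `inp = NULL;` (hunk at -235, and the identical line in ipsec6_perform_request at -540) has no comment, so the reason the inpcb is withheld from the IPSEC_ENC_AFTER hooks is left to the reader. It appears to sit at the end of the tunnel-encapsulation branch, where the packet presumably gains an outer header that no longer describes the socket's connection; if that is the intent, say so in place: `inp = NULL; /* outer header no longer matches inp's connection */`. On the path that skips this branch the same inpcb reaches both the BEFORE and AFTER hooks, which is worth one line in the function comment. Both function bodies extend beyond these hunks.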
>@@ -514,7 +517,7 @@ static int
> ip6 = mtod(m, struct ip6_hdr *);
> ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6));
>
>- IPSEC_INIT_CTX(&ctx, &m, sav, AF_INET6, IPSEC_ENC_BEFORE);
>+ IPSEC_INIT_CTX(&ctx, &m, inp, sav, AF_INET6, IPSEC_ENC_BEFORE);
> if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
> goto bad;
>
>@@ -540,9 +543,10 @@ static int
> /* XXXAE: IPSEC_OSTAT_INC(tunnel); */
> goto bad;
> }
>+ inp = NULL;
> }
>
>- IPSEC_INIT_CTX(&ctx, &m, sav, dst->sa.sa_family, IPSEC_ENC_AFTER);
>+ IPSEC_INIT_CTX(&ctx, &m, inp, sav, dst->sa.sa_family, IPSEC_ENC_AFTER);
> if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
> goto bad;
>
>@@ -585,7 +589,7 @@ ipsec6_process_packet(struct mbuf *m, struct secpo
> struct inpcb *inp)
> {
>
>- return (ipsec6_perform_request(m, sp, 0));
>+ return (ipsec6_perform_request(m, sp, inp, 0));
> }
>
> static int
>@@ -750,7 +754,7 @@ ipsec_process_done(struct mbuf *m, struct secpolic
> case AF_INET:
> key_freesav(&sav);
> IPSECSTAT_INC(ips_out_bundlesa);
>- return (ipsec4_perform_request(m, sp, idx));
>+ return (ipsec4_perform_request(m, sp, NULL, idx));
> /* NOTREACHED */
> #endif
> #ifdef INET6
>@@ -757,7 +761,7 @@ ipsec_process_done(struct mbuf *m, struct secpolic
> case AF_INET6:
> key_freesav(&sav);
> IPSEC6STAT_INC(ips_out_bundlesa);
>- return (ipsec6_perform_request(m, sp, idx));
>+ return (ipsec6_perform_request(m, sp, NULL, idx));
> /* NOTREACHED */
> #endif /* INET6 */
> default:
>Index: sys/net/if_enc.c
>===================================================================
>--- sys/net/if_enc.c (revision 320469)
>+++ sys/net/if_enc.c (working copy)
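Review bot: In ipsec_process_done both bundle re-entry calls (hunks at -750 and -757 of ipsec_output.c) pass a literal NULL for the new inp argument, so the second and later transforms of an SA bundle run the enc hooks without the socket's inpcb. Whether ipsec_process_done can run in the sender's context with the pcb lock still held is not visible from these hunks; if it can, a filter that falls back to its own socket lookup when given NULL could reach the same lock again, which is the situation the bug title describes. Either carry inp through to this point or justify the NULL in place, for example `/* packet is already IPsec-encapsulated; no socket match applies */`. The function body extends beyond both hunks.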
>@@ -284,7 +284,7 @@ enc_hhook(int32_t hhook_type, int32_t hhook_id, vo
> /* Make a packet looks like it was received on enc(4) */
> rcvif = (*ctx->mp)->m_pkthdr.rcvif;
> (*ctx->mp)->m_pkthdr.rcvif = ifp;
>- if (pfil_run_hooks(ph, ctx->mp, ifp, pdir, NULL) != 0 ||
>+ if (pfil_run_hooks(ph, ctx->mp, ifp, pdir, ctx->inp) != 0 ||
> *ctx->mp == NULL) {
> *ctx->mp = NULL; /* consumed by filter */
> return (EACCES);
>Index: sys/net/if_enc.h
>===================================================================
>--- sys/net/if_enc.h (revision 320469)
>+++ sys/net/if_enc.h (working copy)
>@@ -33,6 +33,7 @@
> struct ipsec_ctx_data {
> struct mbuf **mp;
> struct secasvar *sav;
>+ struct inpcb *inp;
> uint8_t af;
> #define IPSEC_ENC_BEFORE 0x01
> #define IPSEC_ENC_AFTER 0x02
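Review bot: enc_hhook in sys/net/if_enc.c now forwards `ctx->inp` to pfil_run_hooks, so the packet filter trusts whatever the hhook producer left in that field. The context structs visible in this patch are stack variables filled only through IPSEC_INIT_CTX, so a producer that fills ipsec_ctx_data by hand (none is visible here) would pass an uninitialised pointer to the filter. If the intended contract is that a non-NULL inp is locked by the caller, assert it before the call with `if (ctx->inp != NULL) INP_LOCK_ASSERT(ctx->inp);`, which also records the locking assumption this deadlock fix depends on. enc_hhook starts and ends outside the hunk.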
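Review bot: In sys/net/if_enc.h the new `inp` member is inserted between `sav` and `af`, which moves `af` and every later member of struct ipsec_ctx_data for any hhook consumer built against the old header. If this fix is meant for a stable branch, consider appending the member at the end of the struct, or state that such modules must be rebuilt. The member also has no comment; assuming the hook only borrows the pointer, `struct inpcb *inp; /* sending socket's pcb or NULL; not owned by the hook */` would document it. The struct definition continues past the hunk.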