Stop ipsec4_output returning SP to the caller

SP isn't used by the caller (ip_output) and also holding its
reference looks unnecessary.

sys/netinet/ip_output.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_output.c,v 1.277 2017/05/07 16:41:22 christos Exp $	*/
+/*	$NetBSD: ip_output.c,v 1.278 2017/05/10 09:34:51 ozaki-r Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.277 2017/05/07 16:41:22 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.278 2017/05/10 09:34:51 ozaki-r Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -239,9 +239,6 @@ ip_output(struct mbuf *m0, struct mbuf *opt, struct route *ro, int flags,
 	int isbroadcast;
 	int sw_csum;
 	u_long mtu;
-#ifdef IPSEC
-	struct secpolicy *sp = NULL;
-#endif
 	bool natt_frag = false;
 	bool rtmtu_nolock;
 	union {
@@ -588,7 +585,7 @@ sendit:
 		bool ipsec_done = false;
 
 		/* Perform IPsec processing, if any. */
-		error = ipsec4_output(m, inp, flags, &sp, &mtu, &natt_frag,
+		error = ipsec4_output(m, inp, flags, &mtu, &natt_frag,
 		    &ipsec_done);
 		if (error || ipsec_done)
 			goto done;
@@ -770,11 +767,6 @@ done:
 	if (ro == &iproute) {
 		rtcache_free(&iproute);
 	}
-#ifdef IPSEC
-	if (sp) {
-		KEY_FREESP(&sp);
-	}
-#endif
 	if (mifp != NULL) {
 		if_put(mifp, &psref);
 	}

sys/netipsec/ipsec.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.c,v 1.86 2017/05/08 06:39:23 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.87 2017/05/10 09:34:52 ozaki-r Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $	*/
 /*	$KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.86 2017/05/08 06:39:23 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.87 2017/05/10 09:34:52 ozaki-r Exp $");
 
 /*
  * IPsec controller part.
@@ -658,7 +658,7 @@ ipsec4_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error,
 
 int
 ipsec4_output(struct mbuf *m, struct inpcb *inp, int flags,
-    struct secpolicy **sp_out, u_long *mtu, bool *natt_frag, bool *done)
+    u_long *mtu, bool *natt_frag, bool *done)
 {
 	const struct ip *ip = mtod(m, const struct ip *);
 	struct secpolicy *sp = NULL;
@@ -707,7 +707,6 @@ ipsec4_output(struct mbuf *m, struct inpcb *inp, int flags,
 		/* No IPsec processing for this packet. */
 		return 0;
 	}
-	*sp_out = sp;
 
 	/*
 	 * NAT-T ESP fragmentation: do not do IPSec processing now,
@@ -718,6 +717,7 @@ ipsec4_output(struct mbuf *m, struct inpcb *inp, int flags,
 		if (ntohs(ip->ip_len) > sp->req->sav->esp_frag) {
 			*mtu = sp->req->sav->esp_frag;
 			*natt_frag = true;
+			KEY_FREESP(&sp);
 			splx(s);
 			return 0;
 		}
@@ -743,6 +743,7 @@ ipsec4_output(struct mbuf *m, struct inpcb *inp, int flags,
 	 */
 	if (error == ENOENT)
 		error = 0;
+	KEY_FREESP(&sp);
 	splx(s);
 	*done = true;
 	return error;

sys/netipsec/ipsec.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.h,v 1.45 2017/05/08 06:39:23 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec.h,v 1.46 2017/05/10 09:34:52 ozaki-r Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $	*/
 
@@ -255,7 +255,7 @@ struct secpolicy *ipsec4_checkpolicy (struct mbuf *, u_int, u_int,
 struct secpolicy * ipsec_getpolicybyaddr(struct mbuf *, u_int,
 	int, int *);
 int ipsec4_output(struct mbuf *, struct inpcb *, int,
-	struct secpolicy **, u_long *, bool *, bool *);
+	u_long *, bool *, bool *);
 int ipsec4_input(struct mbuf *, int);
 int ipsec4_forward(struct mbuf *, int *);
 #ifdef INET6