Check if solock of PCB is held when SP caches in the PCB are accessed

To this end, a back pointer from inpcbpolicy to inpcb_hdr is added.
2017-04-25 05:44:11 +00:00 · 2017-04-25 05:44:11 +00:00 · 5cfcce1f60
parent a06215af07
commit 5cfcce1f60
5 changed files with 21 additions and 8 deletions
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@ -1,4 +1,4 @@
-/*	$NetBSD: in_pcb.c,v 1.177 2017/04/20 08:45:09 ozaki-r Exp $	*/
+/*	$NetBSD: in_pcb.c,v 1.178 2017/04/25 05:44:11 ozaki-r Exp $	*/

 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -93,7 +93,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in_pcb.c,v 1.177 2017/04/20 08:45:09 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in_pcb.c,v 1.178 2017/04/25 05:44:11 ozaki-r Exp $");

 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@ -211,6 +211,7 @@ in_pcballoc(struct socket *so, void *v)
 			pool_put(&inpcb_pool, inp);
 			return error;
 		}
+		inp->inp_sp->sp_inph = (struct inpcb_hdr *)inp;
 	}
 #endif
 	so->so_pcb = inp;
--- a/sys/netinet/in_pcb_hdr.h
+++ b/sys/netinet/in_pcb_hdr.h
@ -1,4 +1,4 @@
-/*	$NetBSD: in_pcb_hdr.h,v 1.11 2014/05/30 01:39:03 christos Exp $	*/
+/*	$NetBSD: in_pcb_hdr.h,v 1.12 2017/04/25 05:44:11 ozaki-r Exp $	*/

 /*
 * Copyright (C) 2003 WIDE Project.
@ -84,6 +84,7 @@ struct inpcb_hdr {
 };

 #define	sotoinpcb_hdr(so)	((struct inpcb_hdr *)(so)->so_pcb)
+#define	inph_locked(inph)	(solocked((inph)->inph_socket))

 LIST_HEAD(inpcbhead, inpcb_hdr);

--- a/sys/netinet6/in6_pcb.c
+++ b/sys/netinet6/in6_pcb.c
@ -1,4 +1,4 @@
-/*	$NetBSD: in6_pcb.c,v 1.160 2017/04/20 08:45:09 ozaki-r Exp $	*/
+/*	$NetBSD: in6_pcb.c,v 1.161 2017/04/25 05:44:11 ozaki-r Exp $	*/
 /*	$KAME: in6_pcb.c,v 1.84 2001/02/08 18:02:08 itojun Exp $	*/

 /*
@ -62,7 +62,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in6_pcb.c,v 1.160 2017/04/20 08:45:09 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in6_pcb.c,v 1.161 2017/04/25 05:44:11 ozaki-r Exp $");

 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@ -178,6 +178,7 @@ in6_pcballoc(struct socket *so, void *v)
 			pool_put(&in6pcb_pool, in6p);
 			return error;
 		}
+		in6p->in6p_sp->sp_inph = (struct inpcb_hdr *)in6p;
 	}
 #endif /* IPSEC */
 	s = splsoftnet();
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.c,v 1.83 2017/04/21 08:39:06 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.84 2017/04/25 05:44:11 ozaki-r Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $	*/
 /*	$KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $	*/

@ -32,7 +32,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.83 2017/04/21 08:39:06 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.84 2017/04/25 05:44:11 ozaki-r Exp $");

 /*
 * IPsec controller part.
@ -214,6 +214,7 @@ ipsec_checkpcbcache(struct mbuf *m, struct inpcbpolicy *pcbsp, int dir)
 	KASSERT(IPSEC_DIR_IS_VALID(dir));
 	KASSERT(pcbsp != NULL);
 	KASSERT(dir < sizeof(pcbsp->sp_cache)/sizeof(pcbsp->sp_cache[0]));
+	KASSERT(inph_locked(pcbsp->sp_inph));

 	/* SPD table change invalidate all the caches. */
 	if (ipsec_spdgen != pcbsp->sp_cache[dir].cachegen) {
@ -270,6 +271,7 @@ ipsec_fillpcbcache(struct inpcbpolicy *pcbsp, struct mbuf *m,

 	KASSERT(IPSEC_DIR_IS_INOROUT(dir));
 	KASSERT(dir < sizeof(pcbsp->sp_cache)/sizeof(pcbsp->sp_cache[0]));
+	KASSERT(inph_locked(pcbsp->sp_inph));

 	if (pcbsp->sp_cache[dir].cachesp)
 		KEY_FREESP(&pcbsp->sp_cache[dir].cachesp);
@ -313,6 +315,8 @@ ipsec_invalpcbcache(struct inpcbpolicy *pcbsp, int dir)
 {
 	int i;

+	KASSERT(inph_locked(pcbsp->sp_inph));
+
 	for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) {
 		if (dir != IPSEC_DIR_ANY && i != dir)
 			continue;
@ -331,6 +335,8 @@ void
 ipsec_pcbconn(struct inpcbpolicy *pcbsp)
 {

+	KASSERT(inph_locked(pcbsp->sp_inph));
+
 	pcbsp->sp_cacheflags |= IPSEC_PCBSP_CONNECTED;
 	ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
 }
@ -339,6 +345,8 @@ void
 ipsec_pcbdisconn(struct inpcbpolicy *pcbsp)
 {

+	KASSERT(inph_locked(pcbsp->sp_inph));
+
 	pcbsp->sp_cacheflags &= ~IPSEC_PCBSP_CONNECTED;
 	ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
 }
@ -447,6 +455,7 @@ ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb_hdr *inph,
 	KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir);

 	KASSERT(inph->inph_socket != NULL);
+	KASSERT(inph_locked(inph));

 	/* XXX FIXME inpcb/in6pcb  vs socket*/
 	af = inph->inph_af;
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.h,v 1.43 2017/04/20 08:46:07 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec.h,v 1.44 2017/04/25 05:44:11 ozaki-r Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $	*/

@ -130,6 +130,7 @@ struct inpcbpolicy {
 	} sp_cache[3];			/* XXX 3 == IPSEC_DIR_MAX */
 	int sp_cacheflags;
 #define	IPSEC_PCBSP_CONNECTED	1
+	struct inpcb_hdr *sp_inph;	/* back pointer */
 };

 #define	IPSEC_PCB_SKIP_IPSEC(inpp, dir)					\