Don't acquire global locks for IPsec if NET_MPSAFE

Note that the change is just to make testing easy and IPsec isn't MP-safe yet.

sys/netinet/ip_input.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.359 2017/07/19 07:24:46 ozaki-r Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.360 2017/07/27 06:59:28 ozaki-r Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.359 2017/07/19 07:24:46 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.360 2017/07/27 06:59:28 ozaki-r Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -754,13 +754,10 @@ ip_input(struct mbuf *m)
 #ifdef IPSEC
 		/* Check the security policy (SP) for the packet */
 		if (ipsec_used) {
-			SOFTNET_LOCK();
 			if (ipsec4_input(m, IP_FORWARDING |
 			    (ip_directedbcast ? IP_ALLOWBROADCAST : 0)) != 0) {
-				SOFTNET_UNLOCK();
 				goto out;
 			}
-			SOFTNET_UNLOCK();
 		}
 #endif
 		ip_forward(m, srcrt, ifp);
@@ -803,12 +800,9 @@ ours:
 	 */
 	if (ipsec_used &&
 	    (inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) {
-		SOFTNET_LOCK();
 		if (ipsec4_input(m, 0) != 0) {
-			SOFTNET_UNLOCK();
 			goto out;
 		}
-		SOFTNET_UNLOCK();
 	}
 #endif
 

sys/netinet6/ip6_input.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.180 2017/07/06 17:14:35 christos Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.181 2017/07/27 06:59:28 ozaki-r Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.180 2017/07/06 17:14:35 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.181 2017/07/27 06:59:28 ozaki-r Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
@@ -790,9 +790,7 @@ ip6_input(struct mbuf *m, struct ifnet *rcvif)
 			    & PR_LASTHDR) != 0) {
 				int error;
 
-				SOFTNET_LOCK();
 				error = ipsec6_input(m);
-				SOFTNET_UNLOCK();
 				if (error)
 					goto bad;
 			}

sys/netipsec/ipsec_output.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_output.c,v 1.56 2017/07/21 03:08:10 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec_output.c,v 1.57 2017/07/27 06:59:28 ozaki-r Exp $	*/
 
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,13 +29,14 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.56 2017/07/21 03:08:10 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.57 2017/07/27 06:59:28 ozaki-r Exp $");
 
 /*
  * IPsec output processing.
  */
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
+#include "opt_net_mpsafe.h"
 #endif
 
 #include <sys/param.h>
@@ -117,10 +118,14 @@ ipsec_reinject_ipstack(struct mbuf *m, int af)
 	switch (af) {
 #ifdef INET
 	case AF_INET:
+#ifndef NET_MPSAFE
 		KERNEL_LOCK(1, NULL);
+#endif
 		rv = ip_output(m, NULL, NULL, IP_RAWOUTPUT|IP_NOIPNEWID,
 		    NULL, NULL);
+#ifndef NET_MPSAFE
 		KERNEL_UNLOCK_ONE(NULL);
+#endif
 		return rv;
 
 #endif /* INET */
@@ -130,9 +135,13 @@ ipsec_reinject_ipstack(struct mbuf *m, int af)
 		 * We don't need massage, IPv6 header fields are always in
 		 * net endian.
 		 */
+#ifndef NET_MPSAFE
 		KERNEL_LOCK(1, NULL);
+#endif
 		rv = ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL);
+#ifndef NET_MPSAFE
 		KERNEL_UNLOCK_ONE(NULL);
+#endif
 		return rv;
 #endif /* INET6 */
 	}

sys/netipsec/ipsec_private.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_private.h,v 1.4 2017/04/19 03:39:14 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec_private.h,v 1.5 2017/07/27 06:59:28 ozaki-r Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -79,6 +79,28 @@ extern	percpu_t *pfkeystat_percpu;
 /* superuser opened socket? */
 #define IPSEC_PRIVILEGED_SO(so) ((so)->so_uidinfo->ui_uid == 0)
 
+#ifdef _KERNEL_OPT
+#include "opt_net_mpsafe.h"
+#endif
+
+#ifdef NET_MPSAFE
+#define IPSEC_DECLARE_LOCK_VARIABLE
+#define IPSEC_ACQUIRE_GLOBAL_LOCKS()	do { } while (0)
+#define IPSEC_RELEASE_GLOBAL_LOCKS()	do { } while (0)
+#else
+#include <sys/socketvar.h> /* for softnet_lock */
+
+#define IPSEC_DECLARE_LOCK_VARIABLE	int __s
+#define IPSEC_ACQUIRE_GLOBAL_LOCKS()	do {					\
+					__s = splsoftnet();		\
+					mutex_enter(softnet_lock);	\
+				} while (0)
+#define IPSEC_RELEASE_GLOBAL_LOCKS()	do {					\
+					mutex_exit(softnet_lock);	\
+					splx(__s);			\
+				} while (0)
+#endif
+
 #endif /* _KERNEL */
 
 #endif /* !_NETIPSEC_IPSEC_PRIVATE_H_ */

sys/netipsec/key.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.194 2017/07/26 09:18:15 ozaki-r Exp $	*/
+/*	$NetBSD: key.c,v 1.195 2017/07/27 06:59:28 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.194 2017/07/26 09:18:15 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.195 2017/07/27 06:59:28 ozaki-r Exp $");
 
 /*
  * This code is referd to RFC 2367
@@ -4540,11 +4540,10 @@ key_timehandler_spacq(time_t now)
 static void
 key_timehandler_work(struct work *wk, void *arg)
 {
-	int s;
 	time_t now = time_uptime;
+	IPSEC_DECLARE_LOCK_VARIABLE;
 
-	s = splsoftnet();
-	mutex_enter(softnet_lock);
+	IPSEC_ACQUIRE_GLOBAL_LOCKS();
 
 	key_timehandler_spd(now);
 	key_timehandler_sad(now);
@@ -4554,8 +4553,7 @@ key_timehandler_work(struct work *wk, void *arg)
 	/* do exchange to tick time !! */
 	callout_reset(&key_timehandler_ch, hz, key_timehandler, NULL);
 
-	mutex_exit(softnet_lock);
-	splx(s);
+	IPSEC_RELEASE_GLOBAL_LOCKS();
 	return;
 }
 

sys/netipsec/xform_ah.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.68 2017/07/20 08:07:14 ozaki-r Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.69 2017/07/27 06:59:28 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.68 2017/07/20 08:07:14 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.69 2017/07/27 06:59:28 ozaki-r Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -53,7 +53,6 @@ __KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.68 2017/07/20 08:07:14 ozaki-r Exp $"
 #include <sys/syslog.h>
 #include <sys/kernel.h>
 #include <sys/sysctl.h>
-#include <sys/socketvar.h> /* for softnet_lock */
 #include <sys/pool.h>
 
 #include <net/if.h>
@@ -797,9 +796,10 @@ ah_input_cb(struct cryptop *crp)
 	struct secasindex *saidx;
 	uint8_t nxt;
 	char *ptr;
-	int s, authsize;
+	int authsize;
 	uint16_t dport;
 	uint16_t sport;
+	IPSEC_DECLARE_LOCK_VARIABLE;
 
 	KASSERT(crp->crp_opaque != NULL);
 	tc = crp->crp_opaque;
@@ -812,8 +812,7 @@ ah_input_cb(struct cryptop *crp)
 	/* find the source port for NAT-T */
 	nat_t_ports_get(m, &dport, &sport);
 
-	s = splsoftnet();
-	mutex_enter(softnet_lock);
+	IPSEC_ACQUIRE_GLOBAL_LOCKS();
 
 	sav = tc->tc_sav;
 	if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
@@ -839,8 +838,7 @@ ah_input_cb(struct cryptop *crp)
 			sav->tdb_cryptoid = crp->crp_sid;
 
 		if (crp->crp_etype == EAGAIN) {
-			mutex_exit(softnet_lock);
-			splx(s);
+			IPSEC_RELEASE_GLOBAL_LOCKS();
 			return crypto_dispatch(crp);
 		}
 
@@ -934,14 +932,12 @@ ah_input_cb(struct cryptop *crp)
 	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff);
 
 	KEY_FREESAV(&sav);
-	mutex_exit(softnet_lock);
-	splx(s);
+	IPSEC_RELEASE_GLOBAL_LOCKS();
 	return error;
 bad:
 	if (sav)
 		KEY_FREESAV(&sav);
-	mutex_exit(softnet_lock);
-	splx(s);
+	IPSEC_RELEASE_GLOBAL_LOCKS();
 	if (m != NULL)
 		m_freem(m);
 	if (tc != NULL)
@@ -1182,7 +1178,8 @@ ah_output_cb(struct cryptop *crp)
 	struct secasvar *sav;
 	struct mbuf *m;
 	void *ptr;
-	int s, err;
+	int err;
+	IPSEC_DECLARE_LOCK_VARIABLE;
 
 	KASSERT(crp->crp_opaque != NULL);
 	tc = crp->crp_opaque;
@@ -1190,8 +1187,7 @@ ah_output_cb(struct cryptop *crp)
 	ptr = (tc + 1);
 	m = crp->crp_buf;
 
-	s = splsoftnet();
-	mutex_enter(softnet_lock);
+	IPSEC_ACQUIRE_GLOBAL_LOCKS();
 
 	isr = tc->tc_isr;
 	sav = tc->tc_sav;
@@ -1220,8 +1216,7 @@ ah_output_cb(struct cryptop *crp)
 			sav->tdb_cryptoid = crp->crp_sid;
 
 		if (crp->crp_etype == EAGAIN) {
-			mutex_exit(softnet_lock);
-			splx(s);
+			IPSEC_RELEASE_GLOBAL_LOCKS();
 			return crypto_dispatch(crp);
 		}
 
@@ -1261,15 +1256,13 @@ ah_output_cb(struct cryptop *crp)
 	err = ipsec_process_done(m, isr, sav);
 	KEY_FREESAV(&sav);
 	KEY_FREESP(&isr->sp);
-	mutex_exit(softnet_lock);
-	splx(s);
+	IPSEC_RELEASE_GLOBAL_LOCKS();
 	return err;
 bad:
 	if (sav)
 		KEY_FREESAV(&sav);
 	KEY_FREESP(&isr->sp);
-	mutex_exit(softnet_lock);
-	splx(s);
+	IPSEC_RELEASE_GLOBAL_LOCKS();
 	if (m)
 		m_freem(m);
 	pool_put(&ah_tdb_crypto_pool, tc);

sys/netipsec/xform_esp.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_esp.c,v 1.66 2017/07/20 08:07:14 ozaki-r Exp $	*/
+/*	$NetBSD: xform_esp.c,v 1.67 2017/07/27 06:59:28 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.66 2017/07/20 08:07:14 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.67 2017/07/27 06:59:28 ozaki-r Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -53,7 +53,6 @@ __KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.66 2017/07/20 08:07:14 ozaki-r Exp $
 #include <sys/syslog.h>
 #include <sys/kernel.h>
 #include <sys/sysctl.h>
-#include <sys/socketvar.h> /* for softnet_lock */
 #include <sys/cprng.h>
 #include <sys/pool.h>
 
@@ -495,7 +494,7 @@ esp_input_cb(struct cryptop *crp)
 {
 	char buf[IPSEC_ADDRSTRLEN];
 	uint8_t lastthree[3], aalg[AH_ALEN_MAX];
-	int s, hlen, skip, protoff, error;
+	int hlen, skip, protoff, error;
 	struct mbuf *m;
 	const struct auth_hash *esph;
 	struct tdb_crypto *tc;
@@ -504,6 +503,7 @@ esp_input_cb(struct cryptop *crp)
 	void *ptr;
 	uint16_t dport;
 	uint16_t sport;
+	IPSEC_DECLARE_LOCK_VARIABLE;
 
 	KASSERT(crp->crp_desc != NULL);
 	KASSERT(crp->crp_opaque != NULL);
@@ -516,8 +516,7 @@ esp_input_cb(struct cryptop *crp)
 	/* find the source port for NAT-T */
 	nat_t_ports_get(m, &dport, &sport);
 
-	s = splsoftnet();
-	mutex_enter(softnet_lock);
+	IPSEC_ACQUIRE_GLOBAL_LOCKS();
 
 	sav = tc->tc_sav;
 	if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
@@ -550,8 +549,7 @@ esp_input_cb(struct cryptop *crp)
 
 		if (crp->crp_etype == EAGAIN) {
 			KEY_FREESAV(&sav);
-			mutex_exit(softnet_lock);
-			splx(s);
+			IPSEC_RELEASE_GLOBAL_LOCKS();
 			return crypto_dispatch(crp);
 		}
 
@@ -675,14 +673,12 @@ esp_input_cb(struct cryptop *crp)
 	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff);
 
 	KEY_FREESAV(&sav);
-	mutex_exit(softnet_lock);
-	splx(s);
+	IPSEC_RELEASE_GLOBAL_LOCKS();
 	return error;
 bad:
 	if (sav)
 		KEY_FREESAV(&sav);
-	mutex_exit(softnet_lock);
-	splx(s);
+	IPSEC_RELEASE_GLOBAL_LOCKS();
 	if (m != NULL)
 		m_freem(m);
 	if (tc != NULL)
@@ -956,14 +952,14 @@ esp_output_cb(struct cryptop *crp)
 	struct ipsecrequest *isr;
 	struct secasvar *sav;
 	struct mbuf *m;
-	int s, err, error;
+	int err, error;
+	IPSEC_DECLARE_LOCK_VARIABLE;
 
 	KASSERT(crp->crp_opaque != NULL);
 	tc = crp->crp_opaque;
 	m = crp->crp_buf;
 
-	s = splsoftnet();
-	mutex_enter(softnet_lock);
+	IPSEC_ACQUIRE_GLOBAL_LOCKS();
 
 	isr = tc->tc_isr;
 	sav = tc->tc_sav;
@@ -997,8 +993,7 @@ esp_output_cb(struct cryptop *crp)
 			sav->tdb_cryptoid = crp->crp_sid;
 
 		if (crp->crp_etype == EAGAIN) {
-			mutex_exit(softnet_lock);
-			splx(s);
+			IPSEC_RELEASE_GLOBAL_LOCKS();
 			return crypto_dispatch(crp);
 		}
 
@@ -1038,15 +1033,13 @@ esp_output_cb(struct cryptop *crp)
 	err = ipsec_process_done(m, isr, sav);
 	KEY_FREESAV(&sav);
 	KEY_FREESP(&isr->sp);
-	mutex_exit(softnet_lock);
-	splx(s);
+	IPSEC_RELEASE_GLOBAL_LOCKS();
 	return err;
 bad:
 	if (sav)
 		KEY_FREESAV(&sav);
 	KEY_FREESP(&isr->sp);
-	mutex_exit(softnet_lock);
-	splx(s);
+	IPSEC_RELEASE_GLOBAL_LOCKS();
 	if (m)
 		m_freem(m);
 	pool_put(&esp_tdb_crypto_pool, tc);

sys/netipsec/xform_ipcomp.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ipcomp.c,v 1.47 2017/07/20 08:07:14 ozaki-r Exp $	*/
+/*	$NetBSD: xform_ipcomp.c,v 1.48 2017/07/27 06:59:28 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
 
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.47 2017/07/20 08:07:14 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.48 2017/07/27 06:59:28 ozaki-r Exp $");
 
 /* IP payload compression protocol (IPComp), see RFC 2393 */
 #if defined(_KERNEL_OPT)
@@ -44,7 +44,6 @@ __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.47 2017/07/20 08:07:14 ozaki-r Ex
 #include <sys/kernel.h>
 #include <sys/protosw.h>
 #include <sys/sysctl.h>
-#include <sys/socketvar.h> /* for softnet_lock */
 #include <sys/pool.h>
 
 #include <netinet/in.h>
@@ -239,11 +238,12 @@ ipcomp_input_cb(struct cryptop *crp)
 	struct mbuf *m;
 	struct secasvar *sav;
 	struct secasindex *saidx __diagused;
-	int s, hlen = IPCOMP_HLENGTH, error, clen;
+	int hlen = IPCOMP_HLENGTH, error, clen;
 	uint8_t nproto;
 	void *addr;
 	uint16_t dport;
 	uint16_t sport;
+	IPSEC_DECLARE_LOCK_VARIABLE;
 
 	KASSERT(crp->crp_opaque != NULL);
 	tc = crp->crp_opaque;
@@ -254,8 +254,7 @@ ipcomp_input_cb(struct cryptop *crp)
 	/* find the source port for NAT-T */
 	nat_t_ports_get(m, &dport, &sport);
 
-	s = splsoftnet();
-	mutex_enter(softnet_lock);
+	IPSEC_ACQUIRE_GLOBAL_LOCKS();
 
 	sav = tc->tc_sav;
 	if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
@@ -283,8 +282,7 @@ ipcomp_input_cb(struct cryptop *crp)
 
 		if (crp->crp_etype == EAGAIN) {
 			KEY_FREESAV(&sav);
-			mutex_exit(softnet_lock);
-			splx(s);
+			IPSEC_RELEASE_GLOBAL_LOCKS();
 			return crypto_dispatch(crp);
 		}
 
@@ -350,14 +348,12 @@ ipcomp_input_cb(struct cryptop *crp)
 	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff);
 
 	KEY_FREESAV(&sav);
-	mutex_exit(softnet_lock);
-	splx(s);
+	IPSEC_RELEASE_GLOBAL_LOCKS();
 	return error;
 bad:
 	if (sav)
 		KEY_FREESAV(&sav);
-	mutex_exit(softnet_lock);
-	splx(s);
+	IPSEC_RELEASE_GLOBAL_LOCKS();
 	if (m)
 		m_freem(m);
 	if (tc != NULL)
@@ -519,10 +515,11 @@ ipcomp_output_cb(struct cryptop *crp)
 	struct ipsecrequest *isr;
 	struct secasvar *sav;
 	struct mbuf *m, *mo;
-	int s, error, skip, rlen, roff;
+	int error, skip, rlen, roff;
 	uint8_t prot;
 	uint16_t cpi;
 	struct ipcomp * ipcomp;
+	IPSEC_DECLARE_LOCK_VARIABLE;
 
 	KASSERT(crp->crp_opaque != NULL);
 	tc = crp->crp_opaque;
@@ -530,8 +527,7 @@ ipcomp_output_cb(struct cryptop *crp)
 	skip = tc->tc_skip;
 	rlen = crp->crp_ilen - skip;
 
-	s = splsoftnet();
-	mutex_enter(softnet_lock);
+	IPSEC_ACQUIRE_GLOBAL_LOCKS();
 
 	isr = tc->tc_isr;
 	sav = tc->tc_sav;
@@ -561,8 +557,7 @@ ipcomp_output_cb(struct cryptop *crp)
 			sav->tdb_cryptoid = crp->crp_sid;
 
 		if (crp->crp_etype == EAGAIN) {
-			mutex_exit(softnet_lock);
-			splx(s);
+			IPSEC_RELEASE_GLOBAL_LOCKS();
 			return crypto_dispatch(crp);
 		}
 		IPCOMP_STATINC(IPCOMP_STAT_NOXFORM);
@@ -652,15 +647,13 @@ ipcomp_output_cb(struct cryptop *crp)
 	error = ipsec_process_done(m, isr, sav);
 	KEY_FREESAV(&sav);
 	KEY_FREESP(&isr->sp);
-	mutex_exit(softnet_lock);
-	splx(s);
+	IPSEC_RELEASE_GLOBAL_LOCKS();
 	return error;
 bad:
 	if (sav)
 		KEY_FREESAV(&sav);
 	KEY_FREESP(&isr->sp);
-	mutex_exit(softnet_lock);
-	splx(s);
+	IPSEC_RELEASE_GLOBAL_LOCKS();
 	if (m)
 		m_freem(m);
 	pool_put(&ipcomp_tdb_crypto_pool, tc);