Subject: Re: CVS commit: syssrc/sys/netinet6
To: None <wrstuden@netbsd.org>
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
List: source-changes
Date: 05/11/2002 05:04:35
----Next_Part(Sat_May_11_05:04:35_2002_343)--
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

From: Bill Studenmund <wrstuden@netbsd.org>
Subject: Re: CVS commit: syssrc/sys/netinet6
Date: Fri, 10 May 2002 08:17:27 -0700 (PDT)
> On Fri, 10 May 2002, Jun-ichiro itojun Hagino wrote:

> > Log Message:
> > disable ipsec policy caching on pcb, as it seems that there's some reference-
> > counting mistake that causes panic - see PR 15953 and 13813.
> >
> > i am unable to find the real cause of problem, so it is a shortterm workaround,
> > hopefully.
> 
> I looked into this at one point. One thing that would probably help is to
> add a macro for increasing the reference count. That way we can easily
> instrument checks on reference adding in addition to reference releasing.
> Tests like make sure we aren't about to overflow or we aren't adding a
> reference to something with 0 references.


I think this patch fixes the problem.

---
YAMAMOTO Takashi<yamt@mwd.biglobe.ne.jp>

----Next_Part(Sat_May_11_05:04:35_2002_343)--
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="key.c.diff"

Index: key.c
===================================================================
RCS file: /cvs/cvsroot/syssrc/sys/netkey/key.c,v
retrieving revision 1.60
diff -u -p -r1.60 key.c
--- key.c	2002/03/21 02:27:50	1.60
+++ key.c	2002/05/10 19:59:40
@@ -961,10 +961,8 @@ key_delsp(sp)
 	if (sp == NULL)
 		panic("key_delsp: NULL pointer is passed.\n");
 
-	sp->state = IPSEC_SPSTATE_DEAD;
-
 	if (sp->refcnt > 0)
-		return; /* can't free */
+		panic("key_delsp: refcnt > 0");
 
 	s = splsoftnet();	/*called from softclock()*/
 	/* remove from SP index */
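Review bot: The new assertion in key_delsp only catches `refcnt > 0`, so an over-released policy whose count has gone negative would still fall through to the unlink and free below (assuming `refcnt` is a signed int; its declaration is not in the hunk). This patch adds several extra `key_freesp()` calls, so over-release is the direction most worth asserting against. Consider `if (sp->refcnt != 0)` with `panic("key_delsp: refcnt %d != 0\n", sp->refcnt);`, which also reports the value and restores the trailing newline used by the panic just above. The rest of key_delsp lies outside the hunk.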
@@ -1558,6 +1556,7 @@ key_spdadd(so, m, mhp)
 		if (newsp) {
 			newsp->state = IPSEC_SPSTATE_DEAD;
 			key_freesp(newsp);
+			key_freesp(newsp);
 		}
 	} else {
 		if (newsp != NULL) {
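Review bot: The two back-to-back `key_freesp(newsp)` calls in key_spdadd read as a double free, because nothing says which reference each one releases. The second call is only safe if the policy is guaranteed to hold at least two references at this point. That invariant is not visible in the hunk and should be written down. I would add a comment on the new line such as `/* drop the reference held by the SPD list; the call above drops the one taken by the lookup */`, adjusted to the real owners. The same comment is needed on the added lines in key_spddelete and key_spddelete2.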
@@ -1778,6 +1777,7 @@ key_spddelete(so, m, mhp)
 
 	sp->state = IPSEC_SPSTATE_DEAD;
 	key_freesp(sp);
+	key_freesp(sp);
 
 	/* invalidate all cached SPD pointers on pcb */
 	ipsec_invalpcbcacheall();
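Review bot: Nothing visible in key_spddelete checks that `sp` is not already `IPSEC_SPSTATE_DEAD` before the added second `key_freesp(sp)`, although the key_spdflush hunk of this same patch skips dead entries before making that drop. A dead policy can stay on the list while a reference is outstanding. If the lookup earlier in the function (outside the hunk) can return such a policy, a repeated delete request would release the list's reference twice and underflow the count. Either confirm that the lookup filters dead entries and say so in a comment, or make the second drop conditional on the state seen before the assignment, e.g. `if (sp->state != IPSEC_SPSTATE_DEAD)` evaluated ahead of `sp->state = IPSEC_SPSTATE_DEAD;`. The same applies to key_spddelete2 and, if an existing policy can be found dead there, to the `newsp` branch of key_spdadd.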
@@ -1843,6 +1843,7 @@ key_spddelete2(so, m, mhp)
 
 	sp->state = IPSEC_SPSTATE_DEAD;
 	key_freesp(sp);
+	key_freesp(sp);
 
 	/* invalidate all cached SPD pointers on pcb */
 	ipsec_invalpcbcacheall();
@@ -2051,8 +2052,16 @@ key_spdflush(so, m, mhp)
 		return key_senderror(so, m, EINVAL);
 
 	for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
-		LIST_FOREACH(sp, &sptree[dir], chain) {
+		struct secpolicy *nextsp;
+
+		for (sp = LIST_FIRST(&sptree[dir]);
+			 sp;
+			 sp = nextsp) {
+			nextsp = LIST_NEXT(sp, chain);
+			if (sp->state == IPSEC_SPSTATE_DEAD)
+				continue;
 			sp->state = IPSEC_SPSTATE_DEAD;
+			key_freesp(sp);
 		}
 	}
 
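Review bot: The hand-written loop in key_spdflush replaces `LIST_FOREACH` without a comment saying why, and the reason is easy to lose in a later cleanup. As far as the patch shows, `key_freesp(sp)` can now unlink and free `sp` when it drops the last reference, so the successor must be read first. I would put `/* key_freesp() may unlink and free sp; fetch the next entry before dropping the list reference */` above `nextsp = LIST_NEXT(sp, chain);`. It is also worth noting next to the `continue` that dead entries are skipped because their list reference was already released by whoever marked them dead. The three-line `for` header mixes tab and space indentation and would fit the file better on one line.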
@@ -3842,7 +3851,7 @@ void
 key_timehandler(arg)
 	void *arg;
 {
-	u_int dir;
+/*	u_int dir; */
 	int s;
 	struct timeval tv;
 
@@ -3850,6 +3859,7 @@ key_timehandler(arg)
 
 	s = splsoftnet();	/*called from softclock()*/
 
+#if 0
 	/* SPD */
     {
 	struct secpolicy *sp, *nextsp;
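Review bot: Disabling the SPD pass of key_timehandler with `#if 0` (closed by the `#endif` in the next hunk) and commenting out `u_int dir` in the previous hunk leaves dead code with no explanation. The block should either be deleted or carry a comment such as `/* dead policies are now freed by the last key_freesp(); the timer no longer reaps them */`. The body of the disabled block is not shown in the hunks. If it did anything besides reaping DEAD entries, such as policy lifetime expiry, that behaviour is silently lost and should be called out in the commit message. With the reaper gone, a policy whose references leak is never reclaimed, which is worth stating as a known consequence.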
@@ -3866,6 +3876,7 @@ key_timehandler(arg)
 		}
 	}
     }
+#endif
 
 	/* SAD */
     {

----Next_Part(Sat_May_11_05:04:35_2002_343)----