From owner-svn-src-projects@freebsd.org Tue Dec 27 11:31:19 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3A303C93741 for ; Tue, 27 Dec 2016 11:31:19 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E48F61630; Tue, 27 Dec 2016 11:31:18 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBRBVI1R055878; Tue, 27 Dec 2016 11:31:18 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBRBVH8p055875; Tue, 27 Dec 2016 11:31:17 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612271131.uBRBVH8p055875@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Tue, 27 Dec 2016 11:31:17 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310632 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Dec 2016 11:31:19 -0000 Author: ae Date: Tue Dec 27 11:31:17 2016 New Revision: 310632 URL: https://svnweb.freebsd.org/changeset/base/310632 Log: INPCB SP cache can hold cached pointer to default security policy. Bump SPDB generation id each time, when default security policy is initialized. This will prevent access to invalid cached pointers, when ipsec.ko module loaded/unloaded several times. Modified: projects/ipsec/sys/netipsec/ipsec.c projects/ipsec/sys/netipsec/key.c projects/ipsec/sys/netipsec/key.h Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Tue Dec 27 10:26:58 2016 (r310631) +++ projects/ipsec/sys/netipsec/ipsec.c Tue Dec 27 11:31:17 2016 (r310632) @@ -1381,6 +1381,9 @@ def_policy_init(const void *unused __unu bzero(&V_def_policy, sizeof(struct secpolicy)); V_def_policy.policy = IPSEC_POLICY_NONE; V_def_policy.refcnt = 1; + + /* Force INPCB SP cache invalidation */ + key_bumpspgen(); } VNET_SYSINIT(def_policy_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, def_policy_init, NULL); Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Dec 27 10:26:58 2016 (r310631) +++ projects/ipsec/sys/netipsec/key.c Tue Dec 27 11:31:17 2016 (r310632) @@ -747,6 +747,13 @@ key_getspgen(void) return (V_sp_genid); } +void +key_bumpspgen(void) +{ + + V_sp_genid++; +} + static int key_checksockaddrs(struct sockaddr *src, struct sockaddr *dst) { Modified: projects/ipsec/sys/netipsec/key.h ============================================================================== --- projects/ipsec/sys/netipsec/key.h Tue Dec 27 10:26:58 2016 (r310631) +++ projects/ipsec/sys/netipsec/key.h Tue Dec 27 11:31:17 2016 (r310632) @@ -53,6 +53,7 @@ void key_addref(struct secpolicy *); void key_freesp(struct secpolicy **); int key_spdacquire(struct secpolicy *); int key_havesp(u_int); +void key_bumpspgen(void); uint32_t key_getspgen(void); uint32_t key_newreqid(void);