From owner-freebsd-bugs@FreeBSD.ORG Mon Apr 6 22:10:01 2009
Message-Id: <200904062200.n36M0Fud003742@drugs.dv.isc.org>
Date: Tue, 7 Apr 2009 08:00:15 +1000 (EST)
From: Mark Andrews
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/133445: Unbalanced kernel lock in src/sys/netinet/ip_output.c
Reply-To: Mark Andrews
List-Id: Bug reports

>Number: 133445
>Category: kern
>Synopsis: Unbalanced kernel lock in src/sys/netinet/ip_output.c
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Apr 06 22:10:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Mark Andrews
>Release: FreeBSD 6.4-STABLE i386
>Organization:
ISC
>Environment:
System: FreeBSD drugs.dv.isc.org 6.4-STABLE FreeBSD 6.4-STABLE #30: Mon Feb 9 12:22:29 EST 2009 marka@drugs.dv.isc.org:/usr/obj/usr/src/sys/DRUGS i386
>Description:
There is a missing INP_INFO_WUNLOCK(pcbinfo); before the final break; in this case statement. Looking at other code here it looks like INP_LOCK(inp); is supposed to be being set around the ipsec4_set_policy() call and isn't. I suspect a bad MFC.
Mark

$FreeBSD: src/sys/netinet/ip_output.c,v 1.242.2.20 2009/03/24 10:15:35 obrien Exp $

#if defined(IPSEC) || defined(FAST_IPSEC)
		case IP_IPSEC_POLICY:
		{
			caddr_t req;
			size_t len = 0;
			int priv;
			struct mbuf *m;
			int optname;

			if ((error = soopt_getm(sopt, &m)) != 0) /* XXX */
				break;
			if ((error = soopt_mcopyin(sopt, m)) != 0) /* XXX */
				break;
			priv = (sopt->sopt_td != NULL &&
				suser(sopt->sopt_td) != 0) ? 0 : 1;
			req = mtod(m, caddr_t);
			len = m->m_len;
			optname = sopt->sopt_name;
			INP_INFO_WLOCK(pcbinfo);
			if (so->so_pcb == NULL) {
				INP_INFO_WUNLOCK(pcbinfo);
				m_free(m);
				error = EINVAL;
				break;
			}
			error = ipsec4_set_policy(inp, optname, req, len, priv);
			m_freem(m);
			break;
		}
#endif /*IPSEC*/
>How-To-Repeat:
By inspection.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
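
The lock imbalance described in the report, as an added userspace model that is not part of the original message and is not FreeBSD code. Assumptions: a depth counter stands in for the pcbinfo write lock, set_policy() is a hypothetical stub for ipsec4_set_policy(), and each break is modelled as a return.

```c
/* Constructed userspace model of the IP_IPSEC_POLICY case; not FreeBSD code.
 * lock_depth models the pcbinfo lock, set_policy() stubs ipsec4_set_policy(). */
#include <errno.h>
#include <stdio.h>

static int lock_depth;	/* > 0: lock still held */
#define MODEL_WLOCK()	(lock_depth++)
#define MODEL_WUNLOCK()	(lock_depth--)
static int set_policy(const char *req) { return (req[0] != '\0' ? 0 : EINVAL); }

/* Control flow as posted: only the so_pcb == NULL path unlocks. */
static int setopt_as_posted(const void *so_pcb, const char *req)
{
	MODEL_WLOCK();
	if (so_pcb == NULL) {
		MODEL_WUNLOCK();
		return (EINVAL);
	}
	return (set_policy(req));	/* returns with the lock held */
}

/* Same flow with the unlock the report says is missing. */
static int setopt_balanced(const void *so_pcb, const char *req)
{
	int error;
	MODEL_WLOCK();
	if (so_pcb == NULL) {
		MODEL_WUNLOCK();
		return (EINVAL);
	}
	error = set_policy(req);
	MODEL_WUNLOCK();
	return (error);
}

/* Run one handler from a clean state; return how many locks it left held. */
static int leaked_after(int (*fn)(const void *, const char *),
    const void *so_pcb, const char *req)
{
	lock_depth = 0;
	(void)fn(so_pcb, req);
	return (lock_depth);
}

int main(void)
{
	int pcb = 1;	/* constructed non-NULL so_pcb */
	printf("as posted holds %d, balanced holds %d\n",
	    leaked_after(setopt_as_posted, &pcb, "p"),
	    leaked_after(setopt_balanced, &pcb, "p"));
	return (0);
}
```

Checking the held count on every exit path, including the one where the stubbed policy call fails, is what exposes the path that returns with the lock still taken.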