kern/133445: Unbalanced kernel lock in src/sys/netinet/ip_output.c
Mark Andrews
Mark_Andrews at isc.org
Mon Apr 6 15:10:02 PDT 2009
>Number: 133445
>Category: kern
>Synopsis: Unbalanced kernel lock in src/sys/netinet/ip_output.c
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Apr 06 22:10:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Mark Andrews
>Release: FreeBSD 6.4-STABLE i386
>Organization:
ISC
>Environment:
System: FreeBSD drugs.dv.isc.org 6.4-STABLE FreeBSD 6.4-STABLE #30: Mon Feb 9 12:22:29 EST 2009 marka at drugs.dv.isc.org:/usr/obj/usr/src/sys/DRUGS i386
>Description:
There is a missing INP_INFO_WUNLOCK(pcbinfo); before the
final break; in this case statement. Looking at other code
here it looks like INP_LOCK(inp); is supposed to be being
set around the ipsec4_set_policy() call and isn't. I suspect
a bad MFC.
Mark
$FreeBSD: src/sys/netinet/ip_output.c,v 1.242.2.20 2009/03/24 10:15:35 obrien Exp $
#if defined(IPSEC) || defined(FAST_IPSEC)
		case IP_IPSEC_POLICY:
		{
			caddr_t req;
			size_t len = 0;
			int priv;
			struct mbuf *m;
			int optname;

			if ((error = soopt_getm(sopt, &m)) != 0) /* XXX */
				break;
			if ((error = soopt_mcopyin(sopt, m)) != 0) /* XXX */
				break;
			priv = (sopt->sopt_td != NULL &&
				suser(sopt->sopt_td) != 0) ? 0 : 1;
			req = mtod(m, caddr_t);
			len = m->m_len;
			optname = sopt->sopt_name;
			INP_INFO_WLOCK(pcbinfo);
			if (so->so_pcb == NULL) {
				INP_INFO_WUNLOCK(pcbinfo);
				m_free(m);
				error = EINVAL;
				break;
			}
			error = ipsec4_set_policy(inp, optname, req, len, priv);
			m_freem(m);
			break;
		}
#endif /*IPSEC*/
>How-To-Repeat:
By inspection.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
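An added example, not part of this PR or of the FreeBSD source, that models the unbalanced lock the report describes with a constructed non-recursive lock and a hypothetical stand-in for ipsec4_set_policy(): the buggy shape leaks the write lock on the success path, so the next caller would block, while the fixed shape releases it on every exit.

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed stand-in for the INP_INFO (pcbinfo) write lock. Like rw_wlock it
 * is not recursive: a holder acquiring it again hangs; here it returns false. */
struct fake_lock { int held; };
static struct fake_lock pcbinfo_lock;

static bool wlock(struct fake_lock *l)
{
	if (l->held)
		return false;		/* would deadlock in the real kernel */
	l->held = 1;
	return true;
}
static void wunlock(struct fake_lock *l) { l->held = 0; }

/* Hypothetical stand-in for ipsec4_set_policy(); always succeeds here. */
static int set_policy_stub(void) { return 0; }

/* Same shape as the quoted case statement: the EINVAL path unlocks, but the
 * success path falls out of the case with pcbinfo still write-locked. */
static int ipsec_policy_buggy(bool have_pcb)
{
	if (!wlock(&pcbinfo_lock))
		return EDEADLK;
	if (!have_pcb) { wunlock(&pcbinfo_lock); return EINVAL; }
	return set_policy_stub();	/* BUG: no wunlock before the break */
}

/* Every exit path releases what it acquired. */
static int ipsec_policy_fixed(bool have_pcb)
{
	int error;
	if (!wlock(&pcbinfo_lock))
		return EDEADLK;
	if (!have_pcb) { wunlock(&pcbinfo_lock); return EINVAL; }
	error = set_policy_stub();
	wunlock(&pcbinfo_lock);
	return error;
}

/* Two back-to-back setsockopt(2)-style calls on a fresh lock; returns the
 * second caller's error, which is where the leaked lock shows up. */
static int second_call_result(int (*fn)(bool))
{
	pcbinfo_lock.held = 0;
	(void)fn(true);
	return fn(true);
}
```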