Source-Changes archive


CVS commit: src/sys



Module Name:    src
Committed By:   ozaki-r
Date:           Wed Aug  2 01:28:03 UTC 2017

Modified Files:
        src/sys/netinet6: ip6_forward.c ip6_output.c
        src/sys/netipsec: ipsec.c ipsec.h key.c key.h xform_ah.c xform_esp.c
            xform_ipcomp.c
        src/sys/rump/librump/rumpnet: net_stub.c

Log Message:
Make IPsec SPD MP-safe

We use localcount(9), not psref(9), to make the sptree and secpolicy (SP)
entries MP-safe because SPs need to be referenced over opencrypto
processing that executes a callback in a different context.

SPs on sockets aren't managed by the sptree and can be destroyed in softint.
localcount_drain cannot be used in softint so we delay the destruction of
such SPs to a thread context. To do so, a list to manage such SPs is added
(key_socksplist) and key_timehandler_spd deletes dead SPs in the list.

For more details please read the locking notes in key.c.

Proposed on tech-kern@ and tech-net@


To generate a diff of this commit:
cvs rdiff -u -r1.87 -r1.88 src/sys/netinet6/ip6_forward.c
cvs rdiff -u -r1.192 -r1.193 src/sys/netinet6/ip6_output.c
cvs rdiff -u -r1.112 -r1.113 src/sys/netipsec/ipsec.c
cvs rdiff -u -r1.57 -r1.58 src/sys/netipsec/ipsec.h
cvs rdiff -u -r1.196 -r1.197 src/sys/netipsec/key.c
cvs rdiff -u -r1.25 -r1.26 src/sys/netipsec/key.h
cvs rdiff -u -r1.69 -r1.70 src/sys/netipsec/xform_ah.c
cvs rdiff -u -r1.67 -r1.68 src/sys/netipsec/xform_esp.c
cvs rdiff -u -r1.48 -r1.49 src/sys/netipsec/xform_ipcomp.c
cvs rdiff -u -r1.26 -r1.27 src/sys/rump/librump/rumpnet/net_stub.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
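
The deferred destruction described in the log message, as an added user-space example that is not part of the commit or of NetBSD's source: an SP dropped in softint is only marked dead, and a thread-context reaper frees it once no references remain. All function and type names are hypothetical, and where localcount_drain would wait for references to go away, this single-threaded model skips the entry and retries on the next pass.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model only. Every name below is hypothetical, not NetBSD code. */
enum ctx { CTX_THREAD, CTX_SOFTINT };
struct sp {
    int refs;        /* stand-in for the localcount(9) reference count */
    bool dead;       /* set once the owning socket has dropped the SP */
    struct sp *next; /* link on the list of socket SPs */
};
static struct sp *socksplist; /* plays the role of key_socksplist */

struct sp *sp_alloc(void) {
    struct sp *sp = calloc(1, sizeof(*sp));
    if (sp != NULL) { sp->next = socksplist; socksplist = sp; }
    return sp;
}
void sp_ref(struct sp *sp)   { sp->refs++; } /* e.g. crypto request starts */
void sp_unref(struct sp *sp) { sp->refs--; } /* e.g. crypto callback ends */

/* Safe in softint: never waits, never frees, only marks the SP dead. */
void sp_socket_release(struct sp *sp) { sp->dead = true; }

/* Plays the role of key_timehandler_spd. Returns SPs freed, -1 if refused. */
int sp_reap(enum ctx c) {
    if (c != CTX_THREAD)
        return -1; /* waiting for references is not allowed in softint */
    int freed = 0;
    for (struct sp **pp = &socksplist; *pp != NULL; ) {
        struct sp *sp = *pp;
        if (!sp->dead || sp->refs != 0) { pp = &sp->next; continue; }
        *pp = sp->next; /* unlink, then free: nobody can reach it now */
        free(sp);
        freed++;
    }
    return freed;
}

int main(void) {
    struct sp *sp = sp_alloc();
    if (sp == NULL) return 1;
    sp_ref(sp);            /* reference held across a crypto callback */
    sp_socket_release(sp); /* socket torn down in softint */
    printf("reap while referenced: %d\n", sp_reap(CTX_THREAD));
    sp_unref(sp);
    printf("reap after release: %d\n", sp_reap(CTX_THREAD));
    return 0;
}
```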



