Netlock should be grabbed before pppx_if_find() call in pppxwrite().

Otherwise this `pxi' can be killed by concurrent thread after context
switch caused by following netlock.

ok yasuoka@

diff --git a/sys/net/if_pppx.c b/sys/net/if_pppx.c
index 75be8ff..4280558 100644 (file)
--- a/sys/net/if_pppx.c
+++ b/sys/net/if_pppx.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: if_pppx.c,v 1.107 2021/02/01 07:44:58 mvs Exp $ */
+/*     $OpenBSD: if_pppx.c,v 1.108 2021/02/01 07:46:55 mvs Exp $ */
 
 /*
  * Copyright (c) 2010 Claudio Jeker <claudio@openbsd.org>
@@ -371,8 +371,12 @@ pppxwrite(dev_t dev, struct uio *uio, int ioflag)
        /* Find the interface */
        th = mtod(top, struct pppx_hdr *);
        m_adj(top, sizeof(struct pppx_hdr));
+
+       NET_LOCK();
+
        pxi = pppx_if_find(pxd, th->pppx_id, th->pppx_proto);
        if (pxi == NULL) {
+               NET_UNLOCK();
                m_freem(top);
                return (EINVAL);
        }
@@ -386,8 +390,6 @@ pppxwrite(dev_t dev, struct uio *uio, int ioflag)
        proto = ntohl(*(uint32_t *)(th + 1));
        m_adj(top, sizeof(uint32_t));
 
-       NET_LOCK();
-
        switch (proto) {
        case AF_INET:
                ipv4_input(&pxi->pxi_if, top);