The crypto layer needs the kernel lock. ah_zeroize() takes it when

called from tdb_walk().  tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal.  First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@

diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c
index 25801a5..05b3987 100644 (file)
--- a/sys/netinet/ip_ipsp.c
+++ b/sys/netinet/ip_ipsp.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ip_ipsp.c,v 1.248 2021/10/25 18:25:01 bluhm Exp $     */
+/*     $OpenBSD: ip_ipsp.c,v 1.249 2021/10/27 16:58:44 bluhm Exp $     */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -540,6 +540,11 @@ tdb_walk(u_int rdomain, int (*walker)(struct tdb *, void *, int), void *arg)
        int i, rval = 0;
        struct tdb *tdbp, *next;
 
+       /*
+        * The walker may aquire the kernel lock.  Grab it here to keep
+        * the lock order.
+        */
+       KERNEL_LOCK();
        mtx_enter(&tdb_sadb_mtx);
        for (i = 0; i <= tdb_hashmask; i++) {
                for (tdbp = tdbh[i]; rval == 0 && tdbp != NULL; tdbp = next) {
@@ -555,6 +560,7 @@ tdb_walk(u_int rdomain, int (*walker)(struct tdb *, void *, int), void *arg)
                }
        }
        mtx_leave(&tdb_sadb_mtx);
+       KERNEL_UNLOCK();
 
        return rval;
 }