Fix assertion for write netlock in rip6_input(). ip6_input() has

shared net lock.  ip_deliver() needs exclusive net lock.  Instead
of calling ip_deliver() directly, use ip6_ours() to queue the packet.
Move the write lock assertion into ip_deliver() to catch such bugs
earlier.
The assertion was only triggered with IPv6 multicast forwarding or
router alert hop by hop option.  Found by regress test.
OK kn@ mvs@

diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index e4b18ee..081ed00 100644 (file)
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ip_input.c,v 1.372 2022/06/29 09:01:48 mvs Exp $      */
+/*     $OpenBSD: ip_input.c,v 1.373 2022/07/24 22:38:25 bluhm Exp $    */
 /*     $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $   */
 
 /*
@@ -556,8 +556,6 @@ ip_local(struct mbuf **mp, int *offp, int nxt, int af)
        struct ipqent *ipqe;
        int mff, hlen;
 
-       NET_ASSERT_WLOCKED();
-
        hlen = ip->ip_hl << 2;
 
        /*
@@ -674,6 +672,8 @@ ip_deliver(struct mbuf **mp, int *offp, int nxt, int af)
        int nest = 0;
 #endif /* INET6 */
 
+       NET_ASSERT_WLOCKED();
+
        /* pf might have modified stuff, might have to chksum */
        switch (af) {
        case AF_INET:

diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 2fa6349..7f3b8a6 100644 (file)
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ip6_input.c,v 1.248 2022/06/29 22:45:24 bluhm Exp $   */
+/*     $OpenBSD: ip6_input.c,v 1.249 2022/07/24 22:38:25 bluhm Exp $   */
 /*     $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $     */
 
 /*
@@ -448,8 +448,7 @@ ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp)
 
                        if (ours) {
                                if (af == AF_UNSPEC)
-                                       nxt = ip_deliver(mp, offp, nxt,
-                                           AF_INET6);
+                                       nxt = ip6_ours(mp, offp, nxt, af);
                                goto out;
                        }
                        goto bad;
@@ -550,7 +549,7 @@ ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp)
 
        if (ours) {
                if (af == AF_UNSPEC)
-                       nxt = ip_deliver(mp, offp, nxt, AF_INET6);
+                       nxt = ip6_ours(mp, offp, nxt, af);
                goto out;
        }
 
@@ -584,8 +583,6 @@ ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp)
 int
 ip6_local(struct mbuf **mp, int *offp, int nxt, int af)
 {
-       NET_ASSERT_WLOCKED();
-
        nxt = ip6_hbhchcheck(mp, offp, NULL);
        if (nxt == IPPROTO_DONE)
                return IPPROTO_DONE;