From: bluhm Date: Fri, 17 Jun 2022 13:40:21 +0000 (+0000) Subject: The timeout for ipsec acquire does not decrement the reference X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=2866e11049fcdea483901c93e12803c8c392d0b2;p=openbsd The timeout for ipsec acquire does not decrement the reference counter to 0 properly. We have one reference count for the lists, and one for the timeout handler. When the timout fires, it has to decrement the reference to itself. Then the ipa is removed from the lists and decremented again. from Stefan Butz; OK tobhe@ mvs@ --- diff --git a/sys/netinet/ip_spd.c b/sys/netinet/ip_spd.c index 625dc2f58c8..48cfb042da1 100644 --- a/sys/netinet/ip_spd.c +++ b/sys/netinet/ip_spd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_spd.c,v 1.116 2022/05/04 15:29:58 bluhm Exp $ */ +/* $OpenBSD: ip_spd.c,v 1.117 2022/06/17 13:40:21 bluhm Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) * @@ -714,7 +714,10 @@ ipsp_delete_acquire_timer(void *v) { struct ipsec_acquire *ipa = v; - ipsp_delete_acquire(ipa); + mtx_enter(&ipsec_acquire_mtx); + refcnt_rele(&ipa->ipa_refcnt); + ipsp_delete_acquire_locked(ipa); + mtx_leave(&ipsec_acquire_mtx); } /*