From 2866e11049fcdea483901c93e12803c8c392d0b2 Mon Sep 17 00:00:00 2001
From: bluhm
Date: Fri, 17 Jun 2022 13:40:21 +0000
Subject: [PATCH] The timeout for ipsec acquire does not decrement the reference counter to 0 properly. We have one reference count for the lists, and one for the timeout handler. When the timout fires, it has to decrement the reference to itself. Then the ipa is removed from the lists and decremented again. from Stefan Butz; OK tobhe@ mvs@
---
 sys/netinet/ip_spd.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/sys/netinet/ip_spd.c b/sys/netinet/ip_spd.c
index 625dc2f58c8..48cfb042da1 100644
--- a/sys/netinet/ip_spd.c
+++ b/sys/netinet/ip_spd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_spd.c,v 1.116 2022/05/04 15:29:58 bluhm Exp $ */
+/* $OpenBSD: ip_spd.c,v 1.117 2022/06/17 13:40:21 bluhm Exp $ */
 /*
 * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
 *
@@ -714,7 +714,10 @@ ipsp_delete_acquire_timer(void *v)
 {
 struct ipsec_acquire *ipa = v;
- ipsp_delete_acquire(ipa);
+ mtx_enter(&ipsec_acquire_mtx);
+ refcnt_rele(&ipa->ipa_refcnt);
+ ipsp_delete_acquire_locked(ipa);
+ mtx_leave(&ipsec_acquire_mtx);
 }
 /*
--
2.20.1
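Review bot: The new `refcnt_rele(&ipa->ipa_refcnt);` in ipsp_delete_acquire_timer() discards its result and has no comment saying which reference it drops, so next to the release done via ipsp_delete_acquire_locked() it reads like a double release. A comment on that line would carry the ownership rule from the commit message into the code, e.g. `/* drop the timeout's own reference; the list reference goes in ipsp_delete_acquire_locked() */`. The sequence is only safe if the list reference is still held when the handler gets ipsec_acquire_mtx. That cannot be confirmed here, because ipsp_delete_acquire_locked() and the non-timer delete path are outside the hunk, and the function's signature appears only in the hunk header. If another path can unlink the ipa while the handler waits on the mutex, this release would be the last one and the following call would touch an object whose count is already zero. It is worth confirming that the timeout is cancelled under the same mutex, or checking the return value of refcnt_rele() here.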