From 81d388785584799f1b4735fcf03e81b3b07e79a2 Mon Sep 17 00:00:00 2001
From: mpi <mpi@openbsd.org>
Date: Mon, 22 Dec 2014 11:05:53 +0000
Subject: [PATCH] Make sure rtrequest1(9) is called under splsoftnet().

---
 sys/net/if_mpe.c       |  9 ++++++---
 sys/netinet/ip_icmp.c  | 11 ++++++++++-
 sys/netinet6/icmp6.c   | 14 +++++++++++++-
 sys/netinet6/nd6.c     |  8 ++++----
 sys/netinet6/nd6_rtr.c |  4 ++--
 5 files changed, 35 insertions(+), 11 deletions(-)

diff --git a/sys/net/if_mpe.c b/sys/net/if_mpe.c
index c998efd4d64..ab5fc9555f3 100644
--- a/sys/net/if_mpe.c
+++ b/sys/net/if_mpe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_mpe.c,v 1.40 2014/12/19 17:14:39 tedu Exp $ */
+/* $OpenBSD: if_mpe.c,v 1.41 2014/12/22 11:05:53 mpi Exp $ */
 
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@spootnik.org>
@@ -265,13 +265,12 @@ out:
 int
 mpeioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
 {
-	int			 error;
 	struct mpe_softc	*ifm;
 	struct ifreq		*ifr;
 	struct shim_hdr		 shim;
+	int			 s, error = 0;
 
 	ifr = (struct ifreq *)data;
-	error = 0;
 	switch (cmd) {
 	case SIOCSIFADDR:
 		if (!ISSET(ifp->if_flags, IFF_UP))
@@ -319,12 +318,14 @@ mpeioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
 		if (error)
 			break;
 		ifm = ifp->if_softc;
+		s = splsoftnet();
 		if (ifm->sc_shim.shim_label) {
 			/* remove old MPLS route */
 			mpe_newlabel(ifp, RTM_DELETE, &ifm->sc_shim);
 		}
 		/* add new MPLS route */
 		error = mpe_newlabel(ifp, RTM_ADD, &shim);
+		splx(s);
 		if (error)
 			break;
 		ifm->sc_shim.shim_label = shim.shim_label;
@@ -335,7 +336,9 @@ mpeioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
 		if (ifr->ifr_rdomainid != ifp->if_rdomain) {
 			if (ifm->sc_shim.shim_label) {
 				shim.shim_label = ifm->sc_shim.shim_label;
+				s = splsoftnet();
 				error = mpe_newlabel(ifp, RTM_ADD, &shim);
+				splx(s);
 			}
 		}
 		/* return with ENOTTY so that the parent handler finishes */
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index d6ee15c9a17..640a2f1c374 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_icmp.c,v 1.128 2014/12/08 10:51:00 mpi Exp $	*/
+/*	$OpenBSD: ip_icmp.c,v 1.129 2014/12/22 11:05:53 mpi Exp $	*/
 /*	$NetBSD: ip_icmp.c,v 1.19 1996/02/13 23:42:22 christos Exp $	*/
 
 /*
@@ -1026,11 +1026,13 @@ icmp_mtudisc_timeout(struct rtentry *rt, struct rttimer *r)
 {
 	if (rt == NULL)
 		panic("icmp_mtudisc_timeout:  bad route to timeout");
+
 	if ((rt->rt_flags & (RTF_DYNAMIC | RTF_HOST)) ==
 	    (RTF_DYNAMIC | RTF_HOST)) {
 		void *(*ctlfunc)(int, struct sockaddr *, u_int, void *);
 		struct sockaddr_in sa;
 		struct rt_addrinfo info;
+		int s;
 
 		memset(&info, 0, sizeof(info));
 		info.rti_info[RTAX_DST] = rt_key(rt);
@@ -1039,6 +1041,8 @@ icmp_mtudisc_timeout(struct rtentry *rt, struct rttimer *r)
 		info.rti_flags = rt->rt_flags;   
 
 		sa = *(struct sockaddr_in *)rt_key(rt);
+
+		s = splsoftnet();
 		rtrequest1(RTM_DELETE, &info, rt->rt_priority, NULL,
 		    r->rtt_tableid);
 
@@ -1047,6 +1051,7 @@ icmp_mtudisc_timeout(struct rtentry *rt, struct rttimer *r)
 		if (ctlfunc)
 			(*ctlfunc)(PRC_MTUINC,(struct sockaddr *)&sa,
 			    r->rtt_tableid, NULL);
+		splx(s);
 	} else
 		if ((rt->rt_rmx.rmx_locks & RTV_MTU) == 0)
 			rt->rt_rmx.rmx_mtu = 0;
@@ -1075,9 +1080,11 @@ icmp_redirect_timeout(struct rtentry *rt, struct rttimer *r)
 {
 	if (rt == NULL)
 		panic("icmp_redirect_timeout:  bad route to timeout");
+
 	if ((rt->rt_flags & (RTF_DYNAMIC | RTF_HOST)) ==
 	    (RTF_DYNAMIC | RTF_HOST)) {
 		struct rt_addrinfo info;
+		int s;
 
 		memset(&info, 0, sizeof(info));
 		info.rti_info[RTAX_DST] = rt_key(rt);
@@ -1085,8 +1092,10 @@ icmp_redirect_timeout(struct rtentry *rt, struct rttimer *r)
 		info.rti_info[RTAX_GATEWAY] = rt->rt_gateway;
 		info.rti_flags = rt->rt_flags;   
 
+		s = splsoftnet();
 		rtrequest1(RTM_DELETE, &info, rt->rt_priority, NULL, 
 		    r->rtt_tableid);
+		splx(s);
 	}
 }
 
diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c
index 1bf0b5ffffc..0dcec2615a9 100644
--- a/sys/netinet6/icmp6.c
+++ b/sys/netinet6/icmp6.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: icmp6.c,v 1.151 2014/12/05 15:50:04 mpi Exp $	*/
+/*	$OpenBSD: icmp6.c,v 1.152 2014/12/22 11:05:53 mpi Exp $	*/
 /*	$KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $	*/
 
 /*
@@ -1948,13 +1948,17 @@ icmp6_mtudisc_clone(struct sockaddr *dst, u_int rdomain)
 	if ((rt->rt_flags & RTF_HOST) == 0) {
 		struct rt_addrinfo info;
 		struct rtentry *nrt;
+		int s;
 
 		bzero(&info, sizeof(info));
 		info.rti_flags = RTF_GATEWAY | RTF_HOST | RTF_DYNAMIC;
 		info.rti_info[RTAX_DST] = dst;
 		info.rti_info[RTAX_GATEWAY] = rt->rt_gateway;
+
+		s = splsoftnet();
 		error = rtrequest1(RTM_ADD, &info, rt->rt_priority, &nrt,
 		    rdomain);
+		splx(s);
 		if (error) {
 			rtfree(rt);
 			return NULL;
@@ -1981,14 +1985,18 @@ icmp6_mtudisc_timeout(struct rtentry *rt, struct rttimer *r)
 	if ((rt->rt_flags & (RTF_DYNAMIC | RTF_HOST)) ==
 	    (RTF_DYNAMIC | RTF_HOST)) {
 		struct rt_addrinfo info;
+		int s;
 
 		bzero(&info, sizeof(info));
 		info.rti_flags = rt->rt_flags;
 		info.rti_info[RTAX_DST] = rt_key(rt);
 		info.rti_info[RTAX_GATEWAY] = rt->rt_gateway;
 		info.rti_info[RTAX_NETMASK] = rt_mask(rt);
+
+		s = splsoftnet();
 		rtrequest1(RTM_DELETE, &info, rt->rt_priority, NULL,
 		    r->rtt_tableid);
+		splx(s);
 	} else {
 		if (!(rt->rt_rmx.rmx_locks & RTV_MTU))
 			rt->rt_rmx.rmx_mtu = 0;
@@ -2003,14 +2011,18 @@ icmp6_redirect_timeout(struct rtentry *rt, struct rttimer *r)
 	if ((rt->rt_flags & (RTF_GATEWAY | RTF_DYNAMIC | RTF_HOST)) ==
 	    (RTF_GATEWAY | RTF_DYNAMIC | RTF_HOST)) {
 		struct rt_addrinfo info;
+		int s;
 
 		bzero(&info, sizeof(info));
 		info.rti_flags = rt->rt_flags;
 		info.rti_info[RTAX_DST] = rt_key(rt);
 		info.rti_info[RTAX_GATEWAY] = rt->rt_gateway;
 		info.rti_info[RTAX_NETMASK] = rt_mask(rt);
+
+		s = splsoftnet();
 		rtrequest1(RTM_DELETE, &info, rt->rt_priority, NULL,
 		    r->rtt_tableid);
+		splx(s);
 	}
 }
 
diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c
index 529f077fbbf..7cb3cbd40fa 100644
--- a/sys/netinet6/nd6.c
+++ b/sys/netinet6/nd6.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: nd6.c,v 1.127 2014/11/20 13:54:24 mpi Exp $	*/
+/*	$OpenBSD: nd6.c,v 1.128 2014/12/22 11:05:53 mpi Exp $	*/
 /*	$KAME: nd6.c,v 1.280 2002/06/08 19:52:07 itojun Exp $	*/
 
 /*
@@ -803,15 +803,15 @@ nd6_free(struct rtentry *rt, int gc)
 	struct llinfo_nd6 *ln = (struct llinfo_nd6 *)rt->rt_llinfo, *next;
 	struct in6_addr in6 = satosin6(rt_key(rt))->sin6_addr;
 	struct nd_defrouter *dr;
+	int s;
 
 	/*
 	 * we used to have pfctlinput(PRC_HOSTDEAD) here.
 	 * even though it is not harmful, it was not really necessary.
 	 */
 
+	s = splsoftnet();
 	if (!ip6_forwarding) {
-		int s;
-		s = splsoftnet();
 		dr = defrouter_lookup(&satosin6(rt_key(rt))->sin6_addr,
 		    rt->rt_ifp);
 
@@ -876,7 +876,6 @@ nd6_free(struct rtentry *rt, int gc)
 			 */
 			defrouter_select();
 		}
-		splx(s);
 	}
 
 	/*
@@ -897,6 +896,7 @@ nd6_free(struct rtentry *rt, int gc)
 	info.rti_info[RTAX_NETMASK] = rt_mask(rt);
 	rtrequest1(RTM_DELETE, &info, rt->rt_priority, NULL,
 	    rt->rt_ifp->if_rdomain);
+	splx(s);
 
 	return (next);
 }
diff --git a/sys/netinet6/nd6_rtr.c b/sys/netinet6/nd6_rtr.c
index 0494cc08814..c77c9cbbdec 100644
--- a/sys/netinet6/nd6_rtr.c
+++ b/sys/netinet6/nd6_rtr.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: nd6_rtr.c,v 1.94 2014/12/17 09:57:13 mpi Exp $	*/
+/*	$OpenBSD: nd6_rtr.c,v 1.95 2014/12/22 11:05:53 mpi Exp $	*/
 /*	$KAME: nd6_rtr.c,v 1.97 2001/02/07 11:09:13 itojun Exp $	*/
 
 /*
@@ -1121,11 +1121,11 @@ prelist_remove(struct nd_prefix *pr)
 		log(LOG_WARNING, "prelist_remove: negative count on %s\n",
 		    pr->ndpr_ifp->if_xname);
 	}
-	splx(s);
 
 	free(pr, M_IP6NDP, 0);
 
 	pfxlist_onlink_check();
+	splx(s);
 }
 
 /*
-- 
2.20.1