git: 91c35dd76508 - main - ipsec: extend vnet coverage in esp_input/output_cb

From: Mateusz Guzik <mjg_at_FreeBSD.org>
Date: Sat, 19 Feb 2022 13:11:16 UTC
The branch main has been updated by mjg:

URL: https://cgit.FreeBSD.org/src/commit/?id=91c35dd765087622cb0f2a03874bef18bc39d850

commit 91c35dd765087622cb0f2a03874bef18bc39d850
Author:     Mateusz Guzik <mjg@FreeBSD.org>
AuthorDate: 2022-02-17 16:50:13 +0000
Commit:     Mateusz Guzik <mjg@FreeBSD.org>
CommitDate: 2022-02-19 13:10:21 +0000

    ipsec: extend vnet coverage in esp_input/output_cb
    
    key_delsav used to conditionally dereference vnet, leading to panics as
    it was getting unset too early.
    
    While the particular condition was removed, it makes sense to handle all
    operations of the sort with correct vnet set so change it.
    
    Reviewed by:    ae
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D34313
---
 sys/netipsec/xform_esp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 7d489b69e9c2..ee363a7c911a 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -657,7 +657,6 @@ esp_input_cb(struct cryptop *crp)
 	CURVNET_RESTORE();
 	return error;
 bad:
-	CURVNET_RESTORE();
 	if (sav != NULL)
 		key_freesav(&sav);
 	if (m != NULL)
@@ -668,6 +667,7 @@ bad:
 		free(crp->crp_aad, M_ESP);
 		crypto_freereq(crp);
 	}
+	CURVNET_RESTORE();
 	return error;
 }
 /*
@@ -1043,12 +1043,12 @@ esp_output_cb(struct cryptop *crp)
 	CURVNET_RESTORE();
 	return (error);
 bad:
-	CURVNET_RESTORE();
 	free(xd, M_ESP);
 	free(crp->crp_aad, M_ESP);
 	crypto_freereq(crp);
 	key_freesav(&sav);
 	key_freesp(&sp);
+	CURVNET_RESTORE();
 	return (error);
 }