Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: David Gwynne (dlgcvs.openbsd.org)
Date: Thu Sep 03 2009 - 02:47:27 CDT
Module name: src
Changes by: dlgcvs.openbsd.org 2009/09/03 01:47:27
sys/crypto : crypto.c cryptodev.h
crypto hardware (eg, hifn) establishes its interrupt handler at
IPL_NET. when the hardware finishes some work for the crypto subsystem
and therefore something in the kernel that wanted crypto done, it
calls crypto_done from that interrupt handler.
one of the things that uses crypto is ipsec. when crypto is done
for ipsec it then pushes the packet along the network stack. the
problem is that all the structures inside the network stack are
only protected at splsoftnet. we could be in the middle of modifications
to the pf state table or the pfsync queues when we get a hifn
interrupt and then go stomp on the same structures.
the solution is to defer the completions so they can do the right
this basically reverts r1.46 of src/sys/crypto/crypto.c.
found by naddy