diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c --- a/sys/netipsec/ipsec_input.c +++ b/sys/netipsec/ipsec_input.c @@ -367,6 +367,11 @@ (prot == IPPROTO_UDP || prot == IPPROTO_TCP)) udp_ipsec_adjust_cksum(m, sav, prot, skip); + /* + * Needed for ipsec_run_hooks and netisr_queue_src + */ + NET_EPOCH_ENTER(et); + IPSEC_INIT_CTX(&ctx, &m, NULL, sav, AF_INET, IPSEC_ENC_BEFORE); if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) goto bad; @@ -466,18 +471,18 @@ if (saidx->mode == IPSEC_MODE_TUNNEL) error = ipsec_if_input(m, sav, af); if (error == 0) { - NET_EPOCH_ENTER(et); error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m); - NET_EPOCH_EXIT(et); if (error) { IPSEC_ISTAT(sproto, qfull); DPRINTF(("%s: queue full; proto %u packet dropped\n", __func__, sproto)); } } + NET_EPOCH_EXIT(et); key_freesav(&sav); return (error); bad: + NET_EPOCH_EXIT(et); key_freesav(&sav); if (m != NULL) m_freem(m); @@ -560,6 +565,8 @@ sproto == IPPROTO_IPCOMP, ("unexpected security protocol %u", sproto)); + NET_EPOCH_ENTER(et); + /* Fix IPv6 header */ if (m->m_len < sizeof(struct ip6_hdr) && (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { @@ -690,12 +697,11 @@ */ nest = 0; nxt = nxt8; - NET_EPOCH_ENTER(et); while (nxt != IPPROTO_DONE) { if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) { IP6STAT_INC(ip6s_toomanyhdr); error = EINVAL; - goto bad_epoch; + goto bad; } /* @@ -706,7 +712,7 @@ IP6STAT_INC(ip6s_tooshort); in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); error = EINVAL; - goto bad_epoch; + goto bad; } /* * Enforce IPsec policy checking if we are seeing last header. @@ -716,16 +722,15 @@ if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && ipsec6_in_reject(m, NULL)) { error = EINVAL; - goto bad_epoch; + goto bad; } nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt); } NET_EPOCH_EXIT(et); key_freesav(&sav); return (0); -bad_epoch: - NET_EPOCH_EXIT(et); bad: + NET_EPOCH_EXIT(et); key_freesav(&sav); if (m) m_freem(m);