On Fri, Apr 21, 2023 at 02:18:54PM +0300, Vitaliy Makkoveev wrote:
> It does read-only access to netlock protected data, so the radix tree
> will not be modified during spd_table_walk() run.
>
> The second spd_table_walk() call in PF_KEY layer can't be performed with
> shared netlock, because pfkeyv2_policy_flush() modifies tree and the
> following tdb_walk() requires exclusive netlock.

Could you change NET_ASSERT_LOCKED in spd_table_add() and ipsec_delete_policy() to NET_ASSERT_LOCKED_EXCLUSIVE? These are the corresponding functions to make spd_table_walk() safe with shared netlock.

> ok?

With that OK bluhm@

> Index: sys/net/pfkeyv2.c > =================================================================== > RCS file: /cvs/src/sys/net/pfkeyv2.c,v > retrieving revision 1.255 > diff -u -p -r1.255 pfkeyv2.c > --- sys/net/pfkeyv2.c 8 Jan 2023 10:26:36 -0000 1.255 > +++ sys/net/pfkeyv2.c 21 Apr 2023 11:08:13 -0000 > @@ -2711,10 +2711,10 @@ pfkeyv2_sysctl(int *name, u_int namelen, > break; > > case NET_KEY_SPD_DUMP: > - NET_LOCK(); > + NET_LOCK_SHARED(); > error = spd_table_walk(rdomain, > pfkeyv2_sysctl_policydumper, &w); > - NET_UNLOCK(); > + NET_UNLOCK_SHARED(); > if (oldp) > *oldlenp = w.w_where - oldp; > else
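
Review bot: In the NET_KEY_SPD_DUMP case of pfkeyv2_sysctl(), the walk now runs under NET_LOCK_SHARED(), but nothing in the hunk documents or enforces the assumption that makes this safe: the callback must only read policy data and write only to the caller-private `w`, and every writer of the tree must hold the netlock exclusively. A short comment above the spd_table_walk() call stating that pfkeyv2_sysctl_policydumper is read-only with respect to the SPD would keep a later change to the callback from silently breaking the locking. The change should also land together with the NET_ASSERT_LOCKED_EXCLUSIVE assertions in spd_table_add() and ipsec_delete_policy() requested in the reply, so that a writer entered with only the shared lock trips an assertion instead of racing this walk.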