fix locking within tcp_ipsec_pcbctl() to match ipsec4_pcbctl(), ipsec4_pcbctl()

IPSEC_PCBCTL() functions, which include tcp_ipsec_pcbctl(),
ipsec4_pcbctl(), and ipsec6_pcbctl(), should all have matching locking
semantics.

ipsec4_pcbctl() and ipsec6_pcbctl() expect the inp to be unlocked on
entry and exit and appear to be correctly implemented as such. But
tcp_ipsec_pcbctl() had other semantics. This patch fixes the semantics
for tcp_ipsec_pcbctl().

Submitted by:	Jason Eggleston <jason@eggnet.com>
MFH:		2 weeks
Sponsored by:	Limelight Networks
Differential Revision:	https://reviews.freebsd.org/D14623

1 files changed, 9 insertions, 7 deletions

diff --git a/sys/netipsec/xform_tcp.c b/sys/netipsec/xform_tcp.c
index 21eeb7483b265..b4979182b4707 100644
--- a/sys/netipsec/xform_tcp.c
+++ b/sys/netipsec/xform_tcp.c
@@ -80,23 +80,24 @@ tcp_ipsec_pcbctl(struct inpcb *inp, struct sockopt *sopt)
 	struct tcpcb *tp;
 	int error, optval;
 
-	INP_WLOCK_ASSERT(inp);
 	if (sopt->sopt_name != TCP_MD5SIG) {
-		INP_WUNLOCK(inp);
 		return (ENOPROTOOPT);
 	}
 
-	tp = intotcpcb(inp);
 	if (sopt->sopt_dir == SOPT_GET) {
+		INP_RLOCK(inp);
+		if (inp->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) {
+			INP_RUNLOCK(inp);
+			return (ECONNRESET);
+		}
+		tp = intotcpcb(inp);
 		optval = (tp->t_flags & TF_SIGNATURE) ? 1 : 0;
-		INP_WUNLOCK(inp);
+		INP_RUNLOCK(inp);
 
 		/* On success return with released INP_WLOCK */
 		return (sooptcopyout(sopt, &optval, sizeof(optval)));
 	}
 
-	INP_WUNLOCK(inp);
-
 	error = sooptcopyin(sopt, &optval, sizeof(optval), sizeof(optval));
 	if (error != 0)
 		return (error);
@@ -107,12 +108,13 @@ tcp_ipsec_pcbctl(struct inpcb *inp, struct sockopt *sopt)
 		INP_WUNLOCK(inp);
 		return (ECONNRESET);
 	}
+	tp = intotcpcb(inp);
 	if (optval > 0)
 		tp->t_flags |= TF_SIGNATURE;
 	else
 		tp->t_flags &= ~TF_SIGNATURE;
 
-	/* On success return with acquired INP_WLOCK */
+	INP_WUNLOCK(inp);
 	return (error);
 }