From: Vitaliy Makkoveev <mvs@openbsd.org>
Subject: sysctl: move IPCTL_SOURCEROUTE out of netlock
To: Alexander Bluhm <bluhm@openbsd.org>, tech@openbsd.org
Date: Fri, 9 May 2025 15:19:51 +0300

Atomically accessed integer. sysctl_securelevel_int() is mp-safe.

Index: sys/netinet/ip_input.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_input.c,v
retrieving revision 1.406
diff -u -p -r1.406 ip_input.c
--- sys/netinet/ip_input.c	9 May 2025 14:43:47 -0000	1.406
+++ sys/netinet/ip_input.c	9 May 2025 20:16:49 -0000
@@ -95,7 +95,7 @@ int	ip_forwarding = 0;			/* [a] */
 int	ipmforwarding = 0;
 int	ipmultipath = 0;
 int	ip_sendredirects = 1;			/* [a] */
-int	ip_dosourceroute = 0;
+int	ip_dosourceroute = 0;			/* [a] */
 int	ip_defttl = IPDEFTTL;
 int	ip_mtudisc = 1;
 int	ip_mtudisc_timeout = IPMTUDISCTIMEOUT;
@@ -1241,7 +1241,7 @@ ip_dooptions(struct mbuf *m, struct ifne
 		 */
 		case IPOPT_LSRR:
 		case IPOPT_SSRR:
-			if (!ip_dosourceroute) {
+			if (atomic_load_int(&ip_dosourceroute) == 0) {
 				type = ICMP_UNREACH;
 				code = ICMP_UNREACH_SRCFAIL;
 				goto bad;
@@ -1463,7 +1463,7 @@ ip_srcroute(struct mbuf *m0)
 	struct ip_srcrt *isr;
 	struct m_tag *mtag;
 
-	if (!ip_dosourceroute)
+	if (atomic_load_int(&ip_dosourceroute) == 0)
 		return (NULL);
 
 	mtag = m_tag_find(m0, PACKET_TAG_SRCROUTE, NULL);
@@ -1736,11 +1736,8 @@ ip_sysctl(int *name, u_int namelen, void
 
 	switch (name[0]) {
 	case IPCTL_SOURCEROUTE:
-		NET_LOCK();
-		error = sysctl_securelevel_int(oldp, oldlenp, newp, newlen,
-		    &ip_dosourceroute);
-		NET_UNLOCK();
-		return (error);
+		return (sysctl_securelevel_int(oldp, oldlenp, newp, newlen,
+		    &ip_dosourceroute));
 	case IPCTL_MTUDISC:
 		NET_LOCK();
 		error = sysctl_int(oldp, oldlenp, newp, newlen, &ip_mtudisc);