move ipsec security policy allocation into in_pcballoc, before

making pcbs available to the outside world.  otherwise, we will see
inpcb without ipsec security policy attached (-> panic() in ipsec.c).

Obtained from:	KAME
MFC after:	3 days

sys/netinet/in_pcb.c

@@ -142,6 +142,9 @@ in_pcballoc(so, pcbinfo, p)
 	struct proc *p;
 {
 	register struct inpcb *inp;
+#ifdef IPSEC
+	int error;
+#endif
 
 	inp = zalloc(pcbinfo->ipi_zone);
 	if (inp == NULL)
@@ -150,6 +153,13 @@ in_pcballoc(so, pcbinfo, p)
 	inp->inp_gencnt = ++pcbinfo->ipi_gencnt;
 	inp->inp_pcbinfo = pcbinfo;
 	inp->inp_socket = so;
+#ifdef IPSEC
+	error = ipsec_init_policy(so, &inp->inp_sp);
+	if (error != 0) {
+		zfree(pcbinfo->ipi_zone, inp);
+		return error;
+	}
+#endif /*IPSEC*/
 #if defined(INET6)
 	if (INP_SOCKAF(so) == AF_INET6 && !ip6_mapped_addr_on)
 		inp->inp_flags |= IN6P_IPV6_V6ONLY;

sys/netinet/ip_divert.c

@@ -361,13 +361,6 @@ div_attach(struct socket *so, int proto, struct proc *p)
 	/* The socket is always "connected" because
 	   we always know "where" to send the packet */
 	so->so_state |= SS_ISCONNECTED;
-#ifdef IPSEC
-	error = ipsec_init_policy(so, &inp->inp_sp);
-	if (error != 0) {
-		in_pcbdetach(inp);
-		return error;
-	}
-#endif /*IPSEC*/
 	return 0;
 }
 

sys/netinet/raw_ip.c

@@ -483,13 +483,6 @@ rip_attach(struct socket *so, int proto, struct proc *p)
 	inp->inp_vflag |= INP_IPV4;
 	inp->inp_ip_p = proto;
 	inp->inp_ip_ttl = ip_defttl;
-#ifdef IPSEC
-	error = ipsec_init_policy(so, &inp->inp_sp);
-	if (error != 0) {
-		in_pcbdetach(inp);
-		return error;
-	}
-#endif /*IPSEC*/
 	return 0;
 }
 

sys/netinet/tcp_usrreq.c

@@ -1028,18 +1028,6 @@ tcp_attach(so, p)
 	if (error)
 		return (error);
 	inp = sotoinpcb(so);
-#ifdef IPSEC
-	error = ipsec_init_policy(so, &inp->inp_sp);
-	if (error) {
-#ifdef INET6
-		if (isipv6)
-			in6_pcbdetach(inp);
-		else
-#endif
-		in_pcbdetach(inp);
-		return (error);
-	}
-#endif /*IPSEC*/
 #ifdef INET6
 	if (isipv6) {
 		inp->inp_vflag |= INP_IPV6;

sys/netinet/udp_usrreq.c

@@ -821,13 +821,6 @@ udp_attach(struct socket *so, int proto, struct proc *p)
 	inp = (struct inpcb *)so->so_pcb;
 	inp->inp_vflag |= INP_IPV4;
 	inp->inp_ip_ttl = ip_defttl;
-#ifdef IPSEC
-	error = ipsec_init_policy(so, &inp->inp_sp);
-	if (error != 0) {
-		in_pcbdetach(inp);
-		return error;
-	}
-#endif /*IPSEC*/
 	return 0;
 }
 

sys/netinet6/raw_ip6.c

@@ -567,13 +567,6 @@ rip6_attach(struct socket *so, int proto, struct proc *p)
 	inp->in6p_ip6_nxt = (long)proto;
 	inp->in6p_hops = -1;	/* use kernel default */
 	inp->in6p_cksum = -1;
-#ifdef IPSEC
-	error = ipsec_init_policy(so, &inp->in6p_sp);
-	if (error != 0) {
-		in6_pcbdetach(inp);
-		return (error);
-	}
-#endif /*IPSEC*/
 	MALLOC(inp->in6p_icmp6filt, struct icmp6_filter *,
 	       sizeof(struct icmp6_filter), M_PCB, M_NOWAIT);
 	ICMP6_FILTER_SETPASSALL(inp->in6p_icmp6filt);

sys/netinet6/udp6_usrreq.c

@@ -553,13 +553,6 @@ udp6_attach(struct socket *so, int proto, struct proc *p)
 	 * which may match an IPv4-mapped IPv6 address.
 	 */
 	inp->inp_ip_ttl = ip_defttl;
-#ifdef IPSEC
-	error = ipsec_init_policy(so, &inp->in6p_sp);
-	if (error != 0) {
-		in6_pcbdetach(inp);
-		return (error);
-	}
-#endif /*IPSEC*/
 	return 0;
 }