git: e196b12f4d4d - main - ipsec: Drain async ipsec_offload work when destroying a vnet
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 30 Aug 2024 13:08:32 UTC
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=e196b12f4d4d13982d42cf7841b77dca1405effa
commit e196b12f4d4d13982d42cf7841b77dca1405effa
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-08-30 00:44:45 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-08-30 13:08:20 +0000
ipsec: Drain async ipsec_offload work when destroying a vnet
The ipsec_offload code in some cases releases object references in an
asynchronous context where it needs to set the current VNET. Make sure
that all such work completes before the VNET is actually destroyed,
otherwise a use-after-free is possible.
Reported by: KASAN
Reviewed by: kib
Fixes: ef2a572bf6bd ("ipsec_offload: kernel infrastructure")
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D46483
---
sys/netipsec/ipsec_offload.c | 2 +-
sys/netipsec/key.c | 3 +++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/sys/netipsec/ipsec_offload.c b/sys/netipsec/ipsec_offload.c
index bbf98ac7a676..1ff91ec585c2 100644
--- a/sys/netipsec/ipsec_offload.c
+++ b/sys/netipsec/ipsec_offload.c
@@ -386,7 +386,7 @@ ipsec_accel_sa_newkey_impl(struct secasvar *sav)
TASK_INIT(&tq->install_task, 0, ipsec_accel_sa_newkey_act, tq);
tq->sav = sav;
- tq->install_vnet = curthread->td_vnet; /* XXXKIB liveness */
+ tq->install_vnet = curthread->td_vnet;
taskqueue_enqueue(taskqueue_thread, &tq->install_task);
}
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index 5a3e5727bc2e..ad1d6164f158 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -8713,6 +8713,9 @@ key_vnet_destroy(void *arg __unused)
}
SAHTREE_WUNLOCK();
+ /* Wait for async work referencing this VNET to finish. */
+ ipsec_accel_sync();
+
key_freesah_flushed(&sahdrainq);
hashdestroy(V_sphashtbl, M_IPSEC_SP, V_sphash_mask);
hashdestroy(V_savhashtbl, M_IPSEC_SA, V_savhash_mask);