git: 477f020c7b54 - main - netipsec/ipsec_offload.c: handle failures to install SA nicely

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Konstantin Belousov <kib_at_FreeBSD.org>
Date: Wed, 25 Feb 2026 17:20:19 UTC
The branch main has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=477f020c7b5453bcd3bff7f1491e9830027b271e

commit 477f020c7b5453bcd3bff7f1491e9830027b271e
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2026-01-27 01:00:36 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2026-02-25 17:19:36 +0000

    netipsec/ipsec_offload.c: handle failures to install SA nicely
    
    If driver refused to install SA, record rejected handle for SA on the
    interface always, not only for EOPNOTSUPP case.  The
    ipsec_accel_output() function did the right thing if there is no
    rejection handle, but not having the handle allows further attempts to
    install the SA on the interface.
    
    If driver installed the SA, but ipsec_accel_handle_sav() returned error,
    uninstall the SA from the interface.  Hardware must not be set up to
    process packets for which kernel expects no processing is done.
    
    In both cases, free the drv_spi if a handle was not installed.  But keep
    drv_spi allocated if the deinstall returned an error from the driver.
    
    Reviewed by:    slavash
    Tested by:      Wafa Hamzah <wafah@nvidia.com>
    Sponsored by:   NVidia networking
    MFC after:      1 week
---
 sys/netipsec/ipsec_offload.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/sys/netipsec/ipsec_offload.c b/sys/netipsec/ipsec_offload.c
index 632e99b8cfce..23d36c395c43 100644
--- a/sys/netipsec/ipsec_offload.c
+++ b/sys/netipsec/ipsec_offload.c
@@ -308,23 +308,38 @@ ipsec_accel_sa_newkey_cb(if_t ifp, void *arg)
 			dprintf("ipsec_accel_sa_newkey: driver "
 			    "refused sa if %s spi %#x\n",
 			    if_name(ifp), be32toh(tq->sav->spi));
-			error = ipsec_accel_handle_sav(tq->sav,
-			    ifp, drv_spi, priv, IFP_HS_REJECTED, NULL);
-			/* XXXKIB */
 		} else {
 			dprintf("ipsec_accel_sa_newkey: driver "
 			    "error %d if %s spi %#x\n",
 			    error, if_name(ifp), be32toh(tq->sav->spi));
-			/* XXXKIB */
+		}
+		error = ipsec_accel_handle_sav(tq->sav, ifp, drv_spi, priv,
+		    IFP_HS_REJECTED, NULL);
+		if (error != 0) {
+			dprintf("ipsec_accel_sa_newkey: handle_sav REJECTED "
+			    "err %d if %s spi %#x\n", error,
+			    if_name(ifp), be32toh(tq->sav->spi));
+			free_unr(drv_spi_unr, drv_spi);
 		}
 	} else {
 		error = ipsec_accel_handle_sav(tq->sav, ifp,
 		    drv_spi, priv, IFP_HS_HANDLED, NULL);
 		if (error != 0) {
-			/* XXXKIB */
-			dprintf("ipsec_accel_sa_newkey: handle_sav "
+			dprintf("ipsec_accel_sa_newkey: handle_sav HANDLED "
 			    "err %d if %s spi %#x\n", error,
 			    if_name(ifp), be32toh(tq->sav->spi));
+			error = ifp->if_ipsec_accel_m->if_sa_deinstall(ifp,
+			    drv_spi, priv);
+			if (error == 0)
+				free_unr(drv_spi_unr, drv_spi);
+			/*
+			 * If driver refused to deinstall the SA, keep
+			 * drv_spi leaked so that it is not reused.
+			 * The SA is still programmed into the
+			 * hardware with the drv_spi ident, so it is
+			 * better to leak the drv_spi then reuse for
+			 * another SA and have issues due to aliasing.
+			 */
 		}
 	}
 out: