git: cda061006a3f - stable/15 - netipsec/ipsec_offload.c: handle failures to install SA nicely

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Konstantin Belousov <kib_at_FreeBSD.org>
Date: Wed, 04 Mar 2026 01:20:20 UTC
The branch stable/15 has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=cda061006a3f84557c7f958049edfdd0985081e6

commit cda061006a3f84557c7f958049edfdd0985081e6
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2026-01-27 01:00:36 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2026-03-04 01:15:59 +0000

    netipsec/ipsec_offload.c: handle failures to install SA nicely
    
    (cherry picked from commit 477f020c7b5453bcd3bff7f1491e9830027b271e)
---
 sys/netipsec/ipsec_offload.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/sys/netipsec/ipsec_offload.c b/sys/netipsec/ipsec_offload.c
index 3583fc50f51b..09c57d0a54cc 100644
--- a/sys/netipsec/ipsec_offload.c
+++ b/sys/netipsec/ipsec_offload.c
@@ -308,23 +308,38 @@ ipsec_accel_sa_newkey_cb(if_t ifp, void *arg)
 			dprintf("ipsec_accel_sa_newkey: driver "
 			    "refused sa if %s spi %#x\n",
 			    if_name(ifp), be32toh(tq->sav->spi));
-			error = ipsec_accel_handle_sav(tq->sav,
-			    ifp, drv_spi, priv, IFP_HS_REJECTED, NULL);
-			/* XXXKIB */
 		} else {
 			dprintf("ipsec_accel_sa_newkey: driver "
 			    "error %d if %s spi %#x\n",
 			    error, if_name(ifp), be32toh(tq->sav->spi));
-			/* XXXKIB */
+		}
+		error = ipsec_accel_handle_sav(tq->sav, ifp, drv_spi, priv,
+		    IFP_HS_REJECTED, NULL);
+		if (error != 0) {
+			dprintf("ipsec_accel_sa_newkey: handle_sav REJECTED "
+			    "err %d if %s spi %#x\n", error,
+			    if_name(ifp), be32toh(tq->sav->spi));
+			free_unr(drv_spi_unr, drv_spi);
 		}
 	} else {
 		error = ipsec_accel_handle_sav(tq->sav, ifp,
 		    drv_spi, priv, IFP_HS_HANDLED, NULL);
 		if (error != 0) {
-			/* XXXKIB */
-			dprintf("ipsec_accel_sa_newkey: handle_sav "
+			dprintf("ipsec_accel_sa_newkey: handle_sav HANDLED "
 			    "err %d if %s spi %#x\n", error,
 			    if_name(ifp), be32toh(tq->sav->spi));
+			error = ifp->if_ipsec_accel_m->if_sa_deinstall(ifp,
+			    drv_spi, priv);
+			if (error == 0)
+				free_unr(drv_spi_unr, drv_spi);
+			/*
+			 * If driver refused to deinstall the SA, keep
+			 * drv_spi leaked so that it is not reused.
+			 * The SA is still programmed into the
+			 * hardware with the drv_spi ident, so it is
+			 * better to leak the drv_spi then reuse for
+			 * another SA and have issues due to aliasing.
+			 */
 		}
 	}
 out: