git: cda061006a3f - stable/15 - netipsec/ipsec_offload.c: handle failures to install SA nicely

Tue, 03 Mar 2026 17:20:51 -0800 

The branch stable/15 has been updated by kib:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=cda061006a3f84557c7f958049edfdd0985081e6

commit cda061006a3f84557c7f958049edfdd0985081e6
Author:     Konstantin Belousov <[email protected]>
AuthorDate: 2026-01-27 01:00:36 +0000
Commit:     Konstantin Belousov <[email protected]>
CommitDate: 2026-03-04 01:15:59 +0000

    netipsec/ipsec_offload.c: handle failures to install SA nicely
    
    (cherry picked from commit 477f020c7b5453bcd3bff7f1491e9830027b271e)
---
 sys/netipsec/ipsec_offload.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/sys/netipsec/ipsec_offload.c b/sys/netipsec/ipsec_offload.c
index 3583fc50f51b..09c57d0a54cc 100644
--- a/sys/netipsec/ipsec_offload.c
+++ b/sys/netipsec/ipsec_offload.c
@@ -308,23 +308,38 @@ ipsec_accel_sa_newkey_cb(if_t ifp, void *arg)
                        dprintf("ipsec_accel_sa_newkey: driver "
                            "refused sa if %s spi %#x\n",
                            if_name(ifp), be32toh(tq->sav->spi));
-                       error = ipsec_accel_handle_sav(tq->sav,
-                           ifp, drv_spi, priv, IFP_HS_REJECTED, NULL);
-                       /* XXXKIB */
                } else {
                        dprintf("ipsec_accel_sa_newkey: driver "
                            "error %d if %s spi %#x\n",
                            error, if_name(ifp), be32toh(tq->sav->spi));
-                       /* XXXKIB */
+               }
+               error = ipsec_accel_handle_sav(tq->sav, ifp, drv_spi, priv,
+                   IFP_HS_REJECTED, NULL);
+               if (error != 0) {
+                       dprintf("ipsec_accel_sa_newkey: handle_sav REJECTED "
+                           "err %d if %s spi %#x\n", error,
+                           if_name(ifp), be32toh(tq->sav->spi));
+                       free_unr(drv_spi_unr, drv_spi);
                }
        } else {
                error = ipsec_accel_handle_sav(tq->sav, ifp,
                    drv_spi, priv, IFP_HS_HANDLED, NULL);
                if (error != 0) {
-                       /* XXXKIB */
-                       dprintf("ipsec_accel_sa_newkey: handle_sav "
+                       dprintf("ipsec_accel_sa_newkey: handle_sav HANDLED "
                            "err %d if %s spi %#x\n", error,
                            if_name(ifp), be32toh(tq->sav->spi));
+                       error = ifp->if_ipsec_accel_m->if_sa_deinstall(ifp,
+                           drv_spi, priv);
+                       if (error == 0)
+                               free_unr(drv_spi_unr, drv_spi);
+                       /*
+                        * If driver refused to deinstall the SA, keep
+                        * drv_spi leaked so that it is not reused.
+                        * The SA is still programmed into the
+                        * hardware with the drv_spi ident, so it is
+                        * better to leak the drv_spi then reuse for
+                        * another SA and have issues due to aliasing.
+                        */
                }
        }
 out:

Reply via email to