The branch main has been updated by kib: URL: https://cgit.FreeBSD.org/src/commit/?id=477f020c7b5453bcd3bff7f1491e9830027b271e
commit 477f020c7b5453bcd3bff7f1491e9830027b271e Author: Konstantin Belousov <[email protected]> AuthorDate: 2026-01-27 01:00:36 +0000 Commit: Konstantin Belousov <[email protected]> CommitDate: 2026-02-25 17:19:36 +0000 netipsec/ipsec_offload.c: handle failures to install SA nicely If driver refused to install SA, record rejected handle for SA on the interface always, not only for EOPNOTSUPP case. The ipsec_accel_output() function did the right thing if there is no rejection handle, but not having the handle allows further attempts to install the SA on the interface. If driver installed the SA, but ipsec_accel_handle_sav() returned error, uninstall the SA from the interface. Hardware must not be set up to process packets for which kernel expects no processing is done. In both cases, free the drv_spi if a handle was not installed. But keep drv_spi allocated if the deinstall returned an error from the driver. Reviewed by: slavash Tested by: Wafa Hamzah <[email protected]> Sponsored by: NVidia networking MFC after: 1 week --- sys/netipsec/ipsec_offload.c | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/sys/netipsec/ipsec_offload.c b/sys/netipsec/ipsec_offload.c index 632e99b8cfce..23d36c395c43 100644 --- a/sys/netipsec/ipsec_offload.c +++ b/sys/netipsec/ipsec_offload.c @@ -308,23 +308,38 @@ ipsec_accel_sa_newkey_cb(if_t ifp, void *arg) dprintf("ipsec_accel_sa_newkey: driver " "refused sa if %s spi %#x\n", if_name(ifp), be32toh(tq->sav->spi)); - error = ipsec_accel_handle_sav(tq->sav, - ifp, drv_spi, priv, IFP_HS_REJECTED, NULL); - /* XXXKIB */ } else { dprintf("ipsec_accel_sa_newkey: driver " "error %d if %s spi %#x\n", error, if_name(ifp), be32toh(tq->sav->spi)); - /* XXXKIB */ + } + error = ipsec_accel_handle_sav(tq->sav, ifp, drv_spi, priv, + IFP_HS_REJECTED, NULL); + if (error != 0) { + dprintf("ipsec_accel_sa_newkey: handle_sav REJECTED " + "err %d if %s spi %#x\n", error, + if_name(ifp), be32toh(tq->sav->spi)); + free_unr(drv_spi_unr, drv_spi); } } else { error = ipsec_accel_handle_sav(tq->sav, ifp, drv_spi, priv, IFP_HS_HANDLED, NULL); if (error != 0) { - /* XXXKIB */ - dprintf("ipsec_accel_sa_newkey: handle_sav " + dprintf("ipsec_accel_sa_newkey: handle_sav HANDLED " "err %d if %s spi %#x\n", error, if_name(ifp), be32toh(tq->sav->spi)); + error = ifp->if_ipsec_accel_m->if_sa_deinstall(ifp, + drv_spi, priv); + if (error == 0) + free_unr(drv_spi_unr, drv_spi); + /* + * If driver refused to deinstall the SA, keep + * drv_spi leaked so that it is not reused. + * The SA is still programmed into the + * hardware with the drv_spi ident, so it is + * better to leak the drv_spi then reuse for + * another SA and have issues due to aliasing. + */ } } out:
