To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Konstantin Belousov
Subject: git: 477f020c7b54 - main - netipsec/ipsec_offload.c: handle failures to install SA nicely
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kib
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 477f020c7b5453bcd3bff7f1491e9830027b271e
Auto-Submitted: auto-generated
Date: Wed, 25 Feb 2026 17:20:19 +0000
Message-Id: <699f2f53.3777b.68820e75@gitrepo.freebsd.org>

The branch main has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=477f020c7b5453bcd3bff7f1491e9830027b271e

commit 477f020c7b5453bcd3bff7f1491e9830027b271e
Author:     Konstantin Belousov
AuthorDate: 2026-01-27 01:00:36 +0000
Commit:     Konstantin Belousov
CommitDate: 2026-02-25 17:19:36 +0000

    netipsec/ipsec_offload.c: handle failures to install SA nicely

    If driver refused to install SA, record rejected handle for SA on the
    interface always, not only for EOPNOTSUPP case. The ipsec_accel_output()
    function did the right thing if there is no rejection handle, but not
    having the handle allows further attempts to install the SA on the
    interface.

    If driver installed the SA, but ipsec_accel_handle_sav() returned error,
    uninstall the SA from the interface. Hardware must not be set up to
    process packets for which kernel expects no processing is done.

    In both cases, free the drv_spi if a handle was not installed. But keep
    drv_spi allocated if the deinstall returned an error from the driver.

    Reviewed by:    slavash
    Tested by:      Wafa Hamzah
    Sponsored by:   NVidia networking
    MFC after:      1 week
---
 sys/netipsec/ipsec_offload.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/sys/netipsec/ipsec_offload.c b/sys/netipsec/ipsec_offload.c index 632e99b8cfce..23d36c395c43 100644 --- a/sys/netipsec/ipsec_offload.c +++ b/sys/netipsec/ipsec_offload.c @@ -308,23 +308,38 @@ ipsec_accel_sa_newkey_cb(if_t ifp, void *arg) dprintf("ipsec_accel_sa_newkey: driver " "refused sa if %s spi %#x\n", if_name(ifp), be32toh(tq->sav->spi)); - error = ipsec_accel_handle_sav(tq->sav, - ifp, drv_spi, priv, IFP_HS_REJECTED, NULL); - /* XXXKIB */ } else { dprintf("ipsec_accel_sa_newkey: driver " "error %d if %s spi %#x\n", error, if_name(ifp), be32toh(tq->sav->spi)); - /* XXXKIB */ + } + error = ipsec_accel_handle_sav(tq->sav, ifp, drv_spi, priv, + IFP_HS_REJECTED, NULL); + if (error != 0) { + dprintf("ipsec_accel_sa_newkey: handle_sav REJECTED " + "err %d if %s spi %#x\n", error, + if_name(ifp), be32toh(tq->sav->spi)); + free_unr(drv_spi_unr, drv_spi); } } else { error = ipsec_accel_handle_sav(tq->sav, ifp, drv_spi, priv, IFP_HS_HANDLED, NULL); if (error != 0) { - /* XXXKIB */ - dprintf("ipsec_accel_sa_newkey: handle_sav " + dprintf("ipsec_accel_sa_newkey: handle_sav HANDLED " "err %d if %s spi %#x\n", error, if_name(ifp), be32toh(tq->sav->spi)); + error = ifp->if_ipsec_accel_m->if_sa_deinstall(ifp, + drv_spi, priv); + if (error == 0) + free_unr(drv_spi_unr, drv_spi); + /* + * If driver refused to deinstall the SA, keep + * drv_spi leaked so that it is not reused. + * The SA is still programmed into the + * hardware with the drv_spi ident, so it is + * better to leak the drv_spi then reuse for + * another SA and have issues due to aliasing. + */ } } out:
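
Review bot: In the IFP_HS_HANDLED failure branch, the result of if_sa_deinstall() is assigned to `error`, overwriting the ipsec_accel_handle_sav() failure that led there, and the deinstall-failed case has no dprintf even though it is the one that leaves the SA programmed in hardware and drv_spi deliberately leaked. Consider holding the deinstall result in a separate local and logging it in the same form as the other messages (error, if_name(ifp), be32toh(tq->sav->spi)), so that a leaked drv_spi can be traced from the logs and whatever follows `out:` still sees the original failure rather than 0 after a successful deinstall. The same overwrite applies on the refused path, where the driver's install error is replaced by the return value of recording IFP_HS_REJECTED; if that is intended, a one-line comment would make it clear. Minor: in the new block comment, "then reuse" should read "than reuse".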