From nobody Wed Apr 29 23:36:15 2026
X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g5YbM2SvQz6c9dn
	for <dev-commits-src-main@mlmmj.nyi.freebsd.org>; Wed, 29 Apr 2026 23:36:15 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4g5YbM1tnxz467n
	for <dev-commits-src-main@FreeBSD.org>; Wed, 29 Apr 2026 23:36:15 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1777505775;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=ZG/GuedJH5O07vB7kDIA+oGW3tVTCTvBqBl6pp7dYrc=;
	b=SqAgdgNZB2WNBxQNe743AtvhkrwyHTz8gC/uQmFPV+kdm7SALbRLsSVcPnGc487dkSslL5
	N+eSUMKzJNj/PFYGwyWPJWRp/nul83yLG1HR+m4aGAf6w4nvW1nH6Hx8sdiiZ9fvzEESl9
	0gYfN1YT9eNbpGA9jTzACKhlok+qr+JcBLnzBmLvRXVKO3xiB0Belok1AD7ZbrQF4P2UMS
	cbY8kjkFB9kQEoPX5pXeKJP1uFOGPec4FIslDmN+9EEgzOJghHOMt3YAx6pXLmNPxBWDVw
	SKYaVMHP6/EZ+Q2G6wc/JjKQAECwGYw29KVAEHVvX7tBNNesajYOWrDytXnTLg==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777505775; a=rsa-sha256; cv=none;
	b=ucJAITFi+QMxM7TYG9FTZ74LV8/lX8m8XwYMdjF31eUO4go9pxapfDJcdEhBDB8HtiVljU
	Mo6tzyd7jkY58qaxkWUgIweTjn7zK61ajdNrcRlyPgFmjnAadDSjeiOy6fncQRCF87wyH8
	Ss4OITKQ7ldnDrg99MdTCS6J6lYn8wulXx4ueHsi+Xi5SQnMeJqlGQJqDsUSr31ZP5CyzV
	mvfYAWweok4wXO210NcMYCSHC0MNlWqMqej0kjddJE+ZD3C4Euna6BmQOAARsDkCm7Gmbp
	PPoIrXIFZO+gsIzrblV4+9FISNMiSLUF0YffeyWQQq4Tm7Dy81KhVC5okv6eIQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1777505775;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=ZG/GuedJH5O07vB7kDIA+oGW3tVTCTvBqBl6pp7dYrc=;
	b=NngHG4W4zCS5thvQk0Dqv4dSRVaCeBUKubBkZW/ioT6+d8cyHqW3oTWSWihPW7HX6XWEOP
	E84jVxws27OA5g+b/BVvGUArEEgxFvNRWkAuqDL79nOYpjqXsbshylsbbgjp359152dls0
	LTfPspkmhniBt0rTABx5RQ63yWCduEBT3XmZ/5JlEqHvccA326EHNKM7VRbcpgio8Gw1po
	3NK/QFFZoIJqlrH86koLD6uBcUlhhZyGRCIlPEvaOX6bKMan4k5Z/z6ebnYPDybIg6fAny
	K6r4Ya7O0lGix1x67x/PUVh8znZZg3UmjJeFmt3lG2z1INwZo54GAV+ABBec9A==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4g5YbM0wswz12T8
	for <dev-commits-src-main@FreeBSD.org>; Wed, 29 Apr 2026 23:36:15 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 2598c
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Wed, 29 Apr 2026 23:36:15 +0000
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Andrew Gallatin <gallatin@FreeBSD.org>
Subject: git: 72e2ae505c4a - main - tcp: release nic ktls send tags when entering time wait
List-Id: Commit messages for the main branch of the src repository <dev-commits-src-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help: <mailto:dev-commits-src-main+help@freebsd.org>
List-Post: <mailto:dev-commits-src-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-main+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: gallatin
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 72e2ae505c4a081d4b4759f51e25bf6e17c99442
Auto-Submitted: auto-generated
Date: Wed, 29 Apr 2026 23:36:15 +0000
Message-Id: <69f295ef.2598c.6834391@gitrepo.freebsd.org>

The branch main has been updated by gallatin:

URL: https://cgit.FreeBSD.org/src/commit/?id=72e2ae505c4a081d4b4759f51e25bf6e17c99442

commit 72e2ae505c4a081d4b4759f51e25bf6e17c99442
Author:     Andrew Gallatin <gallatin@FreeBSD.org>
AuthorDate: 2026-04-29 23:26:05 +0000
Commit:     Andrew Gallatin <gallatin@FreeBSD.org>
CommitDate: 2026-04-29 23:35:47 +0000

    tcp: release nic ktls send tags when entering time wait
    
    When under heavy load or churn, inline ktls offload NICs may run out
    of hardware resources described by ktls send tags.  Rather than
    waiting for connections to pass through the time_wait state, reclaim
    the ktls send tags early, at entry to time_wait. By preventing
    potentially tens or hundreds of thousands of sessions from holding
    send tags in time_wait, this allows more ktls sessions to be offloaded
    to hardware.
    
    Reviewed by: glebius, kib, nickbanks_netflix.com, rrs, tuexen
    Sponsored by: Netflix
    Differential Revision: https://reviews.freebsd.org/D56610
---
 sys/netinet/tcp_timewait.c | 10 ++++++++++
 sys/sys/ktls.h             | 12 ++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index eaa2fa336a94..4f4ca445fa46 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -32,11 +32,15 @@
 #include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_ipsec.h"
+#include "opt_kern_tls.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/callout.h>
 #include <sys/kernel.h>
+#ifdef KERN_TLS
+#include <sys/ktls.h>
+#endif
 #include <sys/sysctl.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
@@ -132,6 +136,12 @@ tcp_twstart(struct tcpcb *tp)
 	tcp_free_sackholes(tp);
 	soisdisconnected(inp->inp_socket);
 
+#ifdef KERN_TLS
+	/* release ktls snd tag now that no more data can be sent */
+	if (tptosocket(tp)->so_snd.sb_tls_info != NULL) {
+		ktls_release_snd_tag(tptosocket(tp)->so_snd.sb_tls_info);
+	}
+#endif
 	if (tp->t_flags & TF_ACKNOW)
 		(void) tcp_output(tp);
 
diff --git a/sys/sys/ktls.h b/sys/sys/ktls.h
index 6c7e7d3c5ee3..3e3f0b77e4a2 100644
--- a/sys/sys/ktls.h
+++ b/sys/sys/ktls.h
@@ -28,6 +28,7 @@
 #define	_SYS_KTLS_H_
 
 #ifdef _KERNEL
+#include <sys/mbuf.h>
 #include <sys/_null.h>
 #include <sys/refcount.h>
 #include <sys/_task.h>
@@ -285,6 +286,17 @@ ktls_free(struct ktls_session *tls)
 		ktls_destroy(tls);
 }
 
+static inline void
+ktls_release_snd_tag(struct ktls_session *tls)
+{
+	struct m_snd_tag *mst;
+
+	mst = tls->snd_tag;
+	tls->snd_tag = NULL;
+	if (mst != NULL)
+		m_snd_tag_rele(mst);
+}
+
 void ktls_session_to_xktls_onedir(const struct ktls_session *ks,
     bool export_keys, struct xktls_session_onedir *xktls_od);
 void ktls_session_copy_keys(const struct ktls_session *ktls,