To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Konstantin Belousov
Subject: git: 477f020c7b54 - main - netipsec/ipsec_offload.c: handle failures to install SA nicely
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: kib
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 477f020c7b5453bcd3bff7f1491e9830027b271e
Date: Wed, 25 Feb 2026 17:20:19 +0000
Message-Id: <699f2f53.3777b.68820e75@gitrepo.freebsd.org>

The branch main has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=477f020c7b5453bcd3bff7f1491e9830027b271e

commit 477f020c7b5453bcd3bff7f1491e9830027b271e
Author:     Konstantin Belousov
AuthorDate: 2026-01-27 01:00:36 +0000
Commit:     Konstantin Belousov
CommitDate: 2026-02-25 17:19:36 +0000

    netipsec/ipsec_offload.c: handle failures to install SA nicely

    If driver refused to install SA, record rejected handle for SA on the
    interface always, not only for EOPNOTSUPP case. The
    ipsec_accel_output() function did the right thing if there is no
    rejection handle, but not having the handle allows further attempts to
    install the SA on the interface.

    If driver installed the SA, but ipsec_accel_handle_sav() returned
    error, uninstall the SA from the interface. Hardware must not be set
    up to process packets for which kernel expects no processing is done.

    In both cases, free the drv_spi if a handle was not installed. But
    keep drv_spi allocated if the deinstall returned an error from the
    driver.

    Reviewed by:    slavash
    Tested by:      Wafa Hamzah
    Sponsored by:   NVidia networking
    MFC after:      1 week
---
 sys/netipsec/ipsec_offload.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/sys/netipsec/ipsec_offload.c b/sys/netipsec/ipsec_offload.c index 632e99b8cfce..23d36c395c43 100644 --- a/sys/netipsec/ipsec_offload.c +++ b/sys/netipsec/ipsec_offload.c @@ -308,23 +308,38 @@ ipsec_accel_sa_newkey_cb(if_t ifp, void *arg) dprintf("ipsec_accel_sa_newkey: driver " "refused sa if %s spi %#x\n", if_name(ifp), be32toh(tq->sav->spi)); - error = ipsec_accel_handle_sav(tq->sav, - ifp, drv_spi, priv, IFP_HS_REJECTED, NULL); - /* XXXKIB */ } else { dprintf("ipsec_accel_sa_newkey: driver " "error %d if %s spi %#x\n", error, if_name(ifp), be32toh(tq->sav->spi)); - /* XXXKIB */ + } + error = ipsec_accel_handle_sav(tq->sav, ifp, drv_spi, priv, + IFP_HS_REJECTED, NULL); + if (error != 0) { + dprintf("ipsec_accel_sa_newkey: handle_sav REJECTED " + "err %d if %s spi %#x\n", error, + if_name(ifp), be32toh(tq->sav->spi)); + free_unr(drv_spi_unr, drv_spi); } } else { error = ipsec_accel_handle_sav(tq->sav, ifp, drv_spi, priv, IFP_HS_HANDLED, NULL); if (error != 0) { - /* XXXKIB */ - dprintf("ipsec_accel_sa_newkey: handle_sav " + dprintf("ipsec_accel_sa_newkey: handle_sav HANDLED " "err %d if %s spi %#x\n", error, if_name(ifp), be32toh(tq->sav->spi)); + error = ifp->if_ipsec_accel_m->if_sa_deinstall(ifp, + drv_spi, priv); + if (error == 0) + free_unr(drv_spi_unr, drv_spi); + /* + * If driver refused to deinstall the SA, keep + * drv_spi leaked so that it is not reused. + * The SA is still programmed into the + * hardware with the drv_spi ident, so it is + * better to leak the drv_spi then reuse for + * another SA and have issues due to aliasing. + */ } } out:
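
Review bot: In the HANDLED failure branch, the return value of if_sa_deinstall() is stored into error and only the error == 0 case is acted on, so a driver that refuses the deinstall leaves drv_spi leaked with no dprintf at all, while every other failure path in this hunk logs the interface name and SPI. Since the new comment says the SA is still programmed into the hardware in that case, a log line there ("deinstall err %d if %s spi %#x") would make the intentional leak and the stale hardware state traceable. Storing the deinstall result in error also overwrites the handle_sav failure that triggered the rollback, and the REJECTED path similarly replaces the driver's install error with the handle_sav result; a separate local for the secondary call would keep the original cause available to whatever follows out:, which is not visible in this hunk. Minor: the comment reads "leak the drv_spi then reuse" where "than reuse" is meant.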