Page MenuHomeFreeBSD

Set the proper vnet in IPSec callback functions.
ClosedPublic

Authored by jhb on Mar 19 2018, 10:14 PM.
Tags
None
Referenced Files
Unknown Object (File)
Oct 18 2024, 10:05 PM
Unknown Object (File)
Oct 5 2024, 7:26 AM
Unknown Object (File)
Oct 4 2024, 3:50 PM
Unknown Object (File)
Oct 3 2024, 11:05 PM
Unknown Object (File)
Oct 3 2024, 3:12 PM
Unknown Object (File)
Sep 27 2024, 10:00 PM
Unknown Object (File)
Sep 26 2024, 3:16 PM
Unknown Object (File)
Sep 23 2024, 8:16 PM
Subscribers

Details

Summary

When using hardware crypto engines, the callback functions used to handle
an IPSec packet after it has been encrypted or decrypted can be invoked
asynchronously from a worker thread that is not associated with a vnet.
Extend 'struct xform_data' to include a vnet pointer and save the current
vnet in this new member when queueing crypto requests in IPSec. In the
IPSec callback routines, use the new member to set the current vnet while
processing the modified packet.

This fixes a panic when using hardware offload such as ccr(4) with IPSec
after VIMAGE was enabled in GENERIC.

Test Plan
  • ping when using ccr(4) to offload crypto for an IPSec tunnel using AES-CBC + SHA1 HMAC.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

Sounds good to me. I think if the vnet disappears between before the callback we have entirely different problems.

PS: It's spelt IPsec (lower case 's'; IP security).

This revision is now accepted and ready to land.Mar 20 2018, 3:56 PM
This revision was automatically updated to reflect the committed changes.