
ipsec: Drain async ipsec_offload work when destroying a vnet
Closed, Public

Authored by markj on Fri, Aug 30, 12:54 AM.

Details

Summary

The ipsec_offload code in some cases releases object references in an
asynchronous context where it needs to set the current VNET. Make sure
that all such work completes before the VNET is actually destroyed,
otherwise a use-after-free is possible.

Reported by: KASAN
Fixes: ef2a572bf6bd ("ipsec_offload: kernel infrastructure")

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

This revision is now accepted and ready to land. (Fri, Aug 30, 6:35 AM)

This patch can cause hangs, since it's possible for key_vnet_destroy() to execute in taskqueue_thread's context.

To fix this, I wonder if ipsec_accel can use a dedicated taskqueue thread instead of taskqueue_thread.

It can, the restriction is that all handling should occur in the same single-threaded context.
I did not allocate a dedicated thread because the events like creation or destruction of SAs are very rare, and creation or destruction of SPs almost never happens. So I do not want to waste the whole thread for this.

Then, for me this feels more like a bug in taskqueue_drain_all(). What about D46489 instead?
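
The two points raised in this review (deferred work must finish before the object it references is freed, and a drain issued from the queue's own thread waits on itself) are modelled below as an added userspace example. It is not code from this revision or from FreeBSD: every name is hypothetical, `ctx` stands in for a vnet and the pthread worker for `taskqueue_thread`, and returning `EDEADLK` is this model's own choice rather than taskqueue behaviour.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
/* Userspace model with hypothetical names, not FreeBSD code. */
#define QLEN 8
struct ctx { int refs; };                 /* stands in for a vnet */
struct task { void (*fn)(struct ctx *); struct ctx *c; };
static pthread_mutex_t mtx = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t cv = PTHREAD_COND_INITIALIZER;
static struct task q[QLEN];               /* served by a single worker */
static unsigned qh, qt;                   /* q[qh..qt) not yet completed */
static int released, nested_rc = -1;
static pthread_t worker;
static void *wq_thread(void *arg) {
    pthread_mutex_lock(&mtx);
    for (;;) {
        while (qh == qt) pthread_cond_wait(&cv, &mtx);
        struct task t = q[qh % QLEN];
        pthread_mutex_unlock(&mtx);
        t.fn(t.c);                        /* asynchronous use of ctx */
        pthread_mutex_lock(&mtx);
        qh++;                             /* completed only after fn returns */
        pthread_cond_broadcast(&cv);
    }
}
static int wq_enqueue(void (*fn)(struct ctx *), struct ctx *c) {
    int rc = ENOSPC;
    pthread_mutex_lock(&mtx);
    if (qt - qh < QLEN) { q[qt++ % QLEN] = (struct task){ fn, c }; rc = 0; }
    pthread_cond_broadcast(&cv);
    pthread_mutex_unlock(&mtx);
    return rc;
}
static int wq_drain(void) {               /* wait for queued and running tasks */
    if (pthread_equal(pthread_self(), worker)) return EDEADLK; /* self-wait */
    pthread_mutex_lock(&mtx);
    while (qh != qt) pthread_cond_wait(&cv, &mtx);
    return pthread_mutex_unlock(&mtx);    /* 0 on success */
}
static int ctx_destroy(struct ctx *c) {   /* free only after the drain */
    return wq_drain() ? EDEADLK : (free(c), 0);
}
static void release_ref(struct ctx *c) { c->refs--; released++; }
static void destroy_nested(struct ctx *c) { nested_rc = ctx_destroy(c); }
int main(void) {
    struct ctx *a = calloc(1, sizeof(*a));
    if (!a || pthread_create(&worker, NULL, wq_thread, NULL)) return 1;
    if (wq_enqueue(release_ref, a) || wq_enqueue(destroy_nested, a)) return 1;
    return !(ctx_destroy(a) == 0 && released == 1 && nested_rc == EDEADLK);
}
```

Removing the `wq_drain()` call from `ctx_destroy()` lets `free()` race with `release_ref()`, which is the kind of access a sanitizer reports as a use-after-free.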