Page MenuHomeFreeBSD

ipsec: Drain async ipsec_offload work when destroying a vnet
ClosedPublic

Authored by markj on Aug 30 2024, 12:54 AM.
Tags
None
Referenced Files
F103589094: D46483.id142607.diff
Tue, Nov 26, 8:14 PM
F103579796: D46483.diff
Tue, Nov 26, 5:54 PM
Unknown Object (File)
Tue, Nov 19, 6:10 AM
Unknown Object (File)
Fri, Nov 8, 4:16 PM
Unknown Object (File)
Wed, Oct 30, 1:38 PM
Unknown Object (File)
Oct 19 2024, 10:23 PM
Unknown Object (File)
Oct 9 2024, 9:18 AM
Unknown Object (File)
Oct 2 2024, 5:21 PM

Details

Summary

The ipsec_offload code in some cases releases object references in an
asynchronous context where it needs to set the current VNET. Make sure
that all such work completes before the VNET is actually destroyed,
otherwise a use-after-free is possible.

Reported by: KASAN
Fixes: ef2a572bf6bd ("ipsec_offload: kernel infrastructure")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 59238
Build 56125: arc lint + arc unit

Event Timeline

This revision is now accepted and ready to land.Aug 30 2024, 6:35 AM

This patch can cause hangs, since it's possible for key_vnet_destroy() to execute in taskqueue_thread's context.

To fix this, I wonder if ipsec_accel can use a dedicated taskqueue thread instead of taskqueue_thread.

This patch can cause hangs, since it's possible for key_vnet_destroy() to execute in taskqueue_thread's context.

To fix this, I wonder if ipsec_accel can use a dedicated taskqueue thread instead of taskqueue_thread.

It can, the restriction is that all handling should occur in the same single-threaded context.
I did not allocated dedicated thread because the events like creation or destruction of SAs are very rare, and creation or destruction of SPs almost never happen. So I do not want to waste the whole thread for this.

Then, for me this feels more like a bug in taskqueue_drain_all(). What about D46489 instead?