
ipsec: serialize SPI allocation
Closed, Public

Authored by mjg on Nov 3 2021, 4:25 PM.

Details

Summary

two commits:

ipsec: add a lock encompassing SPI allocation

SPIs get allocated and inserted in separate steps. Prior to the change
there was nothing preventing 2 different threads from ending up with the
same one.

ipsec: fix edge case detection in key_do_getnewspi

The 'count' variable would end up being -1 post loop, while the
following condition would check for 0 instead.

Test Plan

kyua test sys/netipsec

internal testing at netgate
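
The two problems named in the summary, as a userspace model added here for illustration (not code from this revision or from sys/netipsec/key.c). The names `spi_table`, `spi_pick`, `spi_alloc` and `racy_interleaving` are hypothetical, and the pthread mutex and sequential probing are stand-ins for whatever lock and candidate selection the kernel uses.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>

static uint32_t spi_table[64];	/* constructed stand-in for the SA database */
static unsigned spi_used;
static pthread_mutex_t spi_alloc_lock = PTHREAD_MUTEX_INITIALIZER;

static bool spi_in_use(uint32_t spi)
{
	for (unsigned i = 0; i < spi_used; i++)
		if (spi_table[i] == spi)
			return true;
	return false;
}

static void spi_insert(uint32_t spi) { if (spi_used < 64) spi_table[spi_used++] = spi; }

/* Step 1: probe [min, max] for an unused SPI, at most `count` tries; 0 = failure. */
static uint32_t spi_pick(uint32_t min, uint32_t max, int count)
{
	uint32_t spi = min;
	while (count-- && spi_in_use(spi))
		spi++;
	/* Exhausted tries leave count == -1; success on the last try leaves 0. */
	return (count < 0 || spi > max) ? 0 : spi;
}

/* Both steps under one lock, so no other caller can pick between check and insert. */
static uint32_t spi_alloc(uint32_t min, uint32_t max, int count)
{
	pthread_mutex_lock(&spi_alloc_lock);
	uint32_t spi = spi_pick(min, max, count);
	if (spi != 0)
		spi_insert(spi);
	pthread_mutex_unlock(&spi_alloc_lock);
	return spi;
}

/* Unserialized order: A checks, B checks, then both insert; true on collision. */
static bool racy_interleaving(void)
{
	spi_used = 0;
	uint32_t a = spi_pick(0x100, 0x1ff, 8);	/* caller A checks */
	uint32_t b = spi_pick(0x100, 0x1ff, 8);	/* caller B checks before A inserts */
	spi_insert(a);
	spi_insert(b);
	return a == b;
}
```

In `spi_pick`, a post-loop test of `count == 0` would report failure when the last try succeeds and miss the exhausted case entirely, which is why the model tests `count < 0`.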

Diff Detail

Lint: Lint Skipped
Unit: Tests Skipped

Event Timeline

mjg requested review of this revision. Nov 3 2021, 4:25 PM
mjg edited the test plan for this revision.
mjg added inline comments.
sys/netipsec/key.c, line 219

I tried an mtx lock but it ran into problems with apparent malloc called with M_WAITOK down the line

sys/netipsec/key.c, line 5652

missing SPI_ALLOC_UNLOCK();

sys/netipsec/key.c, line 6048

It seems the locking here is needed only to satisfy the KASSERT in key_do_getnewspi(). So you can unlock here and remove SPI_ALLOC_UNLOCK() in each following condition.

sys/netipsec/key.c, line 6262

The same, only one SPI_ALLOC_UNLOCK() is needed here.

mjg added inline comments.
sys/netipsec/key.c, line 6260

key_getsavbyspi does not need the lock per se but I would argue it is more future-proof to keep it

This revision is now accepted and ready to land. Nov 3 2021, 6:10 PM