ipsec: serialize SPI allocation
ClosedPublic
Actions

Authored by mjg on Nov 3 2021, 4:25 PM.

Details

Reviewers

Commits

rG10ea195fa269: ipsec: add a lock encompassing SPI allocation
rG626bd0970abf: ipsec: fix edge case detection in key_do_getnewspi

Summary

two commits:

ipsec: add a lock encompassing SPI allocation

SPIs get allocated and inserted in separate steps. Prior to the change
there was nothing preventing 2 differnet threads from ending up with the
same one.

ipsec: fix edge case detection in key_do_getnewspi

The 'count' variable would end up being -1 post loop, while the
following condition would check for 0 instead.

Test Plan

kyua test sys/netipsec

internal testing at netgate

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

mjg created this revision.Nov 3 2021, 4:25 PM

Herald added subscribers: melifaro, imp. · View Herald TranscriptNov 3 2021, 4:25 PM

mjg requested review of this revision.Nov 3 2021, 4:25 PM

mjg edited the test plan for this revision. (Show Details)

mjg added inline comments.

sys/netipsec/key.c
219	i tried an mtx lock but it ran into problems with apparent malloc called with M_WAITOK down the line

ae added inline comments.Nov 3 2021, 5:01 PM

sys/netipsec/key.c
5651	missing SPI_ALLOC_UNLOCK();
6046	It seems the locking here needed only to satisfy KASSERT in key_do_getnewspi(). So you can unlock here and remove SPI_ALLOC_UNLOCK() in each following condition.
6262	the same, only one SPI_ALLOCK_UNLOCK() here needed.