Date: Mon, 13 Jan 2025 19:30:12 GMT
Message-Id: <202501131930.50DJUCFg047113@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Konstantin Belousov
Subject: git: b0e020764aae - main - ipsec + ktls: cannot coexists
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kib
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: b0e020764aae970545357b0f146dcba7b4b55864
Auto-Submitted: auto-generated

The branch main has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=b0e020764aae970545357b0f146dcba7b4b55864

commit b0e020764aae970545357b0f146dcba7b4b55864
Author:     Konstantin Belousov
AuthorDate: 2024-12-28 08:30:49 +0000
Commit:     Konstantin Belousov
CommitDate: 2025-01-13 19:29:31 +0000

    ipsec + ktls: cannot coexists

    but instead of tripping the assert in debug kernel, and silently falling
    into UB for prod, skip IPSEC processing for KTLS framed packets when
    mb_unmapped_to_ext() failed.

    Reviewed by: markj
    Sponsored by: NVidia networking
    MFC after: 1 week
    Differential revision: https://reviews.freebsd.org/D48265
---
 sys/netinet/ip_output.c   | 33 +++++++++++++++++++++++++--------
 sys/netinet6/ip6_output.c | 34 ++++++++++++++++++++++++++--------
 2 files changed, 51 insertions(+), 16 deletions(-)

diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 770a95dae659..4f5d8b7279ba 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c 
@@ -667,17 +667,25 @@ again: sendit: #if defined(IPSEC) || defined(IPSEC_SUPPORT) if (IPSEC_ENABLED(ipv4)) { - m = mb_unmapped_to_ext(m); - if (m == NULL) { - IPSTAT_INC(ips_odropped); - error = ENOBUFS; - goto bad; + struct mbuf *m1; + + error = mb_unmapped_to_ext(m, &m1); + if (error != 0) { + if (error == ENOMEM) { + IPSTAT_INC(ips_odropped); + error = ENOBUFS; + goto bad; + } + /* XXXKIB */ + goto no_ipsec; } + m = m1; if ((error = IPSEC_OUTPUT(ipv4, ifp, m, inp, mtu)) != 0) { if (error == EINPROGRESS) error = 0; goto done; } +no_ipsec:; } /* * Check if there was a route for this packet; return error if not. @@ -731,11 +739,20 @@ sendit: /* Ensure the packet data is mapped if the interface requires it. */ if ((ifp->if_capenable & IFCAP_MEXTPG) == 0) { - m = mb_unmapped_to_ext(m); - if (m == NULL) { + struct mbuf *m1; + + error = mb_unmapped_to_ext(m, &m1); + if (error != 0) { + if (error == EINVAL) { + if_printf(ifp, "TLS packet\n"); + /* XXXKIB */ + } else if (error == ENOMEM) { + error = ENOBUFS; + } IPSTAT_INC(ips_odropped); - error = ENOBUFS; goto bad; + } else { + m = m1; } } diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index 9e4985cdc6cd..c6907835bc67 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -792,18 +792,26 @@ nonh6lookup: * XXX: need scope argument. */ if (IPSEC_ENABLED(ipv6)) { - m = mb_unmapped_to_ext(m); - if (m == NULL) { - IP6STAT_INC(ip6s_odropped); - error = ENOBUFS; - goto bad; + struct mbuf *m1; + + error = mb_unmapped_to_ext(m, &m1); + if (error != 0) { + if (error == ENOMEM) { + IP6STAT_INC(ip6s_odropped); + error = ENOBUFS; + goto bad; + } + /* XXXKIB */ + goto no_ipsec; } + m = m1; if ((error = IPSEC_OUTPUT(ipv6, ifp, m, inp, mtu == 0 ? ifp->if_mtu : mtu)) != 0) { if (error == EINPROGRESS) error = 0; goto done; } +no_ipsec:; } #endif /* IPSEC */ 
@@ -1106,10 +1114,20 @@ passout: /* Ensure the packet data is mapped if the interface requires it. */ if ((ifp->if_capenable & IFCAP_MEXTPG) == 0) { - m = mb_unmapped_to_ext(m); - if (m == NULL) { + struct mbuf *m1; + + error = mb_unmapped_to_ext(m, &m1); + if (error != 0) { + if (error == EINVAL) { + if_printf(ifp, "TLS packet\n"); + /* XXXKIB */ + } else if (error == ENOMEM) { + error = ENOBUFS; + } IP6STAT_INC(ip6s_odropped); - return (ENOBUFS); + return (error); + } else { + m = m1; } }
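
Review bot: in sys/netinet/ip_output.c, hunk @@ -667, the `goto no_ipsec` branch fails open for every errno except ENOMEM. Any other failure of mb_unmapped_to_ext() skips IPSEC_OUTPUT() and lets the packet continue down the output path, with no statistic bumped and only `/* XXXKIB */` as explanation. I would test `error == EINVAL` explicitly so that an unexpected errno still drops the packet as before, count the skipped packets so the bypass is observable, and replace the placeholder comment with a sentence saying that a KTLS-framed mbuf cannot be converted and that IPsec policy is therefore not applied to it. Note also that `error` is still non-zero when control reaches `no_ipsec:`; clear it before the jump unless the code that follows is known to overwrite it on every path.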
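
Review bot: in sys/netinet/ip_output.c, hunk @@ -731, `if_printf(ifp, "TLS packet\n")` sits on the per-packet drop path with no rate limit, and the message does not say that the packet was dropped or why. A flow that keeps hitting this branch can flood the console, so either rate-limit the message or rely on a dedicated counter, and make the text describe the condition (a KTLS-framed packet reaching an interface without IFCAP_MEXTPG). The branch also changes what callers see: before, this failure always returned ENOBUFS, now EINVAL and any errno other than ENOMEM are passed through unchanged, which deserves a line in the commit message or a comment in place of `/* XXXKIB */`.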
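
Review bot: in sys/netinet6/ip6_output.c, hunk @@ -792, the errno triage before `goto no_ipsec` is a copy of the IPv4 block, including the unexplained `/* XXXKIB */`, and ip6s_odropped is only incremented for ENOMEM, so packets that leave without IPsec processing are not counted anywhere. Since the same four-way pattern now appears in both files, a small shared helper that maps the mb_unmapped_to_ext() result to "drop", "skip IPsec" or "continue" would keep the IPv4 and IPv6 paths from drifting apart, and would give one place to document the decision and add the counter.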
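
Review bot: in sys/netinet6/ip6_output.c, hunk @@ -1106, `return (error)` leaves the function directly on failure while `m` is no longer reassigned, so who owns the mbuf chain at that point needs to be stated. The old code set `m` to NULL on failure; the new call leaves `m` untouched, and the IPsec hunks keep using `m` after a non-ENOMEM error, which implies the chain is still live in that case. If that is so, this early return leaks it on EINVAL, whereas the IPv4 counterpart uses `goto bad`. Conversely, if the callee frees the chain on ENOMEM, the paths that reach `bad` with the old `m` pointer need checking for a double free. Please document the ownership contract of mb_unmapped_to_ext(m, &m1) per errno next to these call sites and make the IPv6 exit match it.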