The current workaround to disable parallel IPsec did not work.

Variable nettaskqs must not change at runtime.  Interface input
queues choose the thread during init with ifiq_softnet = net_tq().
So it cannot be modified after pfkeyv2_send() sets the first SA in
kernel.  Also changing the calculation in net_tq() may call task_del()
with a different taskq than task_add().
Instead of restricting the index to the first softnet task, use an
exclusive lock.  For now just move the comment.  We can later decide
if a write net lock or kernel lock is better.
OK mvs@

diff --git a/sys/net/if.c b/sys/net/if.c
index 91f544e..8fe99ef 100644 (file)
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: if.c,v 1.642 2021/06/30 13:23:33 bluhm Exp $  */
+/*     $OpenBSD: if.c,v 1.643 2021/07/20 16:32:28 bluhm Exp $  */
 /*     $NetBSD: if.c,v 1.35 1996/05/07 05:26:04 thorpej Exp $  */
 
 /*
@@ -834,6 +834,12 @@ if_input_process(struct ifnet *ifp, struct mbuf_list *ml)
         * to PF globals, pipex globals, unicast and multicast addresses
         * lists and the socket layer.
         */
+
+       /*
+        * XXXSMP IPsec data structures are not ready to be accessed
+        * by multiple network threads in parallel.  In this case
+        * use an exclusive lock.
+        */
        NET_LOCK();
        while ((m = ml_dequeue(ml)) != NULL)
                (*ifp->if_input)(ifp, m);
@@ -3311,17 +3317,14 @@ unhandled_af(int af)
        panic("unhandled af %d", af);
 }
 
-/*
- * XXXSMP This tunable is here to work around the fact that IPsec
- * globals aren't ready to be accessed by multiple threads in
- * parallel.
- */
-int             nettaskqs = NET_TASKQ;
-
 struct taskq *
 net_tq(unsigned int ifindex)
 {
        struct taskq *t = NULL;
+       static int nettaskqs;
+
+       if (nettaskqs == 0)
+               nettaskqs = min(NET_TASKQ, ncpus);
 
        t = nettqmp[ifindex % nettaskqs];
 

diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index d807207..9e7f9bb 100644 (file)
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.c,v 1.218 2021/07/14 22:39:26 tobhe Exp $ */
+/* $OpenBSD: pfkeyv2.c,v 1.219 2021/07/20 16:32:28 bluhm Exp $ */
 
 /*
  *     @(#)COPYRIGHT   1.1 (NRL) 17 January 1995
@@ -2019,14 +2019,6 @@ pfkeyv2_send(struct socket *so, void *message, int len)
                        }
                        TAILQ_INSERT_HEAD(&ipsec_policy_head, ipo, ipo_list);
                        ipsec_in_use++;
-                       /*
-                        * XXXSMP IPsec data structures are not ready to be
-                        * accessed by multiple Network threads in parallel,
-                        * so force all packets to be processed by the first
-                        * one.
-                        */
-                       extern int nettaskqs;
-                       nettaskqs = 1;
                } else {
                        ipo->ipo_last_searched = ipo->ipo_flags = 0;
                }