authorAlexander Bluhm <bluhm@cvs.openbsd.org>2021-07-21 11:11:42 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2021-07-21 11:11:42 +0000
commit0b0b1aa76fed28622612b3d2484876f359a0f3d6 (patch)
tree09740003054fc97363655b3e1aeaf354db8c1fb9
parent273d79706c7b1fa005f65b0bb20125b17a685839 (diff)
Propagate errors from crypto_invoke() and count them in IPsec. They
should not happen, but always check error conditions. tq is never NULL, remove the check. tdb->tdb_odrops++ is not MP safe, but will be addressed separately in ipsec_output_cb(). OK mvs@
-rw-r--r--sys/crypto/crypto.c10
-rw-r--r--sys/netinet/ipsec_output.c9
2 files changed, 12 insertions, 7 deletions
diff --git a/sys/crypto/crypto.c b/sys/crypto/crypto.c
index e6bac747ee5..4f3f1f85509 100644
--- a/sys/crypto/crypto.c
+++ b/sys/crypto/crypto.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crypto.c,v 1.83 2021/06/30 12:21:02 bluhm Exp $ */
+/* $OpenBSD: crypto.c,v 1.84 2021/07/21 11:11:41 bluhm Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
@@ -388,7 +388,7 @@ int
crypto_dispatch(struct cryptop *crp)
{
struct taskq *tq = crypto_taskq;
- int s;
+ int error = 0, s;
u_int32_t hid;
s = splvm();
@@ -399,14 +399,14 @@ crypto_dispatch(struct cryptop *crp)
}
splx(s);
- if (tq && !(crp->crp_flags & CRYPTO_F_NOQUEUE)) {
+ if ((crp->crp_flags & CRYPTO_F_NOQUEUE) == 0) {
task_set(&crp->crp_task, (void (*))crypto_invoke, crp);
task_add(tq, &crp->crp_task);
} else {
- crypto_invoke(crp);
+ error = crypto_invoke(crp);
}
- return 0;
+ return error;
}
/*
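Review bot: The error is propagated only on the `CRYPTO_F_NOQUEUE` branch. On the queued branch `crypto_invoke` is handed to `task_set()` through a cast, so whatever it returns when the task runs is discarded and `crypto_dispatch()` still returns 0. A caller that checks the return value, as ipsec_output_cb() now does in this commit, will not see or count failures from the queued path unless crypto_invoke() also reports them through the request's callback, which is not visible in this hunk. I would state that contract above the branch, e.g. `/* queued: the result of crypto_invoke() is not returned here, failures must reach the caller through the request callback */`. The opening lines of crypto_dispatch() are in the previous hunk.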
diff --git a/sys/netinet/ipsec_output.c b/sys/netinet/ipsec_output.c
index a1f1616addd..9f39a532930 100644
--- a/sys/netinet/ipsec_output.c
+++ b/sys/netinet/ipsec_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_output.c,v 1.82 2021/07/08 15:13:14 bluhm Exp $ */
+/* $OpenBSD: ipsec_output.c,v 1.83 2021/07/21 11:11:41 bluhm Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
@@ -418,7 +418,12 @@ ipsec_output_cb(struct cryptop *crp)
if (tdb->tdb_cryptoid != 0)
tdb->tdb_cryptoid = crp->crp_sid;
NET_UNLOCK();
- crypto_dispatch(crp);
+ error = crypto_dispatch(crp);
+ if (error) {
+ DPRINTF("crypto dispatch error %d", error);
+ ipsecstat_inc(ipsec_odrops);
+ tdb->tdb_odrops++;
+ }
return;
}
DPRINTF("crypto error %d", crp->crp_etype);
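Review bot: The new `if (error)` branch counts the drop and then reaches `return;` without releasing anything, so if `crypto_dispatch()` fails before the callback is invoked again, `crp` and the packet attached to it look like they are leaked on this path. A counter that rises while the memory stays allocated turns a repeated dispatch failure into slow resource exhaustion, which is worth closing even for a "should not happen" case. I would send this failure through the same cleanup the function uses for other crypto errors, keeping in mind that `NET_UNLOCK()` has already run here, or at minimum mark it with `/* XXX crp and its mbuf are not freed on this path */`. The cleanup code and the rest of ipsec_output_cb() are outside the hunk, so this needs confirming against the full function.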