authormvs <mvs@cvs.openbsd.org>2021-07-18 18:19:23 +0000
committermvs <mvs@cvs.openbsd.org>2021-07-18 18:19:23 +0000
commitc93d850d138320329d2c0c2a489b5bb667437b0a (patch)
tree9137d2a8e2a171aa8eacce328cf51dbfab6492b8 /sys/netinet/ip_ipsp.h
parent6f3ddf830bc1137d17b7dfbe928fe993fa1695fa (diff)
Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout(). ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is already running and awaiting netlock to be released, so reused `ids' will be silently removed in this case. ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler is running because timeout_del(9) called by ipsp_ids_insert() clears its triggered state. So ipsp_ids_timeout() could be scheduled to run twice in this case. Also hrvoje@ reported that ipsec(4) throughput increased with this diff so it seems we caught a significant number of ipsp_ids_insert() races. tests and feedback by hrvoje@ ok bluhm@
Diffstat (limited to 'sys/netinet/ip_ipsp.h')
-rw-r--r--sys/netinet/ip_ipsp.h5
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index ba2c7c616fb..2528811eab0 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.202 2021/07/18 14:38:20 bluhm Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.203 2021/07/18 18:19:22 mvs Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -226,13 +226,14 @@ struct ipsec_id {
};
struct ipsec_ids {
+ LIST_ENTRY(ipsec_ids) id_gc_list;
RBT_ENTRY(ipsec_ids) id_node_id;
RBT_ENTRY(ipsec_ids) id_node_flow;
struct ipsec_id *id_local;
struct ipsec_id *id_remote;
u_int32_t id_flow;
int id_refcount;
- struct timeout id_timeout;
+ u_int id_gc_ttl;
};
RBT_HEAD(ipsec_ids_flows, ipsec_ids);
RBT_HEAD(ipsec_ids_tree, ipsec_ids);
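Review bot: The two members added to `struct ipsec_ids`, `id_gc_list` and `id_gc_ttl`, have no comment saying which lock protects them or what unit the TTL counts in. This commit exists to close races on the lifetime of these objects, so the locking contract belongs next to the fields. Something like `LIST_ENTRY(ipsec_ids) id_gc_list; /* linkage on the GC list, netlock held (confirm) */` and `u_int id_gc_ttl; /* GC passes left before destruction (confirm unit) */` would do. `id_refcount` is still a plain `int`, so the same comment should say that it is only changed under that lock; the commit message implies this is netlock, but the header does not state it. Without that, a later caller that touches the refcount or the GC linkage unlocked could bring back the kind of race described in the commit message.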