ipsec_offload: do not leak drv_spi unr

in the ipsec_accel_sa_newkey_cb() when the SA offload is only enabled
on a specific different interface, not the current one.

Also remove no longer relevant XXX comment.

Noted and reviewed by:	slavash
Sponsored by:	NVidia networking
MFC after:	1 week

1 files changed, 6 insertions, 7 deletions

diff --git a/sys/netipsec/ipsec_offload.c b/sys/netipsec/ipsec_offload.c
index 59a107881676..3583fc50f51b 100644
--- a/sys/netipsec/ipsec_offload.c
+++ b/sys/netipsec/ipsec_offload.c
@@ -289,19 +289,18 @@ ipsec_accel_sa_newkey_cb(if_t ifp, void *arg)
 	    be32toh(tq->sav->spi), tq->sav->flags, tq->sav->seq);
 	priv = NULL;
 	drv_spi = alloc_unr(drv_spi_unr);
-	if (tq->sav->accel_ifname != NULL &&
-	    strcmp(tq->sav->accel_ifname, if_name(ifp)) != 0) {
-		error = ipsec_accel_handle_sav(tq->sav,
-		    ifp, drv_spi, priv, IFP_HS_REJECTED, NULL);
-		goto out;
-	}
 	if (drv_spi == -1) {
-		/* XXXKIB */
 		dprintf("ipsec_accel_sa_install_newkey: cannot alloc "
 		    "drv_spi if %s spi %#x\n", if_name(ifp),
 		    be32toh(tq->sav->spi));
 		return (0);
 	}
+	if (tq->sav->accel_ifname != NULL &&
+	    strcmp(tq->sav->accel_ifname, if_name(ifp)) != 0) {
+		error = ipsec_accel_handle_sav(tq->sav,
+		    ifp, drv_spi, priv, IFP_HS_REJECTED, NULL);
+		goto out;
+	}
 	error = ifp->if_ipsec_accel_m->if_sa_newkey(ifp, tq->sav,
 	    drv_spi, &priv);
 	if (error != 0) {