1 files changed, 18 insertions, 0 deletions

diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index 75b3d75..aee9382 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -174,6 +174,15 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 	/* Crypto operation descriptor */
 	crp->crp_ilen = m->m_pkthdr.len - (skip + hlen);
 	crp->crp_flags = CRYPTO_F_IMBUF;
+	/*
+	 * When using crypto support the operates "synchronously" (e.g.
+	 * software crypto) mark the operation for immediate callback to
+	 * avoid the context switch.  This increases the amount of kernel
+	 * stack required to process a frame but we assume there is enough
+	 * to do this.
+	 */
+	if (CRYPTO_SESID2CAPS(sav->tdb_cryptoid) & CRYPTOCAP_F_SYNC)
+		crp->crp_flags |= CRYPTO_F_CBIMM;
 	crp->crp_buf = (caddr_t) m;
 	crp->crp_callback = ipcomp_input_cb;
 	crp->crp_sid = sav->tdb_cryptoid;
@@ -478,6 +487,15 @@ ipcomp_output(
 	/* Crypto operation descriptor */
 	crp->crp_ilen = m->m_pkthdr.len;	/* Total input length */
 	crp->crp_flags = CRYPTO_F_IMBUF;
+	/*
+	 * When using crypto support the operates "synchronously" (e.g.
+	 * software crypto) mark the operation for immediate callback to
+	 * avoid the context switch.  This increases the amount of kernel
+	 * stack required to process a frame but we assume there is enough
+	 * to do this.
+	 */
+	if (CRYPTO_SESID2CAPS(sav->tdb_cryptoid) & CRYPTOCAP_F_SYNC)
+		crp->crp_flags |= CRYPTO_F_CBIMM;
 	crp->crp_buf = (caddr_t) m;
 	crp->crp_callback = ipcomp_output_cb;
 	crp->crp_opaque = (caddr_t) tc;