[2/5] xfrm: Pass UDP encapsulation in TX packet offload

Message ID	20240306100438.3953516-3-steffen.klassert@secunet.com (mailing list archive)
State	Accepted
Commit	983a73da1f996faee9997149eb05b12fa7bd8cbf
Delegated to:	Netdev Maintainers
Headers	show Received: from a.mx.secunet.com (a.mx.secunet.com [62.96.220.36]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 69F0D5EE8E for <netdev@vger.kernel.org>; Wed, 6 Mar 2024 10:04:54 +0000 (UTC) From: Steffen Klassert <steffen.klassert@secunet.com> To: David Miller <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org> CC: Herbert Xu <herbert@gondor.apana.org.au>, Steffen Klassert <steffen.klassert@secunet.com>, <netdev@vger.kernel.org> Subject: [PATCH 2/5] xfrm: Pass UDP encapsulation in TX packet offload Date: Wed, 6 Mar 2024 11:04:35 +0100 Message-ID: <20240306100438.3953516-3-steffen.klassert@secunet.com> In-Reply-To: <20240306100438.3953516-1-steffen.klassert@secunet.com> References: <20240306100438.3953516-1-steffen.klassert@secunet.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	[1/5] xfrm: Clear low order bits of ->flowi4_tos in decode_session4(). \| expand [1/5] xfrm: Clear low order bits of ->flowi4_tos in decode_session4(). [2/5] xfrm: Pass UDP encapsulation in TX packet offload [3/5] xfrm: Avoid clang fortify warning in copy_to_user_tmpl() [4/5] xfrm: fix xfrm child route lookup for packet offload [5/5] xfrm: set skb control buffer based on packet offload as well

Context	Check	Description
netdev/series_format	warning	Pull request is its own cover letter; Target tree name not specified in the subject
netdev/tree_selection	success	Guessed tree name to be net-next
netdev/ynl	success	Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 942 this patch: 942
netdev/build_tools	success	No tools touched, skip
netdev/cc_maintainers	fail	2 blamed authors not CCed: leon@kernel.org pabeni@redhat.com; 3 maintainers not CCed: leon@kernel.org pabeni@redhat.com edumazet@google.com
netdev/build_clang	success	Errors and warnings before: 957 this patch: 957
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	success	Errors and warnings before: 958 this patch: 958
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/build_clang_rust	success	No Rust files in patch. Skipping build
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0
netdev/contest	success	net-next-2024-03-06--21-00 (tests: 892)

Steffen Klassert March 6, 2024, 10:04 a.m. UTC

From: Leon Romanovsky <leonro@nvidia.com>

In addition to citied commit in Fixes line, allow UDP encapsulation in
TX path too.

Fixes: 89edf40220be ("xfrm: Support UDP encapsulation in packet offload mode")
CC: Steffen Klassert <steffen.klassert@secunet.com>
Reported-by: Mike Yu <yumike@google.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 net/xfrm/xfrm_device.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Paolo Abeni March 11, 2024, 4:25 p.m. UTC | #1

Hi,

On Wed, 2024-03-06 at 11:04 +0100, Steffen Klassert wrote:
> From: Leon Romanovsky <leonro@nvidia.com>
> 
> In addition to citied commit in Fixes line, allow UDP encapsulation in
> TX path too.
> 
> Fixes: 89edf40220be ("xfrm: Support UDP encapsulation in packet offload mode")
> CC: Steffen Klassert <steffen.klassert@secunet.com>
> Reported-by: Mike Yu <yumike@google.com>
> Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

This is causing self-test failures:

https://netdev.bots.linux.dev/flakes.html?tn-needle=pmtu-sh

reverting this change locally resolves the issue.

@Leon, @Steffen: could you please have a look?

Thanks!

Paolo

Jakub Kicinski March 11, 2024, 5:05 p.m. UTC | #2

On Mon, 11 Mar 2024 17:25:03 +0100 Paolo Abeni wrote:
> Hi,
> 
> On Wed, 2024-03-06 at 11:04 +0100, Steffen Klassert wrote:
> > From: Leon Romanovsky <leonro@nvidia.com>
> > 
> > In addition to citied commit in Fixes line, allow UDP encapsulation in
> > TX path too.
> > 
> > Fixes: 89edf40220be ("xfrm: Support UDP encapsulation in packet offload mode")
> > CC: Steffen Klassert <steffen.klassert@secunet.com>
> > Reported-by: Mike Yu <yumike@google.com>
> > Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
> > Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
> > Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>  
> 
> This is causing self-test failures:
> 
> https://netdev.bots.linux.dev/flakes.html?tn-needle=pmtu-sh
> 
> reverting this change locally resolves the issue.
> 
> @Leon, @Steffen: could you please have a look?

The failure in rtnetlink.sh seems to also be xfrm related:

# FAIL: ipsec_offload can't create SA

https://netdev-3.bots.linux.dev/vmksft-net-dbg/results/502821/10-rtnetlink-sh/stdout

Jakub Kicinski March 12, 2024, 2:46 a.m. UTC | #3

On Mon, 11 Mar 2024 10:05:10 -0700 Jakub Kicinski wrote:
> > This is causing self-test failures:
> > 
> > https://netdev.bots.linux.dev/flakes.html?tn-needle=pmtu-sh
> > 
> > reverting this change locally resolves the issue.
> > 
> > @Leon, @Steffen: could you please have a look?  
> 
> The failure in rtnetlink.sh seems to also be xfrm related:
> 
> # FAIL: ipsec_offload can't create SA
> 
> https://netdev-3.bots.linux.dev/vmksft-net-dbg/results/502821/10-rtnetlink-sh/stdout

That failure resolved itself, FWIW, so ignore that.

Steffen Klassert March 12, 2024, 6:20 a.m. UTC | #4

On Mon, Mar 11, 2024 at 05:25:03PM +0100, Paolo Abeni wrote:
> Hi,
> 
> On Wed, 2024-03-06 at 11:04 +0100, Steffen Klassert wrote:
> > From: Leon Romanovsky <leonro@nvidia.com>
> > 
> > In addition to citied commit in Fixes line, allow UDP encapsulation in
> > TX path too.
> > 
> > Fixes: 89edf40220be ("xfrm: Support UDP encapsulation in packet offload mode")
> > CC: Steffen Klassert <steffen.klassert@secunet.com>
> > Reported-by: Mike Yu <yumike@google.com>
> > Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
> > Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
> > Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
> 
> This is causing self-test failures:
> 
> https://netdev.bots.linux.dev/flakes.html?tn-needle=pmtu-sh
> 
> reverting this change locally resolves the issue.
> 
> @Leon, @Steffen: could you please have a look?

Looks like the check for x->encap was removed unconditionally.
I should just be removed when XFRM_DEV_OFFLOAD_PACKET is set,
otherwise we might create a GSO packet with UPD encapsulation.

Leon?

Leon Romanovsky March 12, 2024, 11:15 a.m. UTC | #5

On Tue, Mar 12, 2024 at 07:20:06AM +0100, Steffen Klassert wrote:
> On Mon, Mar 11, 2024 at 05:25:03PM +0100, Paolo Abeni wrote:
> > Hi,
> > 
> > On Wed, 2024-03-06 at 11:04 +0100, Steffen Klassert wrote:
> > > From: Leon Romanovsky <leonro@nvidia.com>
> > > 
> > > In addition to citied commit in Fixes line, allow UDP encapsulation in
> > > TX path too.
> > > 
> > > Fixes: 89edf40220be ("xfrm: Support UDP encapsulation in packet offload mode")
> > > CC: Steffen Klassert <steffen.klassert@secunet.com>
> > > Reported-by: Mike Yu <yumike@google.com>
> > > Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
> > > Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
> > > Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
> > 
> > This is causing self-test failures:
> > 
> > https://netdev.bots.linux.dev/flakes.html?tn-needle=pmtu-sh
> > 
> > reverting this change locally resolves the issue.
> > 
> > @Leon, @Steffen: could you please have a look?
> 
> Looks like the check for x->encap was removed unconditionally.
> I should just be removed when XFRM_DEV_OFFLOAD_PACKET is set,
> otherwise we might create a GSO packet with UPD encapsulation.
> 
> Leon?

Right, I missed IPsec SW path, that x->encap check can be removed
in packet offload because HW supports it and in crypto offload, because
there is a check in xfrm_dev_state_add() to prevent it.

What about this fix?

diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
index 653e51ae3964..6e3e5a09cfeb 100644
--- a/net/xfrm/xfrm_device.c
+++ b/net/xfrm/xfrm_device.c
@@ -407,7 +407,7 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
        struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
        struct net_device *dev = x->xso.dev;

-       if (!x->type_offload)
+       if (!x->type_offload || x->xso.type == XFRM_DEV_OFFLOAD_UNSPECIFIED)
                return false;

        if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET ||


Thanks



>

Steffen Klassert March 12, 2024, 11:20 a.m. UTC | #6

On Tue, Mar 12, 2024 at 01:15:28PM +0200, Leon Romanovsky wrote:
> On Tue, Mar 12, 2024 at 07:20:06AM +0100, Steffen Klassert wrote:
> > On Mon, Mar 11, 2024 at 05:25:03PM +0100, Paolo Abeni wrote:
> > > Hi,
> > > 
> > > On Wed, 2024-03-06 at 11:04 +0100, Steffen Klassert wrote:
> > > > From: Leon Romanovsky <leonro@nvidia.com>
> > > > 
> > > > In addition to citied commit in Fixes line, allow UDP encapsulation in
> > > > TX path too.
> > > > 
> > > > Fixes: 89edf40220be ("xfrm: Support UDP encapsulation in packet offload mode")
> > > > CC: Steffen Klassert <steffen.klassert@secunet.com>
> > > > Reported-by: Mike Yu <yumike@google.com>
> > > > Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
> > > > Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
> > > > Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
> > > 
> > > This is causing self-test failures:
> > > 
> > > https://netdev.bots.linux.dev/flakes.html?tn-needle=pmtu-sh
> > > 
> > > reverting this change locally resolves the issue.
> > > 
> > > @Leon, @Steffen: could you please have a look?
> > 
> > Looks like the check for x->encap was removed unconditionally.
> > I should just be removed when XFRM_DEV_OFFLOAD_PACKET is set,
> > otherwise we might create a GSO packet with UPD encapsulation.
> > 
> > Leon?
> 
> Right, I missed IPsec SW path, that x->encap check can be removed
> in packet offload because HW supports it and in crypto offload, because
> there is a check in xfrm_dev_state_add() to prevent it.
> 
> What about this fix?
> 
> diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
> index 653e51ae3964..6e3e5a09cfeb 100644
> --- a/net/xfrm/xfrm_device.c
> +++ b/net/xfrm/xfrm_device.c
> @@ -407,7 +407,7 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
>         struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
>         struct net_device *dev = x->xso.dev;
> 
> -       if (!x->type_offload)
> +       if (!x->type_offload || x->xso.type == XFRM_DEV_OFFLOAD_UNSPECIFIED)
>                 return false;

Then we can't generate GSO packets for the SW path anymore. We just need
to reject UDP enacpsulation in SW here.

Leon Romanovsky March 12, 2024, 11:26 a.m. UTC | #7

On Tue, Mar 12, 2024 at 12:20:49PM +0100, Steffen Klassert wrote:
> On Tue, Mar 12, 2024 at 01:15:28PM +0200, Leon Romanovsky wrote:
> > On Tue, Mar 12, 2024 at 07:20:06AM +0100, Steffen Klassert wrote:
> > > On Mon, Mar 11, 2024 at 05:25:03PM +0100, Paolo Abeni wrote:
> > > > Hi,
> > > > 
> > > > On Wed, 2024-03-06 at 11:04 +0100, Steffen Klassert wrote:
> > > > > From: Leon Romanovsky <leonro@nvidia.com>
> > > > > 
> > > > > In addition to citied commit in Fixes line, allow UDP encapsulation in
> > > > > TX path too.
> > > > > 
> > > > > Fixes: 89edf40220be ("xfrm: Support UDP encapsulation in packet offload mode")
> > > > > CC: Steffen Klassert <steffen.klassert@secunet.com>
> > > > > Reported-by: Mike Yu <yumike@google.com>
> > > > > Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
> > > > > Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
> > > > > Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
> > > > 
> > > > This is causing self-test failures:
> > > > 
> > > > https://netdev.bots.linux.dev/flakes.html?tn-needle=pmtu-sh
> > > > 
> > > > reverting this change locally resolves the issue.
> > > > 
> > > > @Leon, @Steffen: could you please have a look?
> > > 
> > > Looks like the check for x->encap was removed unconditionally.
> > > I should just be removed when XFRM_DEV_OFFLOAD_PACKET is set,
> > > otherwise we might create a GSO packet with UPD encapsulation.
> > > 
> > > Leon?
> > 
> > Right, I missed IPsec SW path, that x->encap check can be removed
> > in packet offload because HW supports it and in crypto offload, because
> > there is a check in xfrm_dev_state_add() to prevent it.
> > 
> > What about this fix?
> > 
> > diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
> > index 653e51ae3964..6e3e5a09cfeb 100644
> > --- a/net/xfrm/xfrm_device.c
> > +++ b/net/xfrm/xfrm_device.c
> > @@ -407,7 +407,7 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
> >         struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
> >         struct net_device *dev = x->xso.dev;
> > 
> > -       if (!x->type_offload)
> > +       if (!x->type_offload || x->xso.type == XFRM_DEV_OFFLOAD_UNSPECIFIED)
> >                 return false;
> 
> Then we can't generate GSO packets for the SW path anymore. We just need
> to reject UDP enacpsulation in SW here.

Is it better?

diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
index 653e51ae3964..6346690d5c69 100644
--- a/net/xfrm/xfrm_device.c
+++ b/net/xfrm/xfrm_device.c
@@ -407,7 +407,8 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
        struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
        struct net_device *dev = x->xso.dev;

-       if (!x->type_offload)
+       if (!x->type_offload ||
+           (x->xso.type == XFRM_DEV_OFFLOAD_UNSPECIFIED && x->encap))
                return false;

        if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET ||

>

Steffen Klassert March 12, 2024, 11:36 a.m. UTC | #8

On Tue, Mar 12, 2024 at 01:26:30PM +0200, Leon Romanovsky wrote:
> 
> Is it better?
> 
> diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
> index 653e51ae3964..6346690d5c69 100644
> --- a/net/xfrm/xfrm_device.c
> +++ b/net/xfrm/xfrm_device.c
> @@ -407,7 +407,8 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
>         struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
>         struct net_device *dev = x->xso.dev;
> 
> -       if (!x->type_offload)
> +       if (!x->type_offload ||
> +           (x->xso.type == XFRM_DEV_OFFLOAD_UNSPECIFIED && x->encap))
>                 return false;

Yes, that should do it.

Thanks!

[2/5] xfrm: Pass UDP encapsulation in TX packet offload

Checks

Commit Message

Comments

Patch