diff mbox series

[GIT,PULL,v1] Improve IPsec limits, ESN and replay window

Message ID 20230406071902.712388-1-leon@kernel.org (mailing list archive)
State Accepted
Commit 4bcdfc3ab217b2e1d1ea89ac00870b6bb247e183
Delegated to: Netdev Maintainers
Headers show
Series [GIT,PULL,v1] Improve IPsec limits, ESN and replay window | expand

Pull-request

https://git.kernel.org/pub/scm/linux/kernel/git/mellanox/linux.git/ tags/ipsec-esn-replay

Checks

Context Check Description
netdev/tree_selection success Pull request for net
netdev/build_32bit success Errors and warnings before: 259 this patch: 259
netdev/build_clang success Errors and warnings before: 22 this patch: 22
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 247 this patch: 247

Commit Message

Leon Romanovsky April 6, 2023, 7:19 a.m. UTC 
This series overcomes existing hardware limitations in Mellanox ConnectX
devices around handling IPsec soft and hard limits.

In addition, the ESN logic is tied and added an interface to configure
replay window sequence numbers through existing iproute2 interface.

  ip xfrm state ... [ replay-seq SEQ ] [ replay-oseq SEQ ]
                    [ replay-seq-hi SEQ ] [ replay-oseq-hi SEQ ]

Link: https://lore.kernel.org/all/cover.1680162300.git.leonro@nvidia.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
----------------------------------------------------------------
Changelog:
v1:
 * Added Steffen's Acked-by to XFRM patch
 https://lore.kernel.org/all/ZC1Prk8HqIcpedcm@gauss3.secunet.de
 * Fixed memory leak in "net/mlx5e: Generalize IPsec work structs" patch
https://lore.kernel.org/all/285a1550242363de181bab3a07a69296f66ad9a8.1680162300.git.leonro@nvidia.com


v0: https://lore.kernel.org/all/20230403064154.12443-1-leon@kernel.org
----------------------------------------------------------------

The following changes since commit 5a6cddb89b51d99a7702e63829644a5860dd9c41:

  net/mlx5e: Update IPsec per SA packets/bytes count (2023-03-20 11:29:52 +0200)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/mellanox/linux.git/ tags/ipsec-esn-replay

for you to fetch changes up to b2f7b01d36a9b94fbd7489bd1228025ea7e7a2f4:

  net/mlx5e: Simulate missing IPsec TX limits hardware functionality (2023-04-06 10:12:03 +0300)

----------------------------------------------------------------
Leon Romanovsky (10):
      net/mlx5e: Factor out IPsec ASO update function
      net/mlx5e: Prevent zero IPsec soft/hard limits
      net/mlx5e: Add SW implementation to support IPsec 64 bit soft and hard limits
      net/mlx5e: Overcome slow response for first IPsec ASO WQE
      xfrm: don't require advance ESN callback for packet offload
      net/mlx5e: Remove ESN callbacks if it is not supported
      net/mlx5e: Set IPsec replay sequence numbers
      net/mlx5e: Reduce contention in IPsec workqueue
      net/mlx5e: Generalize IPsec work structs
      net/mlx5e: Simulate missing IPsec TX limits hardware functionality

 .../ethernet/mellanox/mlx5/core/en_accel/ipsec.c   | 331 ++++++++++++++++++---
 .../ethernet/mellanox/mlx5/core/en_accel/ipsec.h   |  47 ++-
 .../mellanox/mlx5/core/en_accel/ipsec_fs.c         |  31 +-
 .../mellanox/mlx5/core/en_accel/ipsec_offload.c    | 198 +++++++++---
 net/xfrm/xfrm_device.c                             |   2 +-
 5 files changed, 498 insertions(+), 111 deletions(-)

Comments

Leon Romanovsky April 7, 2023, 7:01 p.m. UTC | #1 
On Thu, Apr 06, 2023 at 10:19:02AM +0300, Leon Romanovsky wrote:
> This series overcomes existing hardware limitations in Mellanox ConnectX
> devices around handling IPsec soft and hard limits.
> 
> In addition, the ESN logic is tied and added an interface to configure
> replay window sequence numbers through existing iproute2 interface.
> 
>   ip xfrm state ... [ replay-seq SEQ ] [ replay-oseq SEQ ]
>                     [ replay-seq-hi SEQ ] [ replay-oseq-hi SEQ ]
> 
> Link: https://lore.kernel.org/all/cover.1680162300.git.leonro@nvidia.com
> Signed-off-by: Leon Romanovsky <leon@kernel.org>
> ----------------------------------------------------------------

Hi,

I see that this PR is marked as "Awaiting upstream".
What does it mean in context of this PR?
https://patchwork.kernel.org/project/netdevbpf/patch/20230406071902.712388-1-leon@kernel.org/

Thanks
patchwork-bot+netdevbpf@kernel.org April 8, 2023, 3:10 a.m. UTC | #2 
Hello:

This pull request was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Thu,  6 Apr 2023 10:19:02 +0300 you wrote:
> This series overcomes existing hardware limitations in Mellanox ConnectX
> devices around handling IPsec soft and hard limits.
> 
> In addition, the ESN logic is tied and added an interface to configure
> replay window sequence numbers through existing iproute2 interface.
> 
>   ip xfrm state ... [ replay-seq SEQ ] [ replay-oseq SEQ ]
>                     [ replay-seq-hi SEQ ] [ replay-oseq-hi SEQ ]
> 
> [...]

Here is the summary with links:
  - [GIT,PULL,v1] Improve IPsec limits, ESN and replay window
    https://git.kernel.org/netdev/net-next/c/4bcdfc3ab217

You are awesome, thank you!
diff mbox series

Patch

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
index 0916309cf296..9a4c4bc64155 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -707,6 +707,7 @@  static int mlx5e_xfrm_add_state(struct xfrm_state *x,
 release_dwork:
        kfree(sa_entry->dwork);
 release_work:
+       kfree(sa_entry->work->data);
        kfree(sa_entry->work);
 err_xfrm:
        kfree(sa_entry);
@@ -750,6 +751,7 @@  static void mlx5e_xfrm_free_state(struct xfrm_state *x)
        mlx5e_accel_ipsec_fs_del_rule(sa_entry);
        mlx5_ipsec_free_sa_ctx(sa_entry);
        kfree(sa_entry->dwork);
+       kfree(sa_entry->work->data);
        kfree(sa_entry->work);
 sa_entry_free:
        kfree(sa_entry);