| Message ID | ebe29739-7027-a95f-160f-8f9d6522a09d@secunet.com (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net-next] xfrm: replay: Fix ESN wrap around for GSO | expand |
| Context | Check | Description |
|---|---|---|
| netdev/tree_selection | success | Clearly marked for net-next |
| netdev/apply | fail | Patch does not apply to net-next |
On Tue, Sep 27, 2022 at 11:28:08AM +0200, Christian Langrock wrote: > When using GSO it can happen that the wrong seq_hi is used for the last > packets before the wrap around. To avoid this, we should serialize this > last GSO packet. > > Fixes: d7dbefc45cf55 ("xfrm: Add xfrm_replay_overflow functions for > offloading") > Please remove extra line between Fixes and SOB. > Signed-off-by: Christian Langrock <christian.langrock@secunet.com> > --- > include/net/xfrm.h | 1 + > net/xfrm/xfrm_output.c | 2 +- > net/xfrm/xfrm_replay.c | 36 ++++++++++++++++++++++++++++++++++++ > 3 files changed, 38 insertions(+), 1 deletion(-) > > diff --git a/include/net/xfrm.h b/include/net/xfrm.h > index 6e8fa98f786f..49d6d974f493 100644 > --- a/include/net/xfrm.h > +++ b/include/net/xfrm.h > @@ -1749,6 +1749,7 @@ void xfrm_replay_advance(struct xfrm_state *x, > __be32 net_seq); > int xfrm_replay_check(struct xfrm_state *x, struct sk_buff *skb, __be32 > net_seq); > void xfrm_replay_notify(struct xfrm_state *x, int event); > int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb); > +int xfrm_replay_overflow_check(struct xfrm_state *x, struct sk_buff *skb); > int xfrm_replay_recheck(struct xfrm_state *x, struct sk_buff *skb, > __be32 net_seq); > > static inline int xfrm_aevent_is_on(struct net *net) > diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c > index 9a5e79a38c67..c470a68d9c88 100644 > --- a/net/xfrm/xfrm_output.c > +++ b/net/xfrm/xfrm_output.c > @@ -738,7 +738,7 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb) > skb->encapsulation = 1; > > if (skb_is_gso(skb)) { > - if (skb->inner_protocol) > + if (skb->inner_protocol || xfrm_replay_overflow_check(x, skb)) Maybe it is perfectly fine to call xfrm_output_gso(), but your commit message doesn't explain what is wrong with standard flow. > return xfrm_output_gso(net, sk, skb); > > skb_shinfo(skb)->gso_type |= SKB_GSO_ESP; > diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c > index 9277d81b344c..6c696b6c0a22 100644 > --- a/net/xfrm/xfrm_replay.c > +++ b/net/xfrm/xfrm_replay.c > @@ -750,6 +750,37 @@ int xfrm_replay_overflow(struct xfrm_state *x, > struct sk_buff *skb) > > return xfrm_replay_overflow_offload(x, skb); > } > + > +static int xfrm_replay_overflow_check_offload_esn(struct xfrm_state *x, > struct sk_buff *skb) > +{ The function returns true or false and better to have "static bool ..." as a prototype. > + int ret = 0; > + struct xfrm_offload *xo = xfrm_offload(skb); > + struct xfrm_replay_state_esn *replay_esn = x->replay_esn; > + __u32 oseq = replay_esn->oseq; Reversed Christmas tree. > + > + if (xo && x->type->flags & XFRM_TYPE_REPLAY_PROT) { > + if (skb_is_gso(skb)) { You already checked this. Maybe it is more future proof to write like this, but it is not optimal from performance POV as you perform same checks in datapath. > + oseq = oseq + 1 + skb_shinfo(skb)->gso_segs; > + if (unlikely(oseq < replay_esn->oseq)) { > + ret = 1; > + } > + } > + } > + > + return ret; > +} > + > +int xfrm_replay_overflow_check(struct xfrm_state *x, struct sk_buff *skb) This function doesn't do much except call to another function. > +{ > + switch (x->repl_mode) { > + case XFRM_REPLAY_MODE_ESN: > + return xfrm_replay_overflow_check_offload_esn(x, skb); > + } > + > + return 0; > + > +} > + > #else > int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb) > { > @@ -764,6 +795,11 @@ int xfrm_replay_overflow(struct xfrm_state *x, > struct sk_buff *skb) > > return __xfrm_replay_overflow(x, skb); > } > + > +int xfrm_replay_overflow_check(struct xfrm_state *x, struct sk_buff *skb) > +{ > + return 0; > +} > #endif > > int xfrm_init_replay(struct xfrm_state *x) > -- > 2.37.1.223.g6a475b71f8
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 6e8fa98f786f..49d6d974f493 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -1749,6 +1749,7 @@ void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq); int xfrm_replay_check(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq); void xfrm_replay_notify(struct xfrm_state *x, int event); int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb); +int xfrm_replay_overflow_check(struct xfrm_state *x, struct sk_buff *skb); int xfrm_replay_recheck(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq); static inline int xfrm_aevent_is_on(struct net *net) diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c index 9a5e79a38c67..c470a68d9c88 100644 --- a/net/xfrm/xfrm_output.c +++ b/net/xfrm/xfrm_output.c @@ -738,7 +738,7 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb) skb->encapsulation = 1; if (skb_is_gso(skb)) { - if (skb->inner_protocol) + if (skb->inner_protocol || xfrm_replay_overflow_check(x, skb)) return xfrm_output_gso(net, sk, skb); skb_shinfo(skb)->gso_type |= SKB_GSO_ESP; diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c index 9277d81b344c..6c696b6c0a22 100644 --- a/net/xfrm/xfrm_replay.c +++ b/net/xfrm/xfrm_replay.c @@ -750,6 +750,37 @@ int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb) return xfrm_replay_overflow_offload(x, skb); } + +static int xfrm_replay_overflow_check_offload_esn(struct xfrm_state *x, struct sk_buff *skb) +{ + int ret = 0; + struct xfrm_offload *xo = xfrm_offload(skb); + struct xfrm_replay_state_esn *replay_esn = x->replay_esn; + __u32 oseq = replay_esn->oseq; + + if (xo && x->type->flags & XFRM_TYPE_REPLAY_PROT) { + if (skb_is_gso(skb)) { + oseq = oseq + 1 + skb_shinfo(skb)->gso_segs; + if (unlikely(oseq < replay_esn->oseq)) { + ret = 1; + } + } + } + + return ret; +} + +int xfrm_replay_overflow_check(struct xfrm_state *x, struct sk_buff *skb) +{ + switch (x->repl_mode) { + case XFRM_REPLAY_MODE_ESN: + return xfrm_replay_overflow_check_offload_esn(x, skb); + } + + return 0; + +} + #else
When using GSO it can happen that the wrong seq_hi is used for the last packets before the wrap around. To avoid this, we should serialize this last GSO packet. Fixes: d7dbefc45cf55 ("xfrm: Add xfrm_replay_overflow functions for offloading") Signed-off-by: Christian Langrock <christian.langrock@secunet.com> --- include/net/xfrm.h | 1 + net/xfrm/xfrm_output.c | 2 +- net/xfrm/xfrm_replay.c | 36 ++++++++++++++++++++++++++++++++++++ 3 files changed, 38 insertions(+), 1 deletion(-) int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb) { @@ -764,6 +795,11 @@ int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb) return __xfrm_replay_overflow(x, skb); } + +int xfrm_replay_overflow_check(struct xfrm_state *x, struct sk_buff *skb) +{ + return 0; +} #endif int xfrm_init_replay(struct xfrm_state *x)