From patchwork Mon Mar 24 06:18:48 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steffen Klassert X-Patchwork-Id: 14026774 X-Patchwork-Delegate: kuba@kernel.org Received: by gauss2.secunet.de (Postfix, from userid 1000) id 7B78E3181032; Mon, 24 Mar 2025 07:18:57 +0100 (CET)
From: Steffen Klassert To: David Miller , Jakub Kicinski CC: Herbert Xu , Steffen Klassert , Subject: [PATCH 1/8] xfrm: prevent high SEQ input in non-ESN mode Date: Mon, 24 Mar 2025 07:18:48 +0100 Message-ID: <20250324061855.4116819-2-steffen.klassert@secunet.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250324061855.4116819-1-steffen.klassert@secunet.com> References: <20250324061855.4116819-1-steffen.klassert@secunet.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: cas-essen-02.secunet.de (10.53.40.202) To mbx-essen-02.secunet.de (10.53.40.198) X-EXCLAIMER-MD-CONFIG: 2c86f778-e09b-4440-8b15-867914633a10 X-Patchwork-Delegate: kuba@kernel.org From: Leon Romanovsky In non-ESN mode, the SEQ numbers are limited to 32 bits and seq_hi/oseq_hi are not used. So make sure that user gets proper error message, in case such assignment occurred. Signed-off-by: Leon Romanovsky Signed-off-by: Steffen Klassert --- net/xfrm/xfrm_user.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 08c6d6f0179f..5877eabe9d95 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -178,6 +178,12 @@ static inline int verify_replay(struct xfrm_usersa_info *p, "Replay seq and seq_hi should be 0 for output SA"); return -EINVAL; } + if (rs->oseq_hi && !(p->flags & XFRM_STATE_ESN)) { + NL_SET_ERR_MSG( + extack, + "Replay oseq_hi should be 0 in non-ESN mode for output SA"); + return -EINVAL; + } if (rs->bmp_len) { NL_SET_ERR_MSG(extack, "Replay bmp_len should 0 for output SA"); return -EINVAL; 
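Review bot: the new oseq_hi check in the output-SA branch breaks NL_SET_ERR_MSG( across three lines with extack on a line of its own, while the bmp_len check directly below it keeps "NL_SET_ERR_MSG(extack," on one line. Matching that layout would keep verify_replay() uniform and the message string easy to grep. It would also help to say in the commit message why only oseq_hi is tested here: the check just above already forces seq and seq_hi to 0 for an output SA, so oseq_hi is the one high-order field left that non-ESN mode would otherwise accept and never use.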
@@ -190,6 +196,12 @@ static inline int verify_replay(struct xfrm_usersa_info *p, "Replay oseq and oseq_hi should be 0 for input SA"); return -EINVAL; } + if (rs->seq_hi && !(p->flags & XFRM_STATE_ESN)) { + NL_SET_ERR_MSG( + extack, + "Replay seq_hi should be 0 in non-ESN mode for input SA"); + return -EINVAL; + } } return 0;
From patchwork Mon Mar 24 06:18:49 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steffen Klassert X-Patchwork-Id: 14026777 X-Patchwork-Delegate: kuba@kernel.org Received: by gauss2.secunet.de (Postfix, from userid 1000) id 807BD3182E94;
Mon, 24 Mar 2025 07:18:57 +0100 (CET) From: Steffen Klassert To: David Miller , Jakub Kicinski CC: Herbert Xu , Steffen Klassert , Subject: [PATCH 2/8] xfrm: delay initialization of offload path till its actually requested Date: Mon, 24 Mar 2025 07:18:49 +0100 Message-ID: <20250324061855.4116819-3-steffen.klassert@secunet.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250324061855.4116819-1-steffen.klassert@secunet.com> References: <20250324061855.4116819-1-steffen.klassert@secunet.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: cas-essen-01.secunet.de (10.53.40.201) To mbx-essen-02.secunet.de (10.53.40.198) X-EXCLAIMER-MD-CONFIG: 2c86f778-e09b-4440-8b15-867914633a10 X-Patchwork-Delegate: kuba@kernel.org From: Leon Romanovsky XFRM offload path is probed even if offload isn't needed at all. Let's make sure that x->type_offload pointer stays NULL for such path to reduce ambiguity. Fixes: 9d389d7f84bb ("xfrm: Add a xfrm type offload.") Signed-off-by: Leon Romanovsky Signed-off-by: Steffen Klassert --- include/net/xfrm.h | 11 ++++++++++- net/xfrm/xfrm_device.c | 13 ++++++++----- net/xfrm/xfrm_state.c | 32 ++++++++++++++------------------ net/xfrm/xfrm_user.c | 2 +- 4 files changed, 33 insertions(+), 25 deletions(-) diff --git a/include/net/xfrm.h b/include/net/xfrm.h index ed4b83696c77..e1eed5d47d07 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -464,6 +464,15 @@ struct xfrm_type_offload { int xfrm_register_type_offload(const struct xfrm_type_offload *type, unsigned short family); void xfrm_unregister_type_offload(const struct xfrm_type_offload *type, unsigned short family); +void xfrm_set_type_offload(struct xfrm_state *x); +static inline void xfrm_unset_type_offload(struct xfrm_state *x) +{ + if (!x->type_offload) + return; + + module_put(x->type_offload->owner); + x->type_offload = NULL; +} /** * struct xfrm_mode_cbs - XFRM mode callbacks 
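Review bot: xfrm_set_type_offload() is declared void in this hunk, so a caller can detect a failed lookup only by testing x->type_offload afterwards, and xfrm_unset_type_offload() calls module_put() on x->type_offload->owner with no comment saying where that reference is taken. Consider returning an int or bool from the setter, and add a short comment above the pair stating which call acquires the reference that module_put() releases and that x->type_offload stays NULL for states that are not offloaded.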
@@ -1760,7 +1769,7 @@ void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si); u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq); int xfrm_init_replay(struct xfrm_state *x, struct netlink_ext_ack *extack); u32 xfrm_state_mtu(struct xfrm_state *x, int mtu); -int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload, +int __xfrm_init_state(struct xfrm_state *x, bool init_replay, struct netlink_ext_ack *extack); int xfrm_init_state(struct xfrm_state *x); int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type); diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c index d1fa94e52cea..97c8030cc417 100644 --- a/net/xfrm/xfrm_device.c +++ b/net/xfrm/xfrm_device.c @@ -244,11 +244,6 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, xfrm_address_t *daddr; bool is_packet_offload; - if (!x->type_offload) { - NL_SET_ERR_MSG(extack, "Type doesn't support offload"); - return -EINVAL; - } - if (xuo->flags & ~(XFRM_OFFLOAD_IPV6 | XFRM_OFFLOAD_INBOUND | XFRM_OFFLOAD_PACKET)) { NL_SET_ERR_MSG(extack, "Unrecognized flags in offload request"); @@ -310,6 +305,13 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, return -EINVAL; } + xfrm_set_type_offload(x); + if (!x->type_offload) { + NL_SET_ERR_MSG(extack, "Type doesn't support offload"); + dev_put(dev); + return -EINVAL; + } + xso->dev = dev; netdev_tracker_alloc(dev, &xso->dev_tracker, GFP_ATOMIC); xso->real_dev = dev; @@ -332,6 +334,7 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, netdev_put(dev, &xso->dev_tracker); xso->type = XFRM_DEV_OFFLOAD_UNSPECIFIED; + xfrm_unset_type_offload(x); /* User explicitly requested packet offload mode and configured * policy in addition to the XFRM state. So be civil to users, * and return an error instead of taking fallback path. diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index ad2202fa82f3..69af5964c886 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c 
@@ -424,18 +424,18 @@ void xfrm_unregister_type_offload(const struct xfrm_type_offload *type, } EXPORT_SYMBOL(xfrm_unregister_type_offload); -static const struct xfrm_type_offload * -xfrm_get_type_offload(u8 proto, unsigned short family, bool try_load) +void xfrm_set_type_offload(struct xfrm_state *x) { const struct xfrm_type_offload *type = NULL; struct xfrm_state_afinfo *afinfo; + bool try_load = true; retry: - afinfo = xfrm_state_get_afinfo(family); + afinfo = xfrm_state_get_afinfo(x->props.family); if (unlikely(afinfo == NULL)) - return NULL; + goto out; - switch (proto) { + switch (x->id.proto) { case IPPROTO_ESP: type = afinfo->type_offload_esp; break; @@ -449,18 +449,16 @@ xfrm_get_type_offload(u8 proto, unsigned short family, bool try_load) rcu_read_unlock(); if (!type && try_load) { - request_module("xfrm-offload-%d-%d", family, proto); + request_module("xfrm-offload-%d-%d", x->props.family, + x->id.proto); try_load = false; goto retry; } - return type; -} - -static void xfrm_put_type_offload(const struct xfrm_type_offload *type) -{ - module_put(type->owner); +out: + x->type_offload = type; } +EXPORT_SYMBOL(xfrm_set_type_offload); static const struct xfrm_mode xfrm4_mode_map[XFRM_MODE_MAX] = { [XFRM_MODE_BEET] = { @@ -609,8 +607,6 @@ static void ___xfrm_state_destroy(struct xfrm_state *x) kfree(x->coaddr); kfree(x->replay_esn); kfree(x->preplay_esn); - if (x->type_offload) - xfrm_put_type_offload(x->type_offload); if (x->type) { x->type->destructor(x); xfrm_put_type(x->type); @@ -784,6 +780,8 @@ void xfrm_dev_state_free(struct xfrm_state *x) struct xfrm_dev_offload *xso = &x->xso; struct net_device *dev = READ_ONCE(xso->dev); + xfrm_unset_type_offload(x); + if (dev && dev->xfrmdev_ops) { spin_lock_bh(&xfrm_state_dev_gc_lock); if (!hlist_unhashed(&x->dev_gclist)) 
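Review bot: with the xfrm_put_type_offload() call removed from ___xfrm_state_destroy(), the module reference behind x->type_offload is released only through xfrm_unset_type_offload(), and in this file that is called from xfrm_dev_state_free() alone. Please confirm that every state for which xfrm_set_type_offload() succeeded reaches xfrm_dev_state_free(), or the error path in xfrm_dev_state_add(), before it is destroyed; otherwise the owner module's reference count leaks. In xfrm_dev_state_free() the call also sits ahead of the "if (dev && dev->xfrmdev_ops)" block, so x->type_offload is cleared before the device-side cleanup runs; a comment on why that order is safe, or moving the call after the block, would help.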
@@ -3122,7 +3120,7 @@ u32 xfrm_state_mtu(struct xfrm_state *x, int mtu) } EXPORT_SYMBOL_GPL(xfrm_state_mtu); -int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload, +int __xfrm_init_state(struct xfrm_state *x, bool init_replay, struct netlink_ext_ack *extack) { const struct xfrm_mode *inner_mode; @@ -3178,8 +3176,6 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload, goto error; } - x->type_offload = xfrm_get_type_offload(x->id.proto, family, offload); - err = x->type->init_state(x, extack); if (err) goto error; @@ -3229,7 +3225,7 @@ int xfrm_init_state(struct xfrm_state *x) { int err; - err = __xfrm_init_state(x, true, false, NULL); + err = __xfrm_init_state(x, true, NULL); if (!err) x->km.state = XFRM_STATE_VALID; diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 5877eabe9d95..b5266e0848e8 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c 
@@ -919,7 +919,7 @@ static struct xfrm_state *xfrm_state_construct(struct net *net, goto error; } - err = __xfrm_init_state(x, false, attrs[XFRMA_OFFLOAD_DEV], extack); + err = __xfrm_init_state(x, false, extack); if (err) goto error;
From patchwork Mon Mar 24 06:18:50 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steffen Klassert X-Patchwork-Id: 14026778 X-Patchwork-Delegate: kuba@kernel.org Received: by gauss2.secunet.de (Postfix, from userid 1000) id 7DAD0318295A; Mon, 24 Mar 2025 07:18:57 +0100 (CET)
From: Steffen Klassert To: David Miller , Jakub Kicinski CC: Herbert Xu , Steffen Klassert , Subject: [PATCH 3/8] xfrm: simplify SA initialization routine Date: Mon, 24 Mar 2025 07:18:50 +0100 Message-ID: <20250324061855.4116819-4-steffen.klassert@secunet.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250324061855.4116819-1-steffen.klassert@secunet.com> References: <20250324061855.4116819-1-steffen.klassert@secunet.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: cas-essen-01.secunet.de (10.53.40.201) To mbx-essen-02.secunet.de (10.53.40.198) X-EXCLAIMER-MD-CONFIG: 2c86f778-e09b-4440-8b15-867914633a10 X-Patchwork-Delegate: kuba@kernel.org From: Leon Romanovsky SA replay mode is initialized differently for user-space and kernel-space users, but the call to xfrm_init_replay() existed in common path with boolean protection. That caused to situation where we have two different function orders. So let's rewrite the SA initialization flow to have same order for both in-kernel and user-space callers. Signed-off-by: Leon Romanovsky Signed-off-by: Steffen Klassert --- include/net/xfrm.h | 3 +-- net/xfrm/xfrm_state.c | 22 ++++++++++------------ net/xfrm/xfrm_user.c | 2 +- 3 files changed, 12 insertions(+), 15 deletions(-) diff --git a/include/net/xfrm.h b/include/net/xfrm.h index e1eed5d47d07..15997374a594 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h 
@@ -1769,8 +1769,7 @@ void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si); u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq); int xfrm_init_replay(struct xfrm_state *x, struct netlink_ext_ack *extack); u32 xfrm_state_mtu(struct xfrm_state *x, int mtu); -int __xfrm_init_state(struct xfrm_state *x, bool init_replay, - struct netlink_ext_ack *extack); +int __xfrm_init_state(struct xfrm_state *x, struct netlink_ext_ack *extack); int xfrm_init_state(struct xfrm_state *x); int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type); int xfrm_input_resume(struct sk_buff *skb, int nexthdr); diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 69af5964c886..7b1028671144 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c @@ -3120,8 +3120,7 @@ u32 xfrm_state_mtu(struct xfrm_state *x, int mtu) } EXPORT_SYMBOL_GPL(xfrm_state_mtu); -int __xfrm_init_state(struct xfrm_state *x, bool init_replay, - struct netlink_ext_ack *extack) +int __xfrm_init_state(struct xfrm_state *x, struct netlink_ext_ack *extack) { const struct xfrm_mode *inner_mode; const struct xfrm_mode *outer_mode; @@ -3188,12 +3187,6 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, } x->outer_mode = *outer_mode; - if (init_replay) { - err = xfrm_init_replay(x, extack); - if (err) - goto error; - } - if (x->nat_keepalive_interval) { if (x->dir != XFRM_SA_DIR_OUT) { NL_SET_ERR_MSG(extack, "NAT keepalive is only supported for outbound SAs"); @@ -3225,11 +3218,16 @@ int xfrm_init_state(struct xfrm_state *x) { int err; - err = __xfrm_init_state(x, true, NULL); - if (!err) - x->km.state = XFRM_STATE_VALID; + err = __xfrm_init_state(x, NULL); + if (err) + return err; - return err; + err = xfrm_init_replay(x, NULL); + if (err) + return err; + + x->km.state = XFRM_STATE_VALID; + return 0; } EXPORT_SYMBOL(xfrm_init_state); diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index b5266e0848e8..784a2d124749 100644 --- a/net/xfrm/xfrm_user.c 
+++ b/net/xfrm/xfrm_user.c 
@@ -919,7 +919,7 @@ static struct xfrm_state *xfrm_state_construct(struct net *net, goto error; } - err = __xfrm_init_state(x, false, extack); + err = __xfrm_init_state(x, extack); if (err) goto error;
From patchwork Mon Mar 24 06:18:51 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steffen Klassert X-Patchwork-Id: 14026776 X-Patchwork-Delegate: kuba@kernel.org Received: by gauss2.secunet.de (Postfix, from userid 1000) id 82BC93182BD9; Mon, 24 Mar 2025 07:18:57 +0100 (CET)
From: Steffen Klassert To: David Miller , Jakub Kicinski CC: Herbert Xu , Steffen Klassert , Subject: [PATCH 4/8] xfrm: rely on XFRM offload Date: Mon, 24 Mar 2025 07:18:51 +0100 Message-ID: <20250324061855.4116819-5-steffen.klassert@secunet.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250324061855.4116819-1-steffen.klassert@secunet.com> References: <20250324061855.4116819-1-steffen.klassert@secunet.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: cas-essen-02.secunet.de (10.53.40.202) To mbx-essen-02.secunet.de (10.53.40.198) X-EXCLAIMER-MD-CONFIG: 2c86f778-e09b-4440-8b15-867914633a10 X-Patchwork-Delegate: kuba@kernel.org From: Leon Romanovsky After change of initialization of x->type_offload pointer to be valid only for offloaded SAs. There is no need to rely on both x->type_offload and x->xso.type to determine if SA is offloaded or not. Reviewed-by: Zhu Yanjun Signed-off-by: Leon Romanovsky Signed-off-by: Steffen Klassert --- net/xfrm/xfrm_device.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c index 97c8030cc417..8d24f4743107 100644 --- a/net/xfrm/xfrm_device.c +++ b/net/xfrm/xfrm_device.c @@ -419,13 +419,11 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x) struct xfrm_dst *xdst = (struct xfrm_dst *)dst; struct net_device *dev = x->xso.dev; - if (!x->type_offload || - (x->xso.type == XFRM_DEV_OFFLOAD_UNSPECIFIED && x->encap)) + if (x->xso.type == XFRM_DEV_OFFLOAD_UNSPECIFIED) return false; if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET || - ((!dev || (dev == xfrm_dst_path(dst)->dev)) && - !xdst->child->xfrm)) { + ((dev == xfrm_dst_path(dst)->dev) && !xdst->child->xfrm)) { mtu = xfrm_state_mtu(x, xdst->child_mtu_cached); if (skb->len <= mtu) goto ok; 
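Review bot: in the second condition, dropping "!dev ||" changes what a NULL x->xso.dev does: it no longer passes the device comparison, while the XFRM_DEV_OFFLOAD_PACKET arm still reaches "goto ok" without looking at dev at all. The hunk relies on x->xso.dev being set whenever x->xso.type is not XFRM_DEV_OFFLOAD_UNSPECIFIED but neither states nor checks it; a short comment above the new early return, or a WARN_ON_ONCE(!dev) that returns false, would make that invariant explicit. The early return also no longer looks at x->encap, which deserves a sentence in the commit message, since a state of type UNSPECIFIED without encapsulation and with x->type_offload set used to continue past this point.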
@@ -437,8 +435,8 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x) return false; ok: - if (dev && dev->xfrmdev_ops && dev->xfrmdev_ops->xdo_dev_offload_ok) - return x->xso.dev->xfrmdev_ops->xdo_dev_offload_ok(skb, x); + if (dev->xfrmdev_ops->xdo_dev_offload_ok) + return dev->xfrmdev_ops->xdo_dev_offload_ok(skb, x); return true; }
From patchwork Mon Mar 24 06:18:52 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steffen Klassert X-Patchwork-Id: 14026782 X-Patchwork-Delegate: kuba@kernel.org Received: by gauss2.secunet.de (Postfix, from userid
1000) id 85CFE3182F6C; Mon, 24 Mar 2025 07:18:57 +0100 (CET) From: Steffen Klassert To: David Miller , Jakub Kicinski CC: Herbert Xu , Steffen Klassert , Subject: [PATCH 5/8] xfrm: provide common xdo_dev_offload_ok callback implementation Date: Mon, 24 Mar 2025 07:18:52 +0100 Message-ID: <20250324061855.4116819-6-steffen.klassert@secunet.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250324061855.4116819-1-steffen.klassert@secunet.com> References: <20250324061855.4116819-1-steffen.klassert@secunet.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: cas-essen-02.secunet.de (10.53.40.202) To mbx-essen-02.secunet.de (10.53.40.198) X-EXCLAIMER-MD-CONFIG: 2c86f778-e09b-4440-8b15-867914633a10 X-Patchwork-Delegate: kuba@kernel.org From: Leon Romanovsky Almost all drivers except bond and nsim had same check if device can perform XFRM offload on that specific packet. The check was that packet doesn't have IPv4 options and IPv6 extensions. In NIC drivers, the IPv4 HELEN comparison was slightly different, but the intent was to check for the same conditions. So let's chose more strict variant as a common base. Reviewed-by: Zhu Yanjun Signed-off-by: Leon Romanovsky 
Signed-off-by: Steffen Klassert --- Documentation/networking/xfrm_device.rst | 3 ++- drivers/net/bonding/bond_main.c | 16 +++++--------- .../net/ethernet/chelsio/cxgb4/cxgb4_main.c | 21 ------------------- .../inline_crypto/ch_ipsec/chcr_ipsec.c | 16 -------------- .../net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 21 ------------------- drivers/net/ethernet/intel/ixgbevf/ipsec.c | 21 ------------------- .../marvell/octeontx2/nic/cn10k_ipsec.c | 15 ------------- .../mellanox/mlx5/core/en_accel/ipsec.c | 16 -------------- .../net/ethernet/netronome/nfp/crypto/ipsec.c | 11 ---------- drivers/net/netdevsim/ipsec.c | 11 ---------- drivers/net/netdevsim/netdevsim.h | 1 - net/xfrm/xfrm_device.c | 15 +++++++++++++ 12 files changed, 22 insertions(+), 145 deletions(-) diff --git a/Documentation/networking/xfrm_device.rst b/Documentation/networking/xfrm_device.rst index 66f6e9a9b59a..7f24c09f2694 100644 --- a/Documentation/networking/xfrm_device.rst +++ b/Documentation/networking/xfrm_device.rst @@ -126,7 +126,8 @@ been setup for offload, it first calls into xdo_dev_offload_ok() with the skb and the intended offload state to ask the driver if the offload will serviceable. This can check the packet information to be sure the offload can be supported (e.g. IPv4 or IPv6, no IPv4 options, etc) and -return true of false to signify its support. +return true or false to signify its support. In case driver doesn't implement +this callback, the stack provides reasonable defaults. Crypto offload mode: When ready to send, the driver needs to inspect the Tx packet for the diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index f6d0628a36d9..154e670d8075 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c 
@@ -673,22 +673,16 @@ static void bond_ipsec_free_sa(struct xfrm_state *xs) static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs) { struct net_device *real_dev; - bool ok = false; rcu_read_lock(); real_dev = bond_ipsec_dev(xs); - if (!real_dev) - goto out; - - if (!real_dev->xfrmdev_ops || - !real_dev->xfrmdev_ops->xdo_dev_offload_ok || - netif_is_bond_master(real_dev)) - goto out; + if (!real_dev || netif_is_bond_master(real_dev)) { + rcu_read_unlock(); + return false; + } - ok = real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs); -out: rcu_read_unlock(); - return ok; + return true; } /** diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c index 2f0b3e389e62..551c279dc14b 100644 --- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c @@ -6538,26 +6538,6 @@ static void cxgb4_xfrm_free_state(struct xfrm_state *x) mutex_unlock(&uld_mutex); } -static bool cxgb4_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *x) -{ - struct adapter *adap = netdev2adap(x->xso.dev); - bool ret = false; - - if (!mutex_trylock(&uld_mutex)) { - dev_dbg(adap->pdev_dev, - "crypto uld critical resource is under use\n"); - return ret; - } - if (chcr_offload_state(adap, CXGB4_XFRMDEV_OPS)) - goto out_unlock; - - ret = adap->uld[CXGB4_ULD_IPSEC].xfrmdev_ops->xdo_dev_offload_ok(skb, x); - -out_unlock: - mutex_unlock(&uld_mutex); - return ret; -} - static void cxgb4_advance_esn_state(struct xfrm_state *x) { struct adapter *adap = netdev2adap(x->xso.dev); @@ -6583,7 +6563,6 @@ static const struct xfrmdev_ops cxgb4_xfrmdev_ops = { .xdo_dev_state_add = cxgb4_xfrm_add_state, .xdo_dev_state_delete = cxgb4_xfrm_del_state, .xdo_dev_state_free = cxgb4_xfrm_free_state, - .xdo_dev_offload_ok = cxgb4_ipsec_offload_ok, .xdo_dev_state_advance_esn = cxgb4_advance_esn_state, }; 
diff --git a/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c b/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c index c7338ac6a5bb..baba96883f48 100644 --- a/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c +++ b/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c @@ -71,7 +71,6 @@ static LIST_HEAD(uld_ctx_list); static DEFINE_MUTEX(dev_mutex); -static bool ch_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *x); static int ch_ipsec_uld_state_change(void *handle, enum cxgb4_state new_state); static int ch_ipsec_xmit(struct sk_buff *skb, struct net_device *dev); static void *ch_ipsec_uld_add(const struct cxgb4_lld_info *infop); @@ -85,7 +84,6 @@ static const struct xfrmdev_ops ch_ipsec_xfrmdev_ops = { .xdo_dev_state_add = ch_ipsec_xfrm_add_state, .xdo_dev_state_delete = ch_ipsec_xfrm_del_state, .xdo_dev_state_free = ch_ipsec_xfrm_free_state, - .xdo_dev_offload_ok = ch_ipsec_offload_ok, .xdo_dev_state_advance_esn = ch_ipsec_advance_esn_state, }; @@ -323,20 +321,6 @@ static void ch_ipsec_xfrm_free_state(struct xfrm_state *x) module_put(THIS_MODULE); } -static bool ch_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *x) -{ - if (x->props.family == AF_INET) { - /* Offload with IP options is not supported yet */ - if (ip_hdr(skb)->ihl > 5) - return false; - } else { - /* Offload with IPv6 extension headers is not support yet */ - if (ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr)) - return false; - } - return true; -} - static void ch_ipsec_advance_esn_state(struct xfrm_state *x) { /* do nothing */ diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c index 866024f2b9ee..07ea1954a276 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c 
@@ -817,30 +817,9 @@ static void ixgbe_ipsec_del_sa(struct xfrm_state *xs) } } -/** - * ixgbe_ipsec_offload_ok - can this packet use the xfrm hw offload - * @skb: current data packet - * @xs: pointer to transformer state struct - **/ -static bool ixgbe_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs) -{ - if (xs->props.family == AF_INET) { - /* Offload with IPv4 options is not supported yet */ - if (ip_hdr(skb)->ihl != 5) - return false; - } else { - /* Offload with IPv6 extension headers is not support yet */ - if (ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr)) - return false; - } - - return true; -} - static const struct xfrmdev_ops ixgbe_xfrmdev_ops = { .xdo_dev_state_add = ixgbe_ipsec_add_sa, .xdo_dev_state_delete = ixgbe_ipsec_del_sa, - .xdo_dev_offload_ok = ixgbe_ipsec_offload_ok, }; /** diff --git a/drivers/net/ethernet/intel/ixgbevf/ipsec.c b/drivers/net/ethernet/intel/ixgbevf/ipsec.c index f804b35d79c7..8ba037e3d9c2 100644 --- a/drivers/net/ethernet/intel/ixgbevf/ipsec.c +++ b/drivers/net/ethernet/intel/ixgbevf/ipsec.c @@ -428,30 +428,9 @@ static void ixgbevf_ipsec_del_sa(struct xfrm_state *xs) } } -/** - * ixgbevf_ipsec_offload_ok - can this packet use the xfrm hw offload - * @skb: current data packet - * @xs: pointer to transformer state struct - **/ -static bool ixgbevf_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs) -{ - if (xs->props.family == AF_INET) { - /* Offload with IPv4 options is not supported yet */ - if (ip_hdr(skb)->ihl != 5) - return false; - } else { - /* Offload with IPv6 extension headers is not support yet */ - if (ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr)) - return false; - } - - return true; -} - static const struct xfrmdev_ops ixgbevf_xfrmdev_ops = { .xdo_dev_state_add = ixgbevf_ipsec_add_sa, .xdo_dev_state_delete = ixgbevf_ipsec_del_sa, - .xdo_dev_offload_ok = ixgbevf_ipsec_offload_ok, }; /** 
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_ipsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_ipsec.c index 09a5b5268205..fc59e50bafce 100644 --- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_ipsec.c +++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_ipsec.c @@ -744,24 +744,9 @@ static void cn10k_ipsec_del_state(struct xfrm_state *x) queue_work(pf->ipsec.sa_workq, &pf->ipsec.sa_work); } -static bool cn10k_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *x) -{ - if (x->props.family == AF_INET) { - /* Offload with IPv4 options is not supported yet */ - if (ip_hdr(skb)->ihl > 5) - return false; - } else { - /* Offload with IPv6 extension headers is not support yet */ - if (ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr)) - return false; - } - return true; -} - static const struct xfrmdev_ops cn10k_ipsec_xfrmdev_ops = { .xdo_dev_state_add = cn10k_ipsec_add_state, .xdo_dev_state_delete = cn10k_ipsec_del_state, - .xdo_dev_offload_ok = cn10k_ipsec_offload_ok, }; static void cn10k_ipsec_sa_wq_handler(struct work_struct *work) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c index 501709ac310f..3b81e7b8ce23 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c @@ -953,21 +953,6 @@ void mlx5e_ipsec_cleanup(struct mlx5e_priv *priv) priv->ipsec = NULL; } -static bool mlx5e_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *x) -{ - if (x->props.family == AF_INET) { - /* Offload with IPv4 options is not supported yet */ - if (ip_hdr(skb)->ihl > 5) - return false; - } else { - /* Offload with IPv6 extension headers is not support yet */ - if (ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr)) - return false; - } - - return true; -} - static void mlx5e_xfrm_advance_esn_state(struct xfrm_state *x) { struct mlx5e_ipsec_sa_entry *sa_entry = to_ipsec_sa_entry(x); 
@@ -1196,7 +1181,6 @@ static const struct xfrmdev_ops mlx5e_ipsec_xfrmdev_ops = { .xdo_dev_state_add = mlx5e_xfrm_add_state, .xdo_dev_state_delete = mlx5e_xfrm_del_state, .xdo_dev_state_free = mlx5e_xfrm_free_state, - .xdo_dev_offload_ok = mlx5e_ipsec_offload_ok, .xdo_dev_state_advance_esn = mlx5e_xfrm_advance_esn_state, .xdo_dev_state_update_stats = mlx5e_xfrm_update_stats, diff --git a/drivers/net/ethernet/netronome/nfp/crypto/ipsec.c b/drivers/net/ethernet/netronome/nfp/crypto/ipsec.c index 515069d5637b..671af5d4c5d2 100644 --- a/drivers/net/ethernet/netronome/nfp/crypto/ipsec.c +++ b/drivers/net/ethernet/netronome/nfp/crypto/ipsec.c @@ -565,20 +565,9 @@ static void nfp_net_xfrm_del_state(struct xfrm_state *x) xa_erase(&nn->xa_ipsec, x->xso.offload_handle - 1); } -static bool nfp_net_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *x) -{ - if (x->props.family == AF_INET) - /* Offload with IPv4 options is not supported yet */ - return ip_hdr(skb)->ihl == 5; - - /* Offload with IPv6 extension headers is not support yet */ - return !(ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr)); -} - static const struct xfrmdev_ops nfp_net_ipsec_xfrmdev_ops = { .xdo_dev_state_add = nfp_net_xfrm_add_state, .xdo_dev_state_delete = nfp_net_xfrm_del_state, - .xdo_dev_offload_ok = nfp_net_ipsec_offload_ok, }; void nfp_net_ipsec_init(struct nfp_net *nn) diff --git a/drivers/net/netdevsim/ipsec.c b/drivers/net/netdevsim/ipsec.c index 88187dd4eb2d..d88bdb9a1717 100644 --- a/drivers/net/netdevsim/ipsec.c +++ b/drivers/net/netdevsim/ipsec.c 
@@ -217,20 +217,9 @@ static void nsim_ipsec_del_sa(struct xfrm_state *xs) ipsec->count--; } -static bool nsim_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs) -{ - struct netdevsim *ns = netdev_priv(xs->xso.real_dev); - struct nsim_ipsec *ipsec = &ns->ipsec; - - ipsec->ok++; - - return true; -} - static const struct xfrmdev_ops nsim_xfrmdev_ops = { .xdo_dev_state_add = nsim_ipsec_add_sa, .xdo_dev_state_delete = nsim_ipsec_del_sa, - .xdo_dev_offload_ok = nsim_ipsec_offload_ok, }; bool nsim_ipsec_tx(struct netdevsim *ns, struct sk_buff *skb) diff --git a/drivers/net/netdevsim/netdevsim.h b/drivers/net/netdevsim/netdevsim.h index 96d54c08043d..ca8f1a620044 100644 --- a/drivers/net/netdevsim/netdevsim.h +++ b/drivers/net/netdevsim/netdevsim.h @@ -54,7 +54,6 @@ struct nsim_ipsec { struct dentry *pfile; u32 count; u32 tx; - u32 ok; }; #define NSIM_MACSEC_MAX_SECY_COUNT 3 diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c index 8d24f4743107..f9d985ef30f2 100644 --- a/net/xfrm/xfrm_device.c +++ b/net/xfrm/xfrm_device.c 
@@ -435,6 +435,21 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x) return false; ok: + switch (x->props.family) { + case AF_INET: + /* Check for IPv4 options */ + if (ip_hdr(skb)->ihl != 5) + return false; + break; + case AF_INET6: + /* Check for IPv6 extensions */ + if (ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr)) + return false; + break; + default: + break; + } + if (dev->xfrmdev_ops->xdo_dev_offload_ok) return dev->xfrmdev_ops->xdo_dev_offload_ok(skb, x);

From patchwork Mon Mar 24 06:18:53 2025
X-Patchwork-Submitter: Steffen Klassert
X-Patchwork-Id: 14026781
X-Patchwork-Delegate: kuba@kernel.org
From: Steffen Klassert
To: David Miller, Jakub Kicinski
CC: Herbert Xu, Steffen Klassert
Subject: [PATCH 6/8] xfrm: check for PMTU in tunnel mode for packet offload
Date: Mon, 24 Mar 2025 07:18:53 +0100
Message-ID: <20250324061855.4116819-7-steffen.klassert@secunet.com>
In-Reply-To: <20250324061855.4116819-1-steffen.klassert@secunet.com>
References: <20250324061855.4116819-1-steffen.klassert@secunet.com>
X-Mailing-List: netdev@vger.kernel.org

From: Leon Romanovsky

In tunnel mode, for the packet offload, there was no PMTU signaling to the upper level about the need to fragment the packet. As a solution, call the already existing xfrm[4|6]_tunnel_check_size() to perform that.

Signed-off-by: Leon Romanovsky
Signed-off-by: Steffen Klassert
--- include/net/xfrm.h | 9 +++++++++ net/xfrm/xfrm_device.c | 10 ++++++++-- net/xfrm/xfrm_output.c | 6 ++++-- 3 files changed, 21 insertions(+), 4 deletions(-) diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 15997374a594..39365fd2ea17 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h
@@ -1781,6 +1781,15 @@ int xfrm_trans_queue(struct sk_buff *skb, struct sk_buff *)); int xfrm_output_resume(struct sock *sk, struct sk_buff *skb, int err); int xfrm_output(struct sock *sk, struct sk_buff *skb); +int xfrm4_tunnel_check_size(struct sk_buff *skb); +#if IS_ENABLED(CONFIG_IPV6) +int xfrm6_tunnel_check_size(struct sk_buff *skb); +#else +static inline int xfrm6_tunnel_check_size(struct sk_buff *skb) +{ + return -EMSGSIZE; +} +#endif #if IS_ENABLED(CONFIG_NET_PKTGEN) int pktgen_xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb); diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c index f9d985ef30f2..d62f76161d83 100644 --- a/net/xfrm/xfrm_device.c +++ b/net/xfrm/xfrm_device.c @@ -418,12 +418,12 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x) struct dst_entry *dst = skb_dst(skb); struct xfrm_dst *xdst = (struct xfrm_dst *)dst; struct net_device *dev = x->xso.dev; + bool check_tunnel_size; if (x->xso.type == XFRM_DEV_OFFLOAD_UNSPECIFIED) return false; - if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET || - ((dev == xfrm_dst_path(dst)->dev) && !xdst->child->xfrm)) { + if ((dev == xfrm_dst_path(dst)->dev) && !xdst->child->xfrm) { mtu = xfrm_state_mtu(x, xdst->child_mtu_cached); if (skb->len <= mtu) goto ok; @@ -435,16 +435,22 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x) return false; ok: + check_tunnel_size = x->xso.type == XFRM_DEV_OFFLOAD_PACKET && + x->props.mode == XFRM_MODE_TUNNEL; switch (x->props.family) { case AF_INET: /* Check for IPv4 options */ if (ip_hdr(skb)->ihl != 5) return false; + if (check_tunnel_size && xfrm4_tunnel_check_size(skb)) + return false; break; case AF_INET6: /* Check for IPv6 extensions */ if (ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr)) return false; + if (check_tunnel_size && xfrm6_tunnel_check_size(skb)) + return false; break; default: break; diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c index f7abd42c077d..34c8e266641c 100644 
--- a/net/xfrm/xfrm_output.c +++ b/net/xfrm/xfrm_output.c @@ -786,7 +786,7 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb) } EXPORT_SYMBOL_GPL(xfrm_output); -static int xfrm4_tunnel_check_size(struct sk_buff *skb) +int xfrm4_tunnel_check_size(struct sk_buff *skb) { int mtu, ret = 0; @@ -812,6 +812,7 @@ static int xfrm4_tunnel_check_size(struct sk_buff *skb) out: return ret; } +EXPORT_SYMBOL_GPL(xfrm4_tunnel_check_size); static int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb) { @@ -834,7 +835,7 @@ static int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb) } #if IS_ENABLED(CONFIG_IPV6) -static int xfrm6_tunnel_check_size(struct sk_buff *skb) +int xfrm6_tunnel_check_size(struct sk_buff *skb) { int mtu, ret = 0; struct dst_entry *dst = skb_dst(skb); 
@@ -864,6 +865,7 @@ static int xfrm6_tunnel_check_size(struct sk_buff *skb) out: return ret; } +EXPORT_SYMBOL_GPL(xfrm6_tunnel_check_size); #endif static int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb)

From patchwork Mon Mar 24 06:18:54 2025
X-Patchwork-Submitter: Steffen Klassert
X-Patchwork-Id: 14026780
X-Patchwork-Delegate: kuba@kernel.org
From: Steffen Klassert
To: David Miller, Jakub Kicinski
CC: Herbert Xu, Steffen Klassert
Subject: [PATCH 7/8] xfrm: state: make xfrm_state_lookup_byaddr lockless
Date: Mon, 24 Mar 2025 07:18:54 +0100
Message-ID: <20250324061855.4116819-8-steffen.klassert@secunet.com>
In-Reply-To: <20250324061855.4116819-1-steffen.klassert@secunet.com>
References: <20250324061855.4116819-1-steffen.klassert@secunet.com>
X-Mailing-List: netdev@vger.kernel.org

From: Florian Westphal

This appears to be an oversight back when the state lookup was converted to RCU, I see no reason why we need to hold the state lock here.

__xfrm_state_lookup_byaddr already uses xfrm_state_hold_rcu helper to obtain a reference, so just replace the state lock with rcu.

Signed-off-by: Florian Westphal
Signed-off-by: Steffen Klassert
--- net/xfrm/xfrm_state.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 7b1028671144..07545944a536 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c
@@ -2313,12 +2313,12 @@ xfrm_state_lookup_byaddr(struct net *net, u32 mark, struct xfrm_hash_state_ptrs state_ptrs; struct xfrm_state *x; - spin_lock_bh(&net->xfrm.xfrm_state_lock); + rcu_read_lock(); xfrm_hash_ptrs_get(net, &state_ptrs); x = __xfrm_state_lookup_byaddr(&state_ptrs, mark, daddr, saddr, proto, family); - spin_unlock_bh(&net->xfrm.xfrm_state_lock); + rcu_read_unlock(); return x; } EXPORT_SYMBOL(xfrm_state_lookup_byaddr);

From patchwork Mon Mar 24 06:18:55 2025
X-Patchwork-Submitter: Steffen Klassert
X-Patchwork-Id: 14026779
X-Patchwork-Delegate: kuba@kernel.org
From: Steffen Klassert
To: David Miller, Jakub Kicinski
CC: Herbert Xu, Steffen Klassert
Subject: [PATCH 8/8] xfrm: Remove unnecessary NULL check in xfrm_lookup_with_ifid()
Date: Mon, 24 Mar 2025 07:18:55 +0100
Message-ID: <20250324061855.4116819-9-steffen.klassert@secunet.com>
In-Reply-To: <20250324061855.4116819-1-steffen.klassert@secunet.com>
References: <20250324061855.4116819-1-steffen.klassert@secunet.com>
X-Mailing-List: netdev@vger.kernel.org

From: Dan Carpenter

This NULL check is unnecessary and can be removed. It confuses the Smatch static analysis tool because it makes Smatch think that xfrm_lookup_with_ifid() can return a mix of NULL pointers and errors so it creates a lot of false positives. Remove it.

Signed-off-by: Dan Carpenter
Reviewed-by: Michal Kubiak
Signed-off-by: Steffen Klassert
--- net/xfrm/xfrm_policy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 6551e588fe52..30970d40a454 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -3294,7 +3294,7 @@ struct dst_entry *xfrm_lookup_with_ifid(struct net *net, ok: xfrm_pols_put(pols, drop_pols); - if (dst && dst->xfrm && + if (dst->xfrm && (dst->xfrm->props.mode == XFRM_MODE_TUNNEL || dst->xfrm->props.mode == XFRM_MODE_IPTFS)) dst->flags |= DST_XFRM_TUNNEL;
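
Review bot: in the net/xfrm/xfrm_device.c hunk at -437,8 +435,8 (the one just before [PATCH 5/8]), the `dev &&` and `dev->xfrmdev_ops &&` guards are dropped, so `dev->xfrmdev_ops->xdo_dev_offload_ok` is dereferenced unconditionally at `ok:`. The only gate visible earlier in the function is `x->xso.type == XFRM_DEV_OFFLOAD_UNSPECIFIED`. Please state, in a comment at `ok:` or in the commit message, the invariant that a state with any other offload type always has a non-NULL `x->xso.dev` with `xfrmdev_ops` set, since a violation now becomes a NULL dereference on the transmit path instead of a skipped callback.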
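
Review bot: [PATCH 5/8], Documentation/networking/xfrm_device.rst: the added sentence "In case driver doesn't implement this callback, the stack provides reasonable defaults" does not match the net/xfrm/xfrm_device.c hunk in the same patch, where the IPv4 options and IPv6 extension checks run for every packet before `xdo_dev_offload_ok` is consulted, whether or not the driver implements it. Suggest wording such as "the stack always rejects packets with IPv4 options or IPv6 extension headers before calling the driver callback, which is optional", so driver authors know they cannot relax these checks from the callback.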
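
Review bot: [PATCH 5/8], drivers/net/bonding/bond_main.c: bond_ipsec_offload_ok() now ends in `return true;` and no longer forwards to `real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs)`. That is equivalent today only because every driver callback is removed in this same patch. A driver that later adds its own `xdo_dev_offload_ok` will be silently bypassed when it sits under a bond. Either keep the forwarding call when the slave sets the callback, or add a comment here saying that slave callbacks are intentionally not consulted.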
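
Review bot: [PATCH 5/8], drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c: the removed cxgb4_ipsec_offload_ok() was not just the header check described in the commit message. It also returned false when `mutex_trylock(&uld_mutex)` failed or when `chcr_offload_state(adap, CXGB4_XFRMDEV_OPS)` reported an error, and only then called into `adap->uld[CXGB4_ULD_IPSEC].xfrmdev_ops`. With the callback gone, packets are reported as offloadable regardless of ULD state. Please mention this behaviour change in the commit message and confirm the transmit path copes with the ULD being unavailable.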
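
Review bot: [PATCH 5/8], net/xfrm/xfrm_device.c hunk at -435,6 +435,21: the new `switch (x->props.family)` picks between `ip_hdr(skb)->ihl` and `ipv6_hdr(skb)->nexthdr` from the state's family, not from the packet that is actually in the skb at this point. If a tunnel-mode state can carry the other address family, the check would read an IPv6 header as IPv4 or the reverse and make the offload decision on an unrelated field. The removed driver copies did the same, but now that this is the single common check it is worth confirming which header the skb holds here and keying the switch on that. The `default: break;` arm also lets any other family through unchecked, which deserves a one-line comment.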
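
Review bot: [PATCH 6/8], net/xfrm/xfrm_device.c: removing `x->xso.type == XFRM_DEV_OFFLOAD_PACKET ||` from the MTU condition changes the path for every packet-offload state, while the new `check_tunnel_size` test only covers `XFRM_MODE_TUNNEL`. Packet-offload states in other modes no longer reach the `skb->len <= mtu` shortcut unless `dev == xfrm_dst_path(dst)->dev` and `!xdst->child->xfrm` hold, which the commit message does not mention. Please describe that change or keep the old condition for non-tunnel modes. Separately, xfrm_dev_offload_ok() is a bool predicate and now calls xfrm[4|6]_tunnel_check_size(), which per the commit message does PMTU signaling. A short comment that this predicate has that side effect would help callers that may evaluate it more than once per packet.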
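
Review bot: [PATCH 7/8], net/xfrm/xfrm_state.c: replacing `spin_lock_bh(&net->xfrm.xfrm_state_lock)` with `rcu_read_lock()` also drops the bottom-half disabling that the old lock provided around `xfrm_hash_ptrs_get()` and `__xfrm_state_lookup_byaddr()`. The commit message argues the reference is safe via xfrm_state_hold_rcu, but says nothing about whether `xfrm_hash_ptrs_get()` is safe with BHs enabled and only the RCU read lock held. Please add a sentence covering that, and consider a comment on the function noting that the lookup is lockless and returns a held reference.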
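
Review bot: [PATCH 8/8], net/xfrm/xfrm_policy.c: with `dst &&` removed, `dst->xfrm` is dereferenced unconditionally right after `ok:`, but the commit message only asserts that the NULL check is unnecessary without saying why. Please name the paths that jump to `ok:` and state that each of them leaves `dst` non-NULL (or an already-returned error), so the next reader does not have to re-derive it. If any path can reach `ok:` with a NULL `dst`, this turns a skipped flag update into a NULL dereference.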