]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 49431af)
xfrm: provide common xdo_dev_offload_ok callback implementation
authorLeon Romanovsky <leonro@nvidia.com>
Wed, 19 Feb 2025 13:51:00 +0000 (15:51 +0200)
committerSteffen Klassert <steffen.klassert@secunet.com>
Fri, 21 Feb 2025 07:08:15 +0000 (08:08 +0100)
Almost all drivers except bond and nsim had same check if device
can perform XFRM offload on that specific packet. The check was that
packet doesn't have IPv4 options and IPv6 extensions.

In NIC drivers, the IPv4 HELEN comparison was slightly different, but
the intent was to check for the same conditions. So let's chose more
strict variant as a common base.

Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
12 files changed:
Documentation/networking/xfrm_device.rst patch | blob | blame | history
drivers/net/bonding/bond_main.c patch | blob | blame | history
drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c patch | blob | blame | history
drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c patch | blob | blame | history
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c patch | blob | blame | history
drivers/net/ethernet/intel/ixgbevf/ipsec.c patch | blob | blame | history
drivers/net/ethernet/marvell/octeontx2/nic/cn10k_ipsec.c patch | blob | blame | history
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c patch | blob | blame | history
drivers/net/ethernet/netronome/nfp/crypto/ipsec.c patch | blob | blame | history
drivers/net/netdevsim/ipsec.c patch | blob | blame | history
drivers/net/netdevsim/netdevsim.h patch | blob | blame | history
net/xfrm/xfrm_device.c patch | blob | blame | history

diff --git a/Documentation/networking/xfrm_device.rst b/Documentation/networking/xfrm_device.rst
index 66f6e9a9b59ae81575ee12f1f6b63aa09984d4f7..7f24c09f269431f4871b961fa75ec1d73b965fe5 100644 (file)
--- a/Documentation/networking/xfrm_device.rst
+++ b/Documentation/networking/xfrm_device.rst
@@ -126,7 +126,8 @@ been setup for offload, it first calls into xdo_dev_offload_ok() with
 the skb and the intended offload state to ask the driver if the offload
 will serviceable.  This can check the packet information to be sure the
 offload can be supported (e.g. IPv4 or IPv6, no IPv4 options, etc) and
-return true of false to signify its support.
+return true or false to signify its support. In case driver doesn't implement
+this callback, the stack provides reasonable defaults.
 
 Crypto offload mode:
 When ready to send, the driver needs to inspect the Tx packet for the
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index f6d0628a36d9f283bc98e4a75b46fc4ad8c54b35..154e670d80753c347d00c82be77b818ea4f858a5 100644 (file)
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -673,22 +673,16 @@ out:
 static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
 {
        struct net_device *real_dev;
-       bool ok = false;
 
        rcu_read_lock();
        real_dev = bond_ipsec_dev(xs);
-       if (!real_dev)
-               goto out;
-
-       if (!real_dev->xfrmdev_ops ||
-           !real_dev->xfrmdev_ops->xdo_dev_offload_ok ||
-           netif_is_bond_master(real_dev))
-               goto out;
+       if (!real_dev || netif_is_bond_master(real_dev)) {
+               rcu_read_unlock();
+               return false;
+       }
 
-       ok = real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs);
-out:
        rcu_read_unlock();
-       return ok;
+       return true;
 }
 
 /**
diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
index 2f0b3e389e624c89926a493751ceb6ddc9fea867..551c279dc14bed76f0bd0dac640a52247fc6af94 100644 (file)
--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
@@ -6538,26 +6538,6 @@ out_unlock:
        mutex_unlock(&uld_mutex);
 }
 
-static bool cxgb4_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
-{
-       struct adapter *adap = netdev2adap(x->xso.dev);
-       bool ret = false;
-
-       if (!mutex_trylock(&uld_mutex)) {
-               dev_dbg(adap->pdev_dev,
-                       "crypto uld critical resource is under use\n");
-               return ret;
-       }
-       if (chcr_offload_state(adap, CXGB4_XFRMDEV_OPS))
-               goto out_unlock;
-
-       ret = adap->uld[CXGB4_ULD_IPSEC].xfrmdev_ops->xdo_dev_offload_ok(skb, x);
-
-out_unlock:
-       mutex_unlock(&uld_mutex);
-       return ret;
-}
-
 static void cxgb4_advance_esn_state(struct xfrm_state *x)
 {
        struct adapter *adap = netdev2adap(x->xso.dev);
@@ -6583,7 +6563,6 @@ static const struct xfrmdev_ops cxgb4_xfrmdev_ops = {
        .xdo_dev_state_add      = cxgb4_xfrm_add_state,
        .xdo_dev_state_delete   = cxgb4_xfrm_del_state,
        .xdo_dev_state_free     = cxgb4_xfrm_free_state,
-       .xdo_dev_offload_ok     = cxgb4_ipsec_offload_ok,
        .xdo_dev_state_advance_esn = cxgb4_advance_esn_state,
 };
 
diff --git a/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c b/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
index c7338ac6a5bbe61aeedea4564bde53524b2b2a9e..baba96883f48b57ad52379dae7295338ad56650b 100644 (file)
--- a/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
+++ b/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
@@ -71,7 +71,6 @@
 static LIST_HEAD(uld_ctx_list);
 static DEFINE_MUTEX(dev_mutex);
 
-static bool ch_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *x);
 static int ch_ipsec_uld_state_change(void *handle, enum cxgb4_state new_state);
 static int ch_ipsec_xmit(struct sk_buff *skb, struct net_device *dev);
 static void *ch_ipsec_uld_add(const struct cxgb4_lld_info *infop);
@@ -85,7 +84,6 @@ static const struct xfrmdev_ops ch_ipsec_xfrmdev_ops = {
        .xdo_dev_state_add      = ch_ipsec_xfrm_add_state,
        .xdo_dev_state_delete   = ch_ipsec_xfrm_del_state,
        .xdo_dev_state_free     = ch_ipsec_xfrm_free_state,
-       .xdo_dev_offload_ok     = ch_ipsec_offload_ok,
        .xdo_dev_state_advance_esn = ch_ipsec_advance_esn_state,
 };
 
@@ -323,20 +321,6 @@ static void ch_ipsec_xfrm_free_state(struct xfrm_state *x)
        module_put(THIS_MODULE);
 }
 
-static bool ch_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
-{
-       if (x->props.family == AF_INET) {
-               /* Offload with IP options is not supported yet */
-               if (ip_hdr(skb)->ihl > 5)
-                       return false;
-       } else {
-               /* Offload with IPv6 extension headers is not support yet */
-               if (ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr))
-                       return false;
-       }
-       return true;
-}
-
 static void ch_ipsec_advance_esn_state(struct xfrm_state *x)
 {
        /* do nothing */
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
index 866024f2b9eeb380d31557b53f2c7e00fe41a15a..07ea1954a276ed96837a0283ec5f8eb0dc125fa8 100644 (file)
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
@@ -817,30 +817,9 @@ static void ixgbe_ipsec_del_sa(struct xfrm_state *xs)
        }
 }
 
-/**
- * ixgbe_ipsec_offload_ok - can this packet use the xfrm hw offload
- * @skb: current data packet
- * @xs: pointer to transformer state struct
- **/
-static bool ixgbe_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
-{
-       if (xs->props.family == AF_INET) {
-               /* Offload with IPv4 options is not supported yet */
-               if (ip_hdr(skb)->ihl != 5)
-                       return false;
-       } else {
-               /* Offload with IPv6 extension headers is not support yet */
-               if (ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr))
-                       return false;
-       }
-
-       return true;
-}
-
 static const struct xfrmdev_ops ixgbe_xfrmdev_ops = {
        .xdo_dev_state_add = ixgbe_ipsec_add_sa,
        .xdo_dev_state_delete = ixgbe_ipsec_del_sa,
-       .xdo_dev_offload_ok = ixgbe_ipsec_offload_ok,
 };
 
 /**
diff --git a/drivers/net/ethernet/intel/ixgbevf/ipsec.c b/drivers/net/ethernet/intel/ixgbevf/ipsec.c
index f804b35d79c726c9caf18a303a07fc5fe864edc0..8ba037e3d9c270d3ab6fe19f6fe50003973e249b 100644 (file)
--- a/drivers/net/ethernet/intel/ixgbevf/ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbevf/ipsec.c
@@ -428,30 +428,9 @@ static void ixgbevf_ipsec_del_sa(struct xfrm_state *xs)
        }
 }
 
-/**
- * ixgbevf_ipsec_offload_ok - can this packet use the xfrm hw offload
- * @skb: current data packet
- * @xs: pointer to transformer state struct
- **/
-static bool ixgbevf_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
-{
-       if (xs->props.family == AF_INET) {
-               /* Offload with IPv4 options is not supported yet */
-               if (ip_hdr(skb)->ihl != 5)
-                       return false;
-       } else {
-               /* Offload with IPv6 extension headers is not support yet */
-               if (ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr))
-                       return false;
-       }
-
-       return true;
-}
-
 static const struct xfrmdev_ops ixgbevf_xfrmdev_ops = {
        .xdo_dev_state_add = ixgbevf_ipsec_add_sa,
        .xdo_dev_state_delete = ixgbevf_ipsec_del_sa,
-       .xdo_dev_offload_ok = ixgbevf_ipsec_offload_ok,
 };
 
 /**
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_ipsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_ipsec.c
index 09a5b52682055fd8f10ff04de96d583f3876f079..fc59e50bafce668b50040f0fbefefe54bed11210 100644 (file)
--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_ipsec.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_ipsec.c
@@ -744,24 +744,9 @@ static void cn10k_ipsec_del_state(struct xfrm_state *x)
                queue_work(pf->ipsec.sa_workq, &pf->ipsec.sa_work);
 }
 
-static bool cn10k_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
-{
-       if (x->props.family == AF_INET) {
-               /* Offload with IPv4 options is not supported yet */
-               if (ip_hdr(skb)->ihl > 5)
-                       return false;
-       } else {
-               /* Offload with IPv6 extension headers is not support yet */
-               if (ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr))
-                       return false;
-       }
-       return true;
-}
-
 static const struct xfrmdev_ops cn10k_ipsec_xfrmdev_ops = {
        .xdo_dev_state_add      = cn10k_ipsec_add_state,
        .xdo_dev_state_delete   = cn10k_ipsec_del_state,
-       .xdo_dev_offload_ok     = cn10k_ipsec_offload_ok,
 };
 
 static void cn10k_ipsec_sa_wq_handler(struct work_struct *work)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
index 501709ac310f25ecfac700f36b48ea911b9aa8ea..3b81e7b8ce23ca54b5184a586797fdf56a54850e 100644 (file)
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -953,21 +953,6 @@ void mlx5e_ipsec_cleanup(struct mlx5e_priv *priv)
        priv->ipsec = NULL;
 }
 
-static bool mlx5e_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
-{
-       if (x->props.family == AF_INET) {
-               /* Offload with IPv4 options is not supported yet */
-               if (ip_hdr(skb)->ihl > 5)
-                       return false;
-       } else {
-               /* Offload with IPv6 extension headers is not support yet */
-               if (ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr))
-                       return false;
-       }
-
-       return true;
-}
-
 static void mlx5e_xfrm_advance_esn_state(struct xfrm_state *x)
 {
        struct mlx5e_ipsec_sa_entry *sa_entry = to_ipsec_sa_entry(x);
@@ -1196,7 +1181,6 @@ static const struct xfrmdev_ops mlx5e_ipsec_xfrmdev_ops = {
        .xdo_dev_state_add      = mlx5e_xfrm_add_state,
        .xdo_dev_state_delete   = mlx5e_xfrm_del_state,
        .xdo_dev_state_free     = mlx5e_xfrm_free_state,
-       .xdo_dev_offload_ok     = mlx5e_ipsec_offload_ok,
        .xdo_dev_state_advance_esn = mlx5e_xfrm_advance_esn_state,
 
        .xdo_dev_state_update_stats = mlx5e_xfrm_update_stats,
diff --git a/drivers/net/ethernet/netronome/nfp/crypto/ipsec.c b/drivers/net/ethernet/netronome/nfp/crypto/ipsec.c
index 515069d5637b0d67d22f5844ff6f413f497e4017..671af5d4c5d25c1385cfb6ceb968acb9f1fe1b9e 100644 (file)
--- a/drivers/net/ethernet/netronome/nfp/crypto/ipsec.c
+++ b/drivers/net/ethernet/netronome/nfp/crypto/ipsec.c
@@ -565,20 +565,9 @@ static void nfp_net_xfrm_del_state(struct xfrm_state *x)
        xa_erase(&nn->xa_ipsec, x->xso.offload_handle - 1);
 }
 
-static bool nfp_net_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
-{
-       if (x->props.family == AF_INET)
-               /* Offload with IPv4 options is not supported yet */
-               return ip_hdr(skb)->ihl == 5;
-
-       /* Offload with IPv6 extension headers is not support yet */
-       return !(ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr));
-}
-
 static const struct xfrmdev_ops nfp_net_ipsec_xfrmdev_ops = {
        .xdo_dev_state_add = nfp_net_xfrm_add_state,
        .xdo_dev_state_delete = nfp_net_xfrm_del_state,
-       .xdo_dev_offload_ok = nfp_net_ipsec_offload_ok,
 };
 
 void nfp_net_ipsec_init(struct nfp_net *nn)
diff --git a/drivers/net/netdevsim/ipsec.c b/drivers/net/netdevsim/ipsec.c
index 88187dd4eb2d4012cc8e3ca78a05dbcdbbfa3cba..d88bdb9a17176a3af556e357ce41aade0991e743 100644 (file)
--- a/drivers/net/netdevsim/ipsec.c
+++ b/drivers/net/netdevsim/ipsec.c
@@ -217,20 +217,9 @@ static void nsim_ipsec_del_sa(struct xfrm_state *xs)
        ipsec->count--;
 }
 
-static bool nsim_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
-{
-       struct netdevsim *ns = netdev_priv(xs->xso.real_dev);
-       struct nsim_ipsec *ipsec = &ns->ipsec;
-
-       ipsec->ok++;
-
-       return true;
-}
-
 static const struct xfrmdev_ops nsim_xfrmdev_ops = {
        .xdo_dev_state_add      = nsim_ipsec_add_sa,
        .xdo_dev_state_delete   = nsim_ipsec_del_sa,
-       .xdo_dev_offload_ok     = nsim_ipsec_offload_ok,
 };
 
 bool nsim_ipsec_tx(struct netdevsim *ns, struct sk_buff *skb)
diff --git a/drivers/net/netdevsim/netdevsim.h b/drivers/net/netdevsim/netdevsim.h
index 96d54c08043d3a62b0731efd43bc6a313998bf01..ca8f1a6200440bc55f49f75dad2e5a14850c3221 100644 (file)
--- a/drivers/net/netdevsim/netdevsim.h
+++ b/drivers/net/netdevsim/netdevsim.h
@@ -54,7 +54,6 @@ struct nsim_ipsec {
        struct dentry *pfile;
        u32 count;
        u32 tx;
-       u32 ok;
 };
 
 #define NSIM_MACSEC_MAX_SECY_COUNT 3
diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
index 8d24f47431079a6b30464846605a1c54047636f4..f9d985ef30f2ed1ea06e41ec7d358614123f1f1b 100644 (file)
--- a/net/xfrm/xfrm_device.c
+++ b/net/xfrm/xfrm_device.c
@@ -435,6 +435,21 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
        return false;
 
 ok:
+       switch (x->props.family) {
+       case AF_INET:
+               /* Check for IPv4 options */
+               if (ip_hdr(skb)->ihl != 5)
+                       return false;
+               break;
+       case AF_INET6:
+               /* Check for IPv6 extensions */
+               if (ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr))
+                       return false;
+               break;
+       default:
+               break;
+       }
+
        if (dev->xfrmdev_ops->xdo_dev_offload_ok)
                return dev->xfrmdev_ops->xdo_dev_offload_ok(skb, x);
 
A mirror of Linus' kernel repository