Re: [PATCH net-next V2 2/4] net/mlx5: Implement devlink port function cmds to control ipsec_crypto

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Simon Horman <simon.horman@corigine.com>
To: Dima Chumak <dchumak@nvidia.com>
Cc: "David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	Eric Dumazet <edumazet@google.com>,
	Paolo Abeni <pabeni@redhat.com>,
	netdev@vger.kernel.org, Jiri Pirko <jiri@resnulli.us>,
	Leon Romanovsky <leon@kernel.org>,
	Saeed Mahameed <saeedm@nvidia.com>
Subject: Re: [PATCH net-next V2 2/4] net/mlx5: Implement devlink port function cmds to control ipsec_crypto
Date: Sun, 23 Apr 2023 19:41:20 +0200	[thread overview]
Message-ID: <ZEVtwNsM+/VLWp6G@corigine.com> (raw)
In-Reply-To: <20230421104901.897946-3-dchumak@nvidia.com>

On Fri, Apr 21, 2023 at 01:48:59PM +0300, Dima Chumak wrote:
> Implement devlink port function commands to enable / disable IPsec
> crypto offloads.  This is used to control the IPsec capability of the
> device.
> 
> When ipsec_crypto is enabled for a VF, it prevents adding IPsec crypto
> offloads on the PF, because the two cannot be active simultaneously due
> to HW constraints. Conversely, if there are any active IPsec crypto
> offloads on the PF, it's not allowed to enable ipsec_crypto on a VF,
> until PF IPsec offloads are cleared.
> 
> Signed-off-by: Dima Chumak <dchumak@nvidia.com>

Hi Dima,

I noticed a few issues in error handling, mostly flagged by smatch.

> @@ -622,6 +624,7 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x,
>  	struct mlx5e_ipsec_sa_entry *sa_entry = NULL;
>  	struct net_device *netdev = x->xso.real_dev;
>  	struct mlx5e_ipsec *ipsec;
> +	struct mlx5_eswitch *esw;
>  	struct mlx5e_priv *priv;
>  	gfp_t gfp;
>  	int err;
> @@ -646,6 +649,11 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x,
>  	if (err)
>  		goto err_xfrm;

goto err_xfrm will now result in a call to
mlx5_eswitch_ipsec_offloads_count_dec().
But mlx5_eswitch_ipsec_offloads_count_inc is not called
until a few lines below.
This seems inconsistent to me.


>  
> +	esw = priv->mdev->priv.eswitch;
> +	if (esw && mlx5_esw_vport_ipsec_offload_enabled(esw))
> +		return -EBUSY;

I think a goto is needed here in order to unwind correctly.

> +	mlx5_eswitch_ipsec_offloads_count_inc(priv->mdev);
> +
>  	/* check esn */
>  	if (x->props.flags & XFRM_STATE_ESN)
>  		mlx5e_ipsec_update_esn_state(sa_entry);
> @@ -711,6 +719,7 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x,
>  	kfree(sa_entry->work->data);
>  	kfree(sa_entry->work);
>  err_xfrm:
> +	mlx5_eswitch_ipsec_offloads_count_dec(priv->mdev);
>  	kfree(sa_entry);
>  	NL_SET_ERR_MSG_MOD(extack, "Device failed to offload this policy");
>  	return err;
> @@ -734,6 +743,7 @@ static void mlx5e_xfrm_del_state(struct xfrm_state *x)
>  		/* Make sure that no ARP requests are running in parallel */
>  		flush_workqueue(ipsec->wq);
>  
> +	mlx5_eswitch_ipsec_offloads_count_dec(ipsec->mdev);
>  }
>  
>  static void mlx5e_xfrm_free_state(struct xfrm_state *x)
> @@ -1007,6 +1017,7 @@ static int mlx5e_xfrm_add_policy(struct xfrm_policy *x,
>  {
>  	struct net_device *netdev = x->xdo.real_dev;
>  	struct mlx5e_ipsec_pol_entry *pol_entry;
> +	struct mlx5_eswitch *esw;
>  	struct mlx5e_priv *priv;
>  	int err;
>  
> @@ -1027,6 +1038,11 @@ static int mlx5e_xfrm_add_policy(struct xfrm_policy *x,
>  	pol_entry->x = x;
>  	pol_entry->ipsec = priv->ipsec;
>  
> +	esw = priv->mdev->priv.eswitch;
> +	if (esw && mlx5_esw_vport_ipsec_offload_enabled(esw))
> +		return -EBUSY;

I think this leaks pol_entry.

> +	mlx5_eswitch_ipsec_offloads_count_inc(priv->mdev);
> +
>  	mlx5e_ipsec_build_accel_pol_attrs(pol_entry, &pol_entry->attrs);
>  	err = mlx5e_accel_ipsec_fs_add_pol(pol_entry);
>  	if (err)

...

next prev parent reply	other threads:[~2023-04-23 17:41 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-04-21 10:48 [PATCH net-next V2 0/4] devlink: Add port function attributes Dima Chumak
2023-04-21 10:48 ` [PATCH net-next V2 1/4] devlink: Expose port function commands to control IPsec crypto offloads Dima Chumak
2023-04-21 10:48 ` [PATCH net-next V2 2/4] net/mlx5: Implement devlink port function cmds to control ipsec_crypto Dima Chumak
2023-04-23 16:30   ` Leon Romanovsky
2023-04-23 17:41   ` Simon Horman [this message]
2023-04-21 10:49 ` [PATCH net-next V2 3/4] devlink: Expose port function commands to control IPsec packet offloads Dima Chumak
2023-04-21 10:49 ` [PATCH net-next V2 4/4] net/mlx5: Implement devlink port function cmds to control ipsec_packet Dima Chumak

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZEVtwNsM+/VLWp6G@corigine.com \
    --to=simon.horman@corigine.com \
    --cc=davem@davemloft.net \
    --cc=dchumak@nvidia.com \
    --cc=edumazet@google.com \
    --cc=jiri@resnulli.us \
    --cc=kuba@kernel.org \
    --cc=leon@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=saeedm@nvidia.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.