From: Sabrina Dubroca <sd@queasysnail.net>
To: Cosmin Ratiu <cratiu@nvidia.com>
Cc: Leon Romanovsky <leonro@nvidia.com>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"razor@blackwall.org" <razor@blackwall.org>,
"steffen.klassert@secunet.com" <steffen.klassert@secunet.com>
Subject: Re: [PATCH ipsec 2/3] Revert "xfrm: Remove unneeded device check from validate_xmit_xfrm"
Date: Wed, 30 Jul 2025 16:02:07 +0200 [thread overview]
Message-ID: <aIol33zSxJk6OQSy@krikkit> (raw)
In-Reply-To: <2b6578f3fa54feff8d7161e3ee46f204e0ae2408.camel@nvidia.com>
2025-07-30, 12:32:13 +0000, Cosmin Ratiu wrote:
> On Wed, 2025-07-30 at 12:26 +0200, Sabrina Dubroca wrote:
> > 2025-07-29, 15:27:39 +0000, Cosmin Ratiu wrote:
> > > On Mon, 2025-07-28 at 17:17 +0200, Sabrina Dubroca wrote:
> > > > This reverts commit d53dda291bbd993a29b84d358d282076e3d01506.
> > > >
> > > > This change causes traffic using GSO with SW crypto running
> > > > through a
> > > > NIC capable of HW offload to no longer get segmented during
> > > > validate_xmit_xfrm.
> > > >
> > > > Fixes: d53dda291bbd ("xfrm: Remove unneeded device check from
> > > > validate_xmit_xfrm")
> > > >
> > >
> > > Thanks for the fix, but I'm curious about details.
> > >
> > > In that commit, I tried to map all of the possible code paths. Can
> > > you
> > > please explain what code paths I missed that need real_dev given
> > > that
> > > only bonding should use it now?
> >
> > After running some more tests, it's not about real_dev, it's the
> > other
> > check ("unlikely(x->xso.dev != dev)" below) that you also removed in
> > that patch that causes the issue in my setup. I don't know how you
> > decided that it should be dropped, since it predates bonding's ipsec
> > offload.
>
> Apologies for that, I think I assumed that if offload is off, then
> xfrm_offload(skb) is NULL and the code bails out early on "if (!xo)".
> Seems I was wrong. On the TX side, the only place that adds a secpath
> and increments sp->olen (and thus add an xfrm_offload) is in
> xfrm_output, after the xfrm_dev_offload_ok check.
Yes, the "offload" code is used for both HW offload and "SW offloads"
(aka GSO/GRO).
> > The codepath is the usual:
> > __dev_queue_xmit -> validate_xmit_skb -> validate_xmit_xfrm
> >
> > Since the commit message made the incorrect claim "ESP offload off:
> > validate_xmit_xfrm returns early on !xo." I didn't check if a partial
> > revert was enough to fix the issue. My bad.
> >
> No problem, good that we caught the actual issue. Will you prepare a
> follow-up patch then?
I'll send a v2 of this series with this patch updated. Thanks.
--
Sabrina
next prev parent reply other threads:[~2025-07-30 14:02 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-28 15:17 [PATCH ipsec 0/3] xfrm: some fixes for GSO with SW crypto Sabrina Dubroca
2025-07-28 15:17 ` [PATCH ipsec 1/3] xfrm: restore GSO for " Sabrina Dubroca
2025-07-29 13:05 ` Leon Romanovsky
2025-07-29 16:06 ` Zhu Yanjun
2025-07-28 15:17 ` [PATCH ipsec 2/3] Revert "xfrm: Remove unneeded device check from validate_xmit_xfrm" Sabrina Dubroca
2025-07-29 13:06 ` Leon Romanovsky
2025-07-29 15:27 ` Cosmin Ratiu
2025-07-30 10:26 ` Sabrina Dubroca
2025-07-30 12:32 ` Cosmin Ratiu
2025-07-30 14:02 ` Sabrina Dubroca [this message]
2025-07-28 15:17 ` [PATCH ipsec 3/3] udp: also consider secpath when evaluating ipsec use for checksumming Sabrina Dubroca
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aIol33zSxJk6OQSy@krikkit \
--to=sd@queasysnail.net \
--cc=cratiu@nvidia.com \
--cc=leonro@nvidia.com \
--cc=netdev@vger.kernel.org \
--cc=razor@blackwall.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.