From: Antonio Quartulli <antonio@openvpn.net>
To: Sabrina Dubroca <sd@queasysnail.net>
Cc: netdev@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Donald Hunter <donald.hunter@gmail.com>,
Shuah Khan <shuah@kernel.org>,
ryazanov.s.a@gmail.com, Andrew Lunn <andrew+netdev@lunn.ch>,
Simon Horman <horms@kernel.org>,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
Xiao Liang <shaw.leon@gmail.com>
Subject: Re: [PATCH v21 09/24] ovpn: implement packet processing
Date: Wed, 5 Mar 2025 00:35:09 +0100 [thread overview]
Message-ID: <8abd4290-cef5-4ea3-bdfc-b872c16efb8a@openvpn.net> (raw)
In-Reply-To: <Z8dOOy9tSpJ1UCiR@hog>
On 04/03/2025 20:02, Sabrina Dubroca wrote:
> 2025-03-04, 01:33:39 +0100, Antonio Quartulli wrote:
>> +struct crypto_aead *ovpn_aead_init(const char *title, const char *alg_name,
>> + const unsigned char *key,
>> + unsigned int keylen)
>
> nit: static? I don't see it used outside this file.
ACK.
>
>
> [...]
>> +static inline struct ovpn_crypto_key_slot *
>> +ovpn_crypto_key_id_to_slot(const struct ovpn_crypto_state *cs, u8 key_id)
>> +{
>> + struct ovpn_crypto_key_slot *ks;
>> + u8 idx;
>> +
>> + if (unlikely(!cs))
>> + return NULL;
>> +
>> + rcu_read_lock();
>> + idx = cs->primary_idx;
>
> I'd go with slots[0] and slots[1], since it doesn't really matter
> whether we check the primary or secondary first. It would avoid a
> possible reload of cs->primary_idx (which might be updated
> concurrently by a key swap and cause us to look into the same slot
> twice) -- a READ_ONCE would also prevent that.
Reason for looking into primary first is that we will most likely need
the primary key to decrypt the incoming traffic.
Secondary is used only during a small (if at all) time window where we
moved to a new key, but our peer was still sending traffic encrypted
with the old (secondary) key.
Therefore optimizing for primary-first may make a non-negligible
difference under heavy load.
Code doesn't get more complex due to this logic, therefore I'd keep this
version (with READ_ONCE(cs->primary_idx)), unless there is a strong
argument against it.
Thanks!
>
>> + ks = rcu_dereference(cs->slots[idx]);
>> + if (ks && ks->key_id == key_id) {
>> + if (unlikely(!ovpn_crypto_key_slot_hold(ks)))
>> + ks = NULL;
>> + goto out;
>> + }
>> +
>> + ks = rcu_dereference(cs->slots[!idx]);
>> + if (ks && ks->key_id == key_id) {
>> + if (unlikely(!ovpn_crypto_key_slot_hold(ks)))
>> + ks = NULL;
>> + goto out;
>> + }
>> +
>> + /* when both key slots are occupied but no matching key ID is found, ks
>> + * has to be reset to NULL to avoid carrying a stale pointer
>> + */
>> + ks = NULL;
>> +out:
>> + rcu_read_unlock();
>> +
>> + return ks;
>> +}
>
--
Antonio Quartulli
OpenVPN Inc.
next prev parent reply other threads:[~2025-03-04 23:35 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-04 0:33 [PATCH v21 00/24] Introducing OpenVPN Data Channel Offload Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 01/24] net: introduce OpenVPN Data Channel Offload (ovpn) Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 02/24] ovpn: add basic netlink support Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 03/24] ovpn: add basic interface creation/destruction/management routines Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 04/24] ovpn: keep carrier always on for MP interfaces Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 05/24] ovpn: introduce the ovpn_peer object Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 06/24] ovpn: introduce the ovpn_socket object Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 07/24] ovpn: implement basic TX path (UDP) Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 08/24] ovpn: implement basic RX " Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 09/24] ovpn: implement packet processing Antonio Quartulli
2025-03-04 19:02 ` Sabrina Dubroca
2025-03-04 23:35 ` Antonio Quartulli [this message]
2025-03-05 10:06 ` Sabrina Dubroca
2025-03-04 0:33 ` [PATCH v21 10/24] ovpn: store tunnel and transport statistics Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 11/24] ovpn: implement TCP transport Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 12/24] skb: implement skb_send_sock_locked_with_flags() Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 13/24] ovpn: add support for MSG_NOSIGNAL in tcp_sendmsg Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 14/24] ovpn: implement multi-peer support Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 15/24] ovpn: implement peer lookup logic Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 16/24] ovpn: implement keepalive mechanism Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 17/24] ovpn: add support for updating local UDP endpoint Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 18/24] ovpn: add support for peer floating Antonio Quartulli
2025-03-04 18:37 ` Sabrina Dubroca
2025-03-04 23:19 ` Antonio Quartulli
2025-03-05 0:19 ` Antonio Quartulli
2025-03-05 11:20 ` Sabrina Dubroca
2025-03-05 13:14 ` Antonio Quartulli
2025-03-05 16:56 ` Sabrina Dubroca
2025-03-06 10:02 ` Antonio Quartulli
2025-03-07 10:12 ` Sabrina Dubroca
2025-03-10 12:57 ` Antonio Quartulli
2025-03-10 22:32 ` Sabrina Dubroca
2025-03-04 0:33 ` [PATCH v21 19/24] ovpn: implement peer add/get/dump/delete via netlink Antonio Quartulli
2025-03-04 14:35 ` Sabrina Dubroca
2025-03-04 21:42 ` Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 20/24] ovpn: implement key add/get/del/swap " Antonio Quartulli
2025-03-04 12:00 ` Sabrina Dubroca
2025-03-04 12:11 ` Antonio Quartulli
2025-03-04 23:09 ` Sabrina Dubroca
2025-03-05 1:00 ` Antonio Quartulli
2025-03-05 10:11 ` Sabrina Dubroca
2025-03-05 13:17 ` Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 21/24] ovpn: kill key and notify userspace in case of IV exhaustion Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 22/24] ovpn: notify userspace when a peer is deleted Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 23/24] ovpn: add basic ethtool support Antonio Quartulli
2025-03-04 0:33 ` [PATCH v21 24/24] testing/selftests: add test tool and scripts for ovpn module Antonio Quartulli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8abd4290-cef5-4ea3-bdfc-b872c16efb8a@openvpn.net \
--to=antonio@openvpn.net \
--cc=andrew+netdev@lunn.ch \
--cc=donald.hunter@gmail.com \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=ryazanov.s.a@gmail.com \
--cc=sd@queasysnail.net \
--cc=shaw.leon@gmail.com \
--cc=shuah@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox