netdev.vger.kernel.org archive mirror
From: Simon Horman <simon.horman@corigine.com>
To: Dima Chumak <dchumak@nvidia.com>
Cc: "David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	Eric Dumazet <edumazet@google.com>,
	Paolo Abeni <pabeni@redhat.com>,
	netdev@vger.kernel.org, Jiri Pirko <jiri@resnulli.us>,
	Leon Romanovsky <leon@kernel.org>,
	Saeed Mahameed <saeedm@nvidia.com>
Subject: Re: [PATCH net-next V2 2/4] net/mlx5: Implement devlink port function cmds to control ipsec_crypto
Date: Sun, 23 Apr 2023 19:41:20 +0200
Message-ID: <ZEVtwNsM+/VLWp6G@corigine.com>
In-Reply-To: <20230421104901.897946-3-dchumak@nvidia.com>

On Fri, Apr 21, 2023 at 01:48:59PM +0300, Dima Chumak wrote:
> Implement devlink port function commands to enable / disable IPsec
> crypto offloads.  This is used to control the IPsec capability of the
> device.
> 
> When ipsec_crypto is enabled for a VF, it prevents adding IPsec crypto
> offloads on the PF, because the two cannot be active simultaneously due
> to HW constraints. Conversely, if there are any active IPsec crypto
> offloads on the PF, it's not allowed to enable ipsec_crypto on a VF,
> until PF IPsec offloads are cleared.
> 
> Signed-off-by: Dima Chumak <dchumak@nvidia.com>

Hi Dima,

I noticed a few issues in error handling, mostly flagged by smatch.

> @@ -622,6 +624,7 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x,
>  	struct mlx5e_ipsec_sa_entry *sa_entry = NULL;
>  	struct net_device *netdev = x->xso.real_dev;
>  	struct mlx5e_ipsec *ipsec;
> +	struct mlx5_eswitch *esw;
>  	struct mlx5e_priv *priv;
>  	gfp_t gfp;
>  	int err;
> @@ -646,6 +649,11 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x,
>  	if (err)
>  		goto err_xfrm;

goto err_xfrm will now result in a call to
mlx5_eswitch_ipsec_offloads_count_dec().
But mlx5_eswitch_ipsec_offloads_count_inc is not called
until a few lines below.
This seems inconsistent to me.


>  
> +	esw = priv->mdev->priv.eswitch;
> +	if (esw && mlx5_esw_vport_ipsec_offload_enabled(esw))
> +		return -EBUSY;

I think a goto is needed here in order to unwind correctly.

> +	mlx5_eswitch_ipsec_offloads_count_inc(priv->mdev);
> +
>  	/* check esn */
>  	if (x->props.flags & XFRM_STATE_ESN)
>  		mlx5e_ipsec_update_esn_state(sa_entry);
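Review bot: The test `if (esw && mlx5_esw_vport_ipsec_offload_enabled(esw))` and the following `mlx5_eswitch_ipsec_offloads_count_inc(priv->mdev)` are two separate steps with no lock visible in this hunk, so ipsec_crypto could be enabled on a VF between the test and the increment, leaving both sides active, which is the state the commit message says the hardware cannot support. Either perform the test and the increment as one operation under a lock shared with the VF enable path, or add a comment naming the lock that already serializes them. The bare `return -EBUSY` also bypasses the `NL_SET_ERR_MSG_MOD()` at the function's exit, so user space gets no extack for this case; setting a message specific to the VF conflict before unwinding would make the failure diagnosable.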
> @@ -711,6 +719,7 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x,
>  	kfree(sa_entry->work->data);
>  	kfree(sa_entry->work);
>  err_xfrm:
> +	mlx5_eswitch_ipsec_offloads_count_dec(priv->mdev);
>  	kfree(sa_entry);
>  	NL_SET_ERR_MSG_MOD(extack, "Device failed to offload this policy");
>  	return err;
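Review bot: Placing `mlx5_eswitch_ipsec_offloads_count_dec(priv->mdev)` directly under `err_xfrm:` makes it run for every jump to that label, including the `goto err_xfrm` in the previous hunk that comes before `mlx5_eswitch_ipsec_offloads_count_inc()`, so a failure there decrements a count that was never raised. Suggest a separate label just above `err_xfrm:` that holds only the decrement and is used by failures after the increment, leaving `err_xfrm:` to do `kfree(sa_entry)` for the earlier ones.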
> @@ -734,6 +743,7 @@ static void mlx5e_xfrm_del_state(struct xfrm_state *x)
>  		/* Make sure that no ARP requests are running in parallel */
>  		flush_workqueue(ipsec->wq);
>  
> +	mlx5_eswitch_ipsec_offloads_count_dec(ipsec->mdev);
>  }
>  
>  static void mlx5e_xfrm_free_state(struct xfrm_state *x)
> @@ -1007,6 +1017,7 @@ static int mlx5e_xfrm_add_policy(struct xfrm_policy *x,
>  {
>  	struct net_device *netdev = x->xdo.real_dev;
>  	struct mlx5e_ipsec_pol_entry *pol_entry;
> +	struct mlx5_eswitch *esw;
>  	struct mlx5e_priv *priv;
>  	int err;
>  
> @@ -1027,6 +1038,11 @@ static int mlx5e_xfrm_add_policy(struct xfrm_policy *x,
>  	pol_entry->x = x;
>  	pol_entry->ipsec = priv->ipsec;
>  
> +	esw = priv->mdev->priv.eswitch;
> +	if (esw && mlx5_esw_vport_ipsec_offload_enabled(esw))
> +		return -EBUSY;

I think this leaks pol_entry.

> +	mlx5_eswitch_ipsec_offloads_count_inc(priv->mdev);
> +
>  	mlx5e_ipsec_build_accel_pol_attrs(pol_entry, &pol_entry->attrs);
>  	err = mlx5e_accel_ipsec_fs_add_pol(pol_entry);
>  	if (err)
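Review bot: Once `mlx5_eswitch_ipsec_offloads_count_inc(priv->mdev)` has run, the `if (err)` branch after `mlx5e_accel_ipsec_fs_add_pol(pol_entry)` needs a matching `mlx5_eswitch_ipsec_offloads_count_dec()`, otherwise a failed policy add leaves the count raised and, per the commit message, keeps ipsec_crypto from being enabled on a VF. The quoted lines stop at `if (err)`, so the error path should be checked for that decrement. The `return -EBUSY` above should go through the same unwind label, placed so that `pol_entry` is freed but the count is not decremented.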

...
