From: Sabrina Dubroca <sd@queasysnail.net>
To: Bharat Bhushan <bbhushan2@marvell.com>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
sgoutham@marvell.com, gakula@marvell.com, sbhatta@marvell.com,
hkelam@marvell.com, davem@davemloft.net, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com, jerinj@marvell.com,
lcherian@marvell.com, richardcochran@gmail.com,
bharatb.linux@gmail.com
Subject: Re: [net-next PATCH v8 5/8] cn10k-ipsec: Add SA add/del support for outb ipsec crypto offload
Date: Tue, 3 Sep 2024 11:37:56 +0200 [thread overview]
Message-ID: <ZtbY9AF1fjUCcBOH@hog> (raw)
In-Reply-To: <20240903045937.1759543-6-bbhushan2@marvell.com>
2024-09-03, 10:29:34 +0530, Bharat Bhushan wrote:
> +static int cn10k_ipsec_validate_state(struct xfrm_state *x)
> +{
> + struct net_device *netdev = x->xso.dev;
> +
> + if (x->props.aalgo != SADB_AALG_NONE) {
> + netdev_err(netdev, "Cannot offload authenticated xfrm states\n");
This should use extack, to return this information directly to the
application that's creating the invalid config. You can propagate it
from cn10k_ipsec_add_state down to this function, and then:
NL_SET_ERR_MSG_MOD(extack, "Cannot offload authenticated xfrm states");
> +static int cn10k_ipsec_inb_add_state(struct xfrm_state *x)
> +{
> + struct net_device *netdev = x->xso.dev;
> +
> + netdev_err(netdev, "xfrm inbound offload not supported\n");
Here too, extack.
> + return -EOPNOTSUPP;
> +}
> +
> +static int cn10k_ipsec_outb_add_state(struct xfrm_state *x)
> +{
> + struct net_device *netdev = x->xso.dev;
> + struct cn10k_tx_sa_s *sa_entry;
> + struct cpt_ctx_info_s *sa_info;
> + struct otx2_nic *pf;
> + int err;
> +
> + err = cn10k_ipsec_validate_state(x);
> + if (err)
> + return err;
> +
> + pf = netdev_priv(netdev);
> + if (!mutex_trylock(&pf->ipsec.lock)) {
Why not wait until we can take the lock? Failing to offload the state
because this lock is temporarily busy isn't nice to users.
> + netdev_err(netdev, "IPSEC device is busy\n");
> + return -EBUSY;
> + }
> +
> + if (!(pf->flags & OTX2_FLAG_IPSEC_OFFLOAD_ENABLED)) {
> + netdev_err(netdev, "IPSEC not enabled/supported on device\n");
You should also use extack in this function.
[...]
> +static void cn10k_ipsec_del_state(struct xfrm_state *x)
> +{
> + struct net_device *netdev = x->xso.dev;
> + struct cn10k_tx_sa_s *sa_entry;
> + struct cpt_ctx_info_s *sa_info;
> + struct otx2_nic *pf;
> + int sa_index;
> +
> + if (x->xso.dir == XFRM_DEV_OFFLOAD_IN)
> + return;
> +
> + pf = netdev_priv(netdev);
> + if (!mutex_trylock(&pf->ipsec.lock)) {
> + netdev_err(netdev, "IPSEC device is busy\n");
> + return;
If we can't take the lock, we leave the state installed on the device
and leak some memory? That's not good. I assume we're going to reach
HW limits if this happens a bunch of times, and then we can't offload
ipsec at all anymore?
I think it would be better to wait until we can take the lock.
--
Sabrina
next prev parent reply other threads:[~2024-09-03 9:38 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-03 4:59 [net-next PATCH v8 0/8] cn10k-ipsec: Add outbound inline ipsec support Bharat Bhushan
2024-09-03 4:59 ` [net-next PATCH v8 1/8] octeontx2-pf: map skb data as device writeable Bharat Bhushan
2024-09-03 4:59 ` [net-next PATCH v8 2/8] octeontx2-pf: Move skb fragment map/unmap to common code Bharat Bhushan
2024-09-03 4:59 ` [net-next PATCH v8 3/8] octeontx2-af: Disable backpressure between CPT and NIX Bharat Bhushan
2024-09-03 4:59 ` [net-next PATCH v8 4/8] cn10k-ipsec: Init hardware for outbound ipsec crypto offload Bharat Bhushan
2024-09-03 4:59 ` [net-next PATCH v8 5/8] cn10k-ipsec: Add SA add/del support for outb " Bharat Bhushan
2024-09-03 9:37 ` Sabrina Dubroca [this message]
2024-09-03 10:33 ` Bharat Bhushan
2024-09-03 11:53 ` Sabrina Dubroca
2024-09-03 4:59 ` [net-next PATCH v8 6/8] cn10k-ipsec: Process outbound " Bharat Bhushan
2024-09-03 4:59 ` [net-next PATCH v8 7/8] cn10k-ipsec: Allow ipsec crypto offload for skb with SA Bharat Bhushan
2024-09-03 4:59 ` [net-next PATCH v8 8/8] cn10k-ipsec: Enable outbound ipsec crypto offload Bharat Bhushan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZtbY9AF1fjUCcBOH@hog \
--to=sd@queasysnail.net \
--cc=bbhushan2@marvell.com \
--cc=bharatb.linux@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=gakula@marvell.com \
--cc=hkelam@marvell.com \
--cc=jerinj@marvell.com \
--cc=kuba@kernel.org \
--cc=lcherian@marvell.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=richardcochran@gmail.com \
--cc=sbhatta@marvell.com \
--cc=sgoutham@marvell.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).