
Commit aa8bd0c

raed-salemrleon
authored andcommitted
net/mlx5e: Support IPsec acquire default SA
During XFRM stack acquire flow, a default SA is created to be updated later, once acquire netlink message is handled in user space. This SA is also passed to IPsec offload supporting driver, however this SA acts only as placeholder and does not have context suitable for offloading in HW yet. Identify this kind of SA by special offload flag (XFRM_DEV_OFFLOAD_FLAG_ACQ), and create a SW only context. In such cases the context carries a special mark so that it is not installed in HW in the add flow, and on remove/delete this SW only context is freed. Signed-off-by: Raed Salem <raeds@nvidia.com> Link: https://lore.kernel.org/r/8f36d6b61631dcd73fef0a0ac623456030bc9db0.1678714336.git.leon@kernel.org Signed-off-by: Leon Romanovsky <leon@kernel.org>
1 parent b3beba1 commit aa8bd0c


1 file changed

+21
-5
lines changed
  • drivers/net/ethernet/mellanox/mlx5/core/en_accel

1 file changed

+21
-5
lines changed

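--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -308,23 +308,28 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x,
 struct net_device *netdev = x->xso.real_dev;
 struct mlx5e_ipsec *ipsec;
 struct mlx5e_priv *priv;
+gfp_t gfp;
 int err;
 
 priv = netdev_priv(netdev);
 if (!priv->ipsec)
 return -EOPNOTSUPP;
 
 ipsec = priv->ipsec;
-err = mlx5e_xfrm_validate_state(priv->mdev, x, extack);
-if (err)
-return err;
-
-sa_entry = kzalloc(sizeof(*sa_entry), GFP_KERNEL);
+gfp = (x->xso.flags & XFRM_DEV_OFFLOAD_FLAG_ACQ) ? GFP_ATOMIC : GFP_KERNEL;
+sa_entry = kzalloc(sizeof(*sa_entry), gfp);
 if (!sa_entry)
 return -ENOMEM;
 
 sa_entry->x = x;
 sa_entry->ipsec = ipsec;
+/* Check if this SA is originated from acquire flow temporary SA */
+if (x->xso.flags & XFRM_DEV_OFFLOAD_FLAG_ACQ)
+goto out;
+
+err = mlx5e_xfrm_validate_state(priv->mdev, x, extack);
+if (err)
+goto err_xfrm;
 
 /* check esn */
 mlx5e_ipsec_update_esn_state(sa_entry);
@@ -353,6 +358,7 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x,
 mlx5e_ipsec_set_iv_esn : mlx5e_ipsec_set_iv;
 
 INIT_WORK(&sa_entry->modify_work.work, _update_xfrm_state);
+out:
 x->xso.offload_handle = (unsigned long)sa_entry;
 return 0;
 
@@ -372,6 +378,9 @@ static void mlx5e_xfrm_del_state(struct xfrm_state *x)
 struct mlx5e_ipsec *ipsec = sa_entry->ipsec;
 struct mlx5e_ipsec_sa_entry *old;
 
+if (x->xso.flags & XFRM_DEV_OFFLOAD_FLAG_ACQ)
+return;
+
 old = xa_erase_bh(&ipsec->sadb, sa_entry->ipsec_obj_id);
 WARN_ON(old != sa_entry);
 }
@@ -380,9 +389,13 @@ static void mlx5e_xfrm_free_state(struct xfrm_state *x)
 {
 struct mlx5e_ipsec_sa_entry *sa_entry = to_ipsec_sa_entry(x);
 
+if (x->xso.flags & XFRM_DEV_OFFLOAD_FLAG_ACQ)
+goto sa_entry_free;
+
 cancel_work_sync(&sa_entry->modify_work.work);
 mlx5e_accel_ipsec_fs_del_rule(sa_entry);
 mlx5_ipsec_free_sa_ctx(sa_entry);
+sa_entry_free:
 kfree(sa_entry);
 }
 
@@ -486,6 +499,9 @@ static void mlx5e_xfrm_update_curlft(struct xfrm_state *x)
 
 lockdep_assert_held(&x->lock);
 
+if (x->xso.flags & XFRM_DEV_OFFLOAD_FLAG_ACQ)
+return;
+
 if (sa_entry->attrs.soft_packet_limit == XFRM_INF)
 /* Limits are not configured, as soft limit
 * must be lowever than hard limit.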
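Review bot: The placeholder entry published through `x->xso.offload_handle` at the new `out:` label has only `->x` and `->ipsec` set, and nothing in `sa_entry` itself records that, so every callback has to re-test `x->xso.flags & XFRM_DEV_OFFLOAD_FLAG_ACQ` before touching it. The hunks add that test to del_state, free_state and update_curlft, but any other xfrmdev callback in this file that dereferences the handle (none is visible here) would read zero-filled attrs and a `modify_work` that was never passed to `INIT_WORK`. I would state the invariant at the label, for example `/* ACQ placeholder: only ->x and ->ipsec are valid; no HW context, rule or work item exists */`, and confirm the remaining callbacks are covered. Separately, validation now runs after `kzalloc()`, so the `err_xfrm` label, which lies outside the first hunk, has to free `sa_entry` on that path.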
