lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 11 Oct 2022 11:36:20 +0300 From: Leon Romanovsky <leon@...nel.org> To: Yinjun Zhang <yinjun.zhang@...igine.com> Cc: Simon Horman <simon.horman@...igine.com>, David Miller <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org, oss-drivers@...igine.com, Huanhuan Wang <huanhuan.wang@...igine.com>, chengtian.liu@...igine.com Subject: Re: [PATCH net-next v2 3/3] nfp: implement xfrm callbacks and expose ipsec offload feature to upper layer On Mon, Oct 10, 2022 at 03:14:34PM +0800, Yinjun Zhang wrote: > On Thu, Sep 29, 2022 at 11:26:24AM +0300, Leon Romanovsky wrote: > > On Tue, Sep 27, 2022 at 12:27:07PM +0200, Simon Horman wrote: > > > > > + mutex_lock(&ipd->lock); > > > + > > > + if (ipd->sa_free_cnt == 0) { > > > + nn_err(nn, "No space for xfrm offload\n"); > > > + err = -ENOSPC; > > > > Why don't you return EOPNOTSUPP? > > > > Here means no available sa. I think ENOSPC is more appropriate than > EOPNOTSUPP, and it looks like xfrm will fall back to software mode > when driver returns EOPNOTSUPP. Yes, and it is exactly what is expected. If device for some reason doesn't support crypto offload, SW path should be taken instead. > > > > +static void xfrm_invalidate(struct nfp_net *nn, unsigned int saidx, int is_del) > > > +{ > > > + struct nfp_net_ipsec_data *ipd = nn->ipsec_data; > > > + struct nfp_net_ipsec_sa_data *sa_data; > > > + struct nfp_ipsec_cfg_mssg msg; > > > + int err; > > > + > > > + sa_data = &ipd->sa_entries[saidx]; > > > + if (!sa_data->invalidated) { > > > + err = nfp_ipsec_cfg_cmd_issue(nn, NFP_IPSEC_CFG_MSSG_INV_SA, saidx, &msg); > > > + if (err) > > > + nn_warn(nn, "Failed to invalidate SA in hardware\n"); > > > + sa_data->invalidated = 1; > > > + } else if (is_del) { > > > + nn_warn(nn, "Unexpected invalidate state for offloaded saidx %d\n", saidx); > > > > You definitely need to clean all these not-possible flows. > > > > Do you mean clean those sa entries? We clean them by invalidating them. > You can see `xfrm_invalidate` is called in `nfp_net_xfrm_del_state`. No, I means that you can't call to invalidate with "Unexpected ..." state. You should ensure that free/invalidate/e.t.c logic operates on valid SAs only. Thanks
Powered by blists - more mailing lists