
Merge tag 'ipsec-next-2025-05-23' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next

Steffen Klassert says:

====================
1) Remove some unnecessary strscpy_pad() size arguments.
From Thorsten Blum.

2) Correct use of xso.real_dev on bonding offloads.
Patchset from Cosmin Ratiu.

3) Add hardware offload configuration to XFRM_MSG_MIGRATE.
From Chiachang Wang.

4) Refactor migration setup during cloning. This was
done after the clone was created. Now it is done
in the cloning function itself.
From Chiachang Wang.

5) Validate assignment of maximal possible SEQ number.
Prevent setting it to the maximum sequence number,
as this would cause traffic drops.
From Leon Romanovsky.

6) Prevent configuration of interface index when offload
is used. Hardware can't handle this case.i
From Leon Romanovsky.

7) Always use kfree_sensitive() for SA secret zeroization.
From Zilin Guan.

ipsec-next-2025-05-23

* tag 'ipsec-next-2025-05-23' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next:
xfrm: use kfree_sensitive() for SA secret zeroization
xfrm: prevent configuration of interface index when offload is used
xfrm: validate assignment of maximal possible SEQ number
xfrm: Refactor migration setup during the cloning process
xfrm: Migrate offload configuration
bonding: Fix multiple long standing offload races
bonding: Mark active offloaded xfrm_states
xfrm: Add explicit dev to .xdo_dev_state_{add,delete,free}
xfrm: Remove unneeded device check from validate_xmit_xfrm
xfrm: Use xdo.dev instead of xdo.real_dev
net/mlx5: Avoid using xso.real_dev unnecessarily
xfrm: Remove unnecessary strscpy_pad() size arguments
====================

Link: https://patch.msgid.link/20250523075611.3723340-1-steffen.klassert@secunet.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

+277 -201
+7 -3
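--- a/Documentation/networking/xfrm_device.rst
+++ b/Documentation/networking/xfrm_device.rst
@@ -65,9 +65,13 @@
 /* from include/linux/netdevice.h */
 struct xfrmdev_ops {
 	/* Crypto and Packet offload callbacks */
-	int (*xdo_dev_state_add) (struct xfrm_state *x, struct netlink_ext_ack *extack);
-	void (*xdo_dev_state_delete) (struct xfrm_state *x);
-	void (*xdo_dev_state_free) (struct xfrm_state *x);
+	int (*xdo_dev_state_add)(struct net_device *dev,
+				 struct xfrm_state *x,
+				 struct netlink_ext_ack *extack);
+	void (*xdo_dev_state_delete)(struct net_device *dev,
+				     struct xfrm_state *x);
+	void (*xdo_dev_state_free)(struct net_device *dev,
+				   struct xfrm_state *x);
 	bool (*xdo_dev_offload_ok) (struct sk_buff *skb,
 				    struct xfrm_state *x);
 	void (*xdo_dev_state_advance_esn) (struct xfrm_state *x);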
+58 -61
drivers/net/bonding/bond_main.c
··· 453 453 454 454 /** 455 455 * bond_ipsec_add_sa - program device with a security association 456 + * @bond_dev: pointer to the bond net device 456 457 * @xs: pointer to transformer state struct 457 458 * @extack: extack point to fill failure reason 458 459 **/ 459 - static int bond_ipsec_add_sa(struct xfrm_state *xs, 460 + static int bond_ipsec_add_sa(struct net_device *bond_dev, 461 + struct xfrm_state *xs, 460 462 struct netlink_ext_ack *extack) 461 463 { 462 - struct net_device *bond_dev = xs->xso.dev; 463 464 struct net_device *real_dev; 464 465 netdevice_tracker tracker; 465 466 struct bond_ipsec *ipsec; ··· 496 495 goto out; 497 496 } 498 497 499 - xs->xso.real_dev = real_dev; 500 - err = real_dev->xfrmdev_ops->xdo_dev_state_add(xs, extack); 498 + err = real_dev->xfrmdev_ops->xdo_dev_state_add(real_dev, xs, extack); 501 499 if (!err) { 500 + xs->xso.real_dev = real_dev; 502 501 ipsec->xs = xs; 503 502 INIT_LIST_HEAD(&ipsec->list); 504 503 mutex_lock(&bond->ipsec_lock); ··· 540 539 if (ipsec->xs->xso.real_dev == real_dev) 541 540 continue; 542 541 543 - ipsec->xs->xso.real_dev = real_dev; 544 - if (real_dev->xfrmdev_ops->xdo_dev_state_add(ipsec->xs, NULL)) { 542 + if (real_dev->xfrmdev_ops->xdo_dev_state_add(real_dev, 543 + ipsec->xs, NULL)) { 545 544 slave_warn(bond_dev, real_dev, "%s: failed to add SA\n", __func__); 546 - ipsec->xs->xso.real_dev = NULL; 545 + continue; 547 546 } 547 + 548 + spin_lock_bh(&ipsec->xs->lock); 549 + /* xs might have been killed by the user during the migration 550 + * to the new dev, but bond_ipsec_del_sa() should have done 551 + * nothing, as xso.real_dev is NULL. 552 + * Delete it from the device we just added it to. The pending 553 + * bond_ipsec_free_sa() call will do the rest of the cleanup. 
554 + */ 555 + if (ipsec->xs->km.state == XFRM_STATE_DEAD && 556 + real_dev->xfrmdev_ops->xdo_dev_state_delete) 557 + real_dev->xfrmdev_ops->xdo_dev_state_delete(real_dev, 558 + ipsec->xs); 559 + ipsec->xs->xso.real_dev = real_dev; 560 + spin_unlock_bh(&ipsec->xs->lock); 548 561 } 549 562 out: 550 563 mutex_unlock(&bond->ipsec_lock); ··· 566 551 567 552 /** 568 553 * bond_ipsec_del_sa - clear out this specific SA 554 + * @bond_dev: pointer to the bond net device 569 555 * @xs: pointer to transformer state struct 570 556 **/ 571 - static void bond_ipsec_del_sa(struct xfrm_state *xs) 557 + static void bond_ipsec_del_sa(struct net_device *bond_dev, 558 + struct xfrm_state *xs) 572 559 { 573 - struct net_device *bond_dev = xs->xso.dev; 574 560 struct net_device *real_dev; 575 - netdevice_tracker tracker; 576 - struct bond_ipsec *ipsec; 577 - struct bonding *bond; 578 - struct slave *slave; 579 561 580 - if (!bond_dev) 562 + if (!bond_dev || !xs->xso.real_dev) 581 563 return; 582 564 583 - rcu_read_lock(); 584 - bond = netdev_priv(bond_dev); 585 - slave = rcu_dereference(bond->curr_active_slave); 586 - real_dev = slave ? 
slave->dev : NULL; 587 - netdev_hold(real_dev, &tracker, GFP_ATOMIC); 588 - rcu_read_unlock(); 589 - 590 - if (!slave) 591 - goto out; 592 - 593 - if (!xs->xso.real_dev) 594 - goto out; 595 - 596 - WARN_ON(xs->xso.real_dev != real_dev); 565 + real_dev = xs->xso.real_dev; 597 566 598 567 if (!real_dev->xfrmdev_ops || 599 568 !real_dev->xfrmdev_ops->xdo_dev_state_delete || 600 569 netif_is_bond_master(real_dev)) { 601 570 slave_warn(bond_dev, real_dev, "%s: no slave xdo_dev_state_delete\n", __func__); 602 - goto out; 571 + return; 603 572 } 604 573 605 - real_dev->xfrmdev_ops->xdo_dev_state_delete(xs); 606 - out: 607 - netdev_put(real_dev, &tracker); 608 - mutex_lock(&bond->ipsec_lock); 609 - list_for_each_entry(ipsec, &bond->ipsec_list, list) { 610 - if (ipsec->xs == xs) { 611 - list_del(&ipsec->list); 612 - kfree(ipsec); 613 - break; 614 - } 615 - } 616 - mutex_unlock(&bond->ipsec_lock); 574 + real_dev->xfrmdev_ops->xdo_dev_state_delete(real_dev, xs); 617 575 } 618 576 619 577 static void bond_ipsec_del_sa_all(struct bonding *bond) ··· 612 624 slave_warn(bond_dev, real_dev, 613 625 "%s: no slave xdo_dev_state_delete\n", 614 626 __func__); 615 - } else { 616 - real_dev->xfrmdev_ops->xdo_dev_state_delete(ipsec->xs); 617 - if (real_dev->xfrmdev_ops->xdo_dev_state_free) 618 - real_dev->xfrmdev_ops->xdo_dev_state_free(ipsec->xs); 627 + continue; 619 628 } 629 + 630 + spin_lock_bh(&ipsec->xs->lock); 631 + ipsec->xs->xso.real_dev = NULL; 632 + /* Don't double delete states killed by the user. 
*/ 633 + if (ipsec->xs->km.state != XFRM_STATE_DEAD) 634 + real_dev->xfrmdev_ops->xdo_dev_state_delete(real_dev, 635 + ipsec->xs); 636 + spin_unlock_bh(&ipsec->xs->lock); 637 + 638 + if (real_dev->xfrmdev_ops->xdo_dev_state_free) 639 + real_dev->xfrmdev_ops->xdo_dev_state_free(real_dev, 640 + ipsec->xs); 620 641 } 621 642 mutex_unlock(&bond->ipsec_lock); 622 643 } 623 644 624 - static void bond_ipsec_free_sa(struct xfrm_state *xs) 645 + static void bond_ipsec_free_sa(struct net_device *bond_dev, 646 + struct xfrm_state *xs) 625 647 { 626 - struct net_device *bond_dev = xs->xso.dev; 627 648 struct net_device *real_dev; 628 - netdevice_tracker tracker; 649 + struct bond_ipsec *ipsec; 629 650 struct bonding *bond; 630 - struct slave *slave; 631 651 632 652 if (!bond_dev) 633 653 return; 634 654 635 - rcu_read_lock(); 636 655 bond = netdev_priv(bond_dev); 637 - slave = rcu_dereference(bond->curr_active_slave); 638 - real_dev = slave ? slave->dev : NULL; 639 - netdev_hold(real_dev, &tracker, GFP_ATOMIC); 640 - rcu_read_unlock(); 641 656 642 - if (!slave) 643 - goto out; 644 - 657 + mutex_lock(&bond->ipsec_lock); 645 658 if (!xs->xso.real_dev) 646 659 goto out; 647 660 648 - WARN_ON(xs->xso.real_dev != real_dev); 661 + real_dev = xs->xso.real_dev; 649 662 650 - if (real_dev && real_dev->xfrmdev_ops && 663 + xs->xso.real_dev = NULL; 664 + if (real_dev->xfrmdev_ops && 651 665 real_dev->xfrmdev_ops->xdo_dev_state_free) 652 - real_dev->xfrmdev_ops->xdo_dev_state_free(xs); 666 + real_dev->xfrmdev_ops->xdo_dev_state_free(real_dev, xs); 653 667 out: 654 - netdev_put(real_dev, &tracker); 668 + list_for_each_entry(ipsec, &bond->ipsec_list, list) { 669 + if (ipsec->xs == xs) { 670 + list_del(&ipsec->list); 671 + kfree(ipsec); 672 + break; 673 + } 674 + } 675 + mutex_unlock(&bond->ipsec_lock); 655 676 } 656 677 657 678 /**
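Review bot: The rewritten bond_ipsec_del_sa() dereferences `xs->xso.real_dev` with no netdev tracker and no lock taken in the function itself, so its safety now rests entirely on the caller holding xs->lock — the same lock under which bond_ipsec_del_sa_all() clears `xso.real_dev` and under which bond_ipsec_add_sa_all() re-points it. The new comment in include/net/xfrm.h states exactly that contract for the delete flow, but nothing in this function records or checks it. If the xfrm core does hold x->lock around .xdo_dev_state_delete() (I believe __xfrm_state_delete() does, but it is outside this diff), add `lockdep_assert_held(&xs->lock);` after the early return together with a one-line comment `/* real_dev is stable here: cleared only under xs->lock in bond_ipsec_del_sa_all() */`. Note also that bond_ipsec_add_sa() still stores `xs->xso.real_dev = real_dev` without xs->lock; that may be fine because the state is not yet visible to the bond list at that point, but a short comment saying so would spare the next reader the same question.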
+11 -9
drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
··· 6480 6480 6481 6481 #if IS_ENABLED(CONFIG_CHELSIO_IPSEC_INLINE) 6482 6482 6483 - static int cxgb4_xfrm_add_state(struct xfrm_state *x, 6483 + static int cxgb4_xfrm_add_state(struct net_device *dev, 6484 + struct xfrm_state *x, 6484 6485 struct netlink_ext_ack *extack) 6485 6486 { 6486 - struct adapter *adap = netdev2adap(x->xso.dev); 6487 + struct adapter *adap = netdev2adap(dev); 6487 6488 int ret; 6488 6489 6489 6490 if (!mutex_trylock(&uld_mutex)) { ··· 6495 6494 if (ret) 6496 6495 goto out_unlock; 6497 6496 6498 - ret = adap->uld[CXGB4_ULD_IPSEC].xfrmdev_ops->xdo_dev_state_add(x, extack); 6497 + ret = adap->uld[CXGB4_ULD_IPSEC].xfrmdev_ops->xdo_dev_state_add(dev, x, 6498 + extack); 6499 6499 6500 6500 out_unlock: 6501 6501 mutex_unlock(&uld_mutex); ··· 6504 6502 return ret; 6505 6503 } 6506 6504 6507 - static void cxgb4_xfrm_del_state(struct xfrm_state *x) 6505 + static void cxgb4_xfrm_del_state(struct net_device *dev, struct xfrm_state *x) 6508 6506 { 6509 - struct adapter *adap = netdev2adap(x->xso.dev); 6507 + struct adapter *adap = netdev2adap(dev); 6510 6508 6511 6509 if (!mutex_trylock(&uld_mutex)) { 6512 6510 dev_dbg(adap->pdev_dev, ··· 6516 6514 if (chcr_offload_state(adap, CXGB4_XFRMDEV_OPS)) 6517 6515 goto out_unlock; 6518 6516 6519 - adap->uld[CXGB4_ULD_IPSEC].xfrmdev_ops->xdo_dev_state_delete(x); 6517 + adap->uld[CXGB4_ULD_IPSEC].xfrmdev_ops->xdo_dev_state_delete(dev, x); 6520 6518 6521 6519 out_unlock: 6522 6520 mutex_unlock(&uld_mutex); 6523 6521 } 6524 6522 6525 - static void cxgb4_xfrm_free_state(struct xfrm_state *x) 6523 + static void cxgb4_xfrm_free_state(struct net_device *dev, struct xfrm_state *x) 6526 6524 { 6527 - struct adapter *adap = netdev2adap(x->xso.dev); 6525 + struct adapter *adap = netdev2adap(dev); 6528 6526 6529 6527 if (!mutex_trylock(&uld_mutex)) { 6530 6528 dev_dbg(adap->pdev_dev, ··· 6534 6532 if (chcr_offload_state(adap, CXGB4_XFRMDEV_OPS)) 6535 6533 goto out_unlock; 6536 6534 6537 - 
adap->uld[CXGB4_ULD_IPSEC].xfrmdev_ops->xdo_dev_state_free(x); 6535 + adap->uld[CXGB4_ULD_IPSEC].xfrmdev_ops->xdo_dev_state_free(dev, x); 6538 6536 6539 6537 out_unlock: 6540 6538 mutex_unlock(&uld_mutex);
+12 -6
drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
··· 75 75 static int ch_ipsec_xmit(struct sk_buff *skb, struct net_device *dev); 76 76 static void *ch_ipsec_uld_add(const struct cxgb4_lld_info *infop); 77 77 static void ch_ipsec_advance_esn_state(struct xfrm_state *x); 78 - static void ch_ipsec_xfrm_free_state(struct xfrm_state *x); 79 - static void ch_ipsec_xfrm_del_state(struct xfrm_state *x); 80 - static int ch_ipsec_xfrm_add_state(struct xfrm_state *x, 78 + static void ch_ipsec_xfrm_free_state(struct net_device *dev, 79 + struct xfrm_state *x); 80 + static void ch_ipsec_xfrm_del_state(struct net_device *dev, 81 + struct xfrm_state *x); 82 + static int ch_ipsec_xfrm_add_state(struct net_device *dev, 83 + struct xfrm_state *x, 81 84 struct netlink_ext_ack *extack); 82 85 83 86 static const struct xfrmdev_ops ch_ipsec_xfrmdev_ops = { ··· 226 223 * returns 0 on success, negative error if failed to send message to FPGA 227 224 * positive error if FPGA returned a bad response 228 225 */ 229 - static int ch_ipsec_xfrm_add_state(struct xfrm_state *x, 226 + static int ch_ipsec_xfrm_add_state(struct net_device *dev, 227 + struct xfrm_state *x, 230 228 struct netlink_ext_ack *extack) 231 229 { 232 230 struct ipsec_sa_entry *sa_entry; ··· 306 302 return res; 307 303 } 308 304 309 - static void ch_ipsec_xfrm_del_state(struct xfrm_state *x) 305 + static void ch_ipsec_xfrm_del_state(struct net_device *dev, 306 + struct xfrm_state *x) 310 307 { 311 308 /* do nothing */ 312 309 if (!x->xso.offload_handle) 313 310 return; 314 311 } 315 312 316 - static void ch_ipsec_xfrm_free_state(struct xfrm_state *x) 313 + static void ch_ipsec_xfrm_free_state(struct net_device *dev, 314 + struct xfrm_state *x) 317 315 { 318 316 struct ipsec_sa_entry *sa_entry; 319 317
+23 -18
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
··· 9 9 #define IXGBE_IPSEC_KEY_BITS 160 10 10 static const char aes_gcm_name[] = "rfc4106(gcm(aes))"; 11 11 12 - static void ixgbe_ipsec_del_sa(struct xfrm_state *xs); 12 + static void ixgbe_ipsec_del_sa(struct net_device *dev, struct xfrm_state *xs); 13 13 14 14 /** 15 15 * ixgbe_ipsec_set_tx_sa - set the Tx SA registers ··· 321 321 322 322 if (r->used) { 323 323 if (r->mode & IXGBE_RXTXMOD_VF) 324 - ixgbe_ipsec_del_sa(r->xs); 324 + ixgbe_ipsec_del_sa(adapter->netdev, r->xs); 325 325 else 326 326 ixgbe_ipsec_set_rx_sa(hw, i, r->xs->id.spi, 327 327 r->key, r->salt, ··· 330 330 331 331 if (t->used) { 332 332 if (t->mode & IXGBE_RXTXMOD_VF) 333 - ixgbe_ipsec_del_sa(t->xs); 333 + ixgbe_ipsec_del_sa(adapter->netdev, t->xs); 334 334 else 335 335 ixgbe_ipsec_set_tx_sa(hw, i, t->key, t->salt); 336 336 } ··· 417 417 418 418 /** 419 419 * ixgbe_ipsec_parse_proto_keys - find the key and salt based on the protocol 420 + * @dev: pointer to net device 420 421 * @xs: pointer to xfrm_state struct 421 422 * @mykey: pointer to key array to populate 422 423 * @mysalt: pointer to salt value to populate ··· 425 424 * This copies the protocol keys and salt to our own data tables. The 426 425 * 82599 family only supports the one algorithm. 
427 426 **/ 428 - static int ixgbe_ipsec_parse_proto_keys(struct xfrm_state *xs, 427 + static int ixgbe_ipsec_parse_proto_keys(struct net_device *dev, 428 + struct xfrm_state *xs, 429 429 u32 *mykey, u32 *mysalt) 430 430 { 431 - struct net_device *dev = xs->xso.real_dev; 432 431 unsigned char *key_data; 433 432 char *alg_name = NULL; 434 433 int key_len; ··· 474 473 475 474 /** 476 475 * ixgbe_ipsec_check_mgmt_ip - make sure there is no clash with mgmt IP filters 476 + * @dev: pointer to net device 477 477 * @xs: pointer to transformer state struct 478 478 **/ 479 - static int ixgbe_ipsec_check_mgmt_ip(struct xfrm_state *xs) 479 + static int ixgbe_ipsec_check_mgmt_ip(struct net_device *dev, 480 + struct xfrm_state *xs) 480 481 { 481 - struct net_device *dev = xs->xso.real_dev; 482 482 struct ixgbe_adapter *adapter = ixgbe_from_netdev(dev); 483 483 struct ixgbe_hw *hw = &adapter->hw; 484 484 u32 mfval, manc, reg; ··· 558 556 559 557 /** 560 558 * ixgbe_ipsec_add_sa - program device with a security association 559 + * @dev: pointer to device to program 561 560 * @xs: pointer to transformer state struct 562 561 * @extack: extack point to fill failure reason 563 562 **/ 564 - static int ixgbe_ipsec_add_sa(struct xfrm_state *xs, 563 + static int ixgbe_ipsec_add_sa(struct net_device *dev, 564 + struct xfrm_state *xs, 565 565 struct netlink_ext_ack *extack) 566 566 { 567 - struct net_device *dev = xs->xso.real_dev; 568 567 struct ixgbe_adapter *adapter = ixgbe_from_netdev(dev); 569 568 struct ixgbe_ipsec *ipsec = adapter->ipsec; 570 569 struct ixgbe_hw *hw = &adapter->hw; ··· 584 581 return -EINVAL; 585 582 } 586 583 587 - if (ixgbe_ipsec_check_mgmt_ip(xs)) { 584 + if (ixgbe_ipsec_check_mgmt_ip(dev, xs)) { 588 585 NL_SET_ERR_MSG_MOD(extack, "IPsec IP addr clash with mgmt filters"); 589 586 return -EINVAL; 590 587 } ··· 618 615 rsa.decrypt = xs->ealg || xs->aead; 619 616 620 617 /* get the key and salt */ 621 - ret = ixgbe_ipsec_parse_proto_keys(xs, rsa.key, &rsa.salt); 
618 + ret = ixgbe_ipsec_parse_proto_keys(dev, xs, rsa.key, &rsa.salt); 622 619 if (ret) { 623 620 NL_SET_ERR_MSG_MOD(extack, "Failed to get key data for Rx SA table"); 624 621 return ret; ··· 727 724 if (xs->id.proto & IPPROTO_ESP) 728 725 tsa.encrypt = xs->ealg || xs->aead; 729 726 730 - ret = ixgbe_ipsec_parse_proto_keys(xs, tsa.key, &tsa.salt); 727 + ret = ixgbe_ipsec_parse_proto_keys(dev, xs, tsa.key, &tsa.salt); 731 728 if (ret) { 732 729 NL_SET_ERR_MSG_MOD(extack, "Failed to get key data for Tx SA table"); 733 730 memset(&tsa, 0, sizeof(tsa)); ··· 755 752 756 753 /** 757 754 * ixgbe_ipsec_del_sa - clear out this specific SA 755 + * @dev: pointer to device to program 758 756 * @xs: pointer to transformer state struct 759 757 **/ 760 - static void ixgbe_ipsec_del_sa(struct xfrm_state *xs) 758 + static void ixgbe_ipsec_del_sa(struct net_device *dev, struct xfrm_state *xs) 761 759 { 762 - struct net_device *dev = xs->xso.real_dev; 763 760 struct ixgbe_adapter *adapter = ixgbe_from_netdev(dev); 764 761 struct ixgbe_ipsec *ipsec = adapter->ipsec; 765 762 struct ixgbe_hw *hw = &adapter->hw; ··· 844 841 continue; 845 842 if (ipsec->rx_tbl[i].mode & IXGBE_RXTXMOD_VF && 846 843 ipsec->rx_tbl[i].vf == vf) 847 - ixgbe_ipsec_del_sa(ipsec->rx_tbl[i].xs); 844 + ixgbe_ipsec_del_sa(adapter->netdev, 845 + ipsec->rx_tbl[i].xs); 848 846 } 849 847 850 848 /* search tx sa table */ ··· 854 850 continue; 855 851 if (ipsec->tx_tbl[i].mode & IXGBE_RXTXMOD_VF && 856 852 ipsec->tx_tbl[i].vf == vf) 857 - ixgbe_ipsec_del_sa(ipsec->tx_tbl[i].xs); 853 + ixgbe_ipsec_del_sa(adapter->netdev, 854 + ipsec->tx_tbl[i].xs); 858 855 } 859 856 } 860 857 ··· 935 930 memcpy(xs->aead->alg_name, aes_gcm_name, sizeof(aes_gcm_name)); 936 931 937 932 /* set up the HW offload */ 938 - err = ixgbe_ipsec_add_sa(xs, NULL); 933 + err = ixgbe_ipsec_add_sa(adapter->netdev, xs, NULL); 939 934 if (err) 940 935 goto err_aead; 941 936 ··· 1039 1034 xs = ipsec->tx_tbl[sa_idx].xs; 1040 1035 } 1041 1036 1042 - 
ixgbe_ipsec_del_sa(xs); 1037 + ixgbe_ipsec_del_sa(adapter->netdev, xs); 1043 1038 1044 1039 /* remove the xs that was made-up in the add request */ 1045 1040 kfree_sensitive(xs);
+13 -8
drivers/net/ethernet/intel/ixgbevf/ipsec.c
··· 201 201 202 202 /** 203 203 * ixgbevf_ipsec_parse_proto_keys - find the key and salt based on the protocol 204 + * @dev: pointer to net device to program 204 205 * @xs: pointer to xfrm_state struct 205 206 * @mykey: pointer to key array to populate 206 207 * @mysalt: pointer to salt value to populate ··· 209 208 * This copies the protocol keys and salt to our own data tables. The 210 209 * 82599 family only supports the one algorithm. 211 210 **/ 212 - static int ixgbevf_ipsec_parse_proto_keys(struct xfrm_state *xs, 211 + static int ixgbevf_ipsec_parse_proto_keys(struct net_device *dev, 212 + struct xfrm_state *xs, 213 213 u32 *mykey, u32 *mysalt) 214 214 { 215 - struct net_device *dev = xs->xso.real_dev; 216 215 unsigned char *key_data; 217 216 char *alg_name = NULL; 218 217 int key_len; ··· 257 256 258 257 /** 259 258 * ixgbevf_ipsec_add_sa - program device with a security association 259 + * @dev: pointer to net device to program 260 260 * @xs: pointer to transformer state struct 261 261 * @extack: extack point to fill failure reason 262 262 **/ 263 - static int ixgbevf_ipsec_add_sa(struct xfrm_state *xs, 263 + static int ixgbevf_ipsec_add_sa(struct net_device *dev, 264 + struct xfrm_state *xs, 264 265 struct netlink_ext_ack *extack) 265 266 { 266 - struct net_device *dev = xs->xso.real_dev; 267 267 struct ixgbevf_adapter *adapter; 268 268 struct ixgbevf_ipsec *ipsec; 269 269 u16 sa_idx; ··· 312 310 rsa.decrypt = xs->ealg || xs->aead; 313 311 314 312 /* get the key and salt */ 315 - ret = ixgbevf_ipsec_parse_proto_keys(xs, rsa.key, &rsa.salt); 313 + ret = ixgbevf_ipsec_parse_proto_keys(dev, xs, rsa.key, 314 + &rsa.salt); 316 315 if (ret) { 317 316 NL_SET_ERR_MSG_MOD(extack, "Failed to get key data for Rx SA table"); 318 317 return ret; ··· 366 363 if (xs->id.proto & IPPROTO_ESP) 367 364 tsa.encrypt = xs->ealg || xs->aead; 368 365 369 - ret = ixgbevf_ipsec_parse_proto_keys(xs, tsa.key, &tsa.salt); 366 + ret = ixgbevf_ipsec_parse_proto_keys(dev, xs, tsa.key, 
367 + &tsa.salt); 370 368 if (ret) { 371 369 NL_SET_ERR_MSG_MOD(extack, "Failed to get key data for Tx SA table"); 372 370 memset(&tsa, 0, sizeof(tsa)); ··· 392 388 393 389 /** 394 390 * ixgbevf_ipsec_del_sa - clear out this specific SA 391 + * @dev: pointer to net device to program 395 392 * @xs: pointer to transformer state struct 396 393 **/ 397 - static void ixgbevf_ipsec_del_sa(struct xfrm_state *xs) 394 + static void ixgbevf_ipsec_del_sa(struct net_device *dev, 395 + struct xfrm_state *xs) 398 396 { 399 - struct net_device *dev = xs->xso.real_dev; 400 397 struct ixgbevf_adapter *adapter; 401 398 struct ixgbevf_ipsec *ipsec; 402 399 u16 sa_idx;
+9 -9
drivers/net/ethernet/marvell/octeontx2/nic/cn10k_ipsec.c
··· 663 663 return -EOPNOTSUPP; 664 664 } 665 665 666 - static int cn10k_ipsec_outb_add_state(struct xfrm_state *x, 666 + static int cn10k_ipsec_outb_add_state(struct net_device *dev, 667 + struct xfrm_state *x, 667 668 struct netlink_ext_ack *extack) 668 669 { 669 - struct net_device *netdev = x->xso.dev; 670 670 struct cn10k_tx_sa_s *sa_entry; 671 671 struct qmem *sa_info; 672 672 struct otx2_nic *pf; ··· 676 676 if (err) 677 677 return err; 678 678 679 - pf = netdev_priv(netdev); 679 + pf = netdev_priv(dev); 680 680 681 681 err = qmem_alloc(pf->dev, &sa_info, pf->ipsec.sa_size, OTX2_ALIGN); 682 682 if (err) ··· 700 700 return 0; 701 701 } 702 702 703 - static int cn10k_ipsec_add_state(struct xfrm_state *x, 703 + static int cn10k_ipsec_add_state(struct net_device *dev, 704 + struct xfrm_state *x, 704 705 struct netlink_ext_ack *extack) 705 706 { 706 707 if (x->xso.dir == XFRM_DEV_OFFLOAD_IN) 707 708 return cn10k_ipsec_inb_add_state(x, extack); 708 709 else 709 - return cn10k_ipsec_outb_add_state(x, extack); 710 + return cn10k_ipsec_outb_add_state(dev, x, extack); 710 711 } 711 712 712 - static void cn10k_ipsec_del_state(struct xfrm_state *x) 713 + static void cn10k_ipsec_del_state(struct net_device *dev, struct xfrm_state *x) 713 714 { 714 - struct net_device *netdev = x->xso.dev; 715 715 struct cn10k_tx_sa_s *sa_entry; 716 716 struct qmem *sa_info; 717 717 struct otx2_nic *pf; ··· 720 720 if (x->xso.dir == XFRM_DEV_OFFLOAD_IN) 721 721 return; 722 722 723 - pf = netdev_priv(netdev); 723 + pf = netdev_priv(dev); 724 724 725 725 sa_info = (struct qmem *)x->xso.offload_handle; 726 726 sa_entry = (struct cn10k_tx_sa_s *)sa_info->base; ··· 732 732 733 733 err = cn10k_outb_write_sa(pf, sa_info); 734 734 if (err) 735 - netdev_err(netdev, "Error (%d) deleting SA\n", err); 735 + netdev_err(dev, "Error (%d) deleting SA\n", err); 736 736 737 737 x->xso.offload_handle = 0; 738 738 qmem_free(pf->dev, sa_info);
+11 -17
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
··· 259 259 struct mlx5_accel_esp_xfrm_attrs *attrs) 260 260 { 261 261 struct mlx5_core_dev *mdev = mlx5e_ipsec_sa2dev(sa_entry); 262 - struct xfrm_state *x = sa_entry->x; 263 - struct net_device *netdev; 262 + struct net_device *netdev = sa_entry->dev; 264 263 struct neighbour *n; 265 264 u8 addr[ETH_ALEN]; 266 265 const void *pkey; ··· 268 269 if (attrs->mode != XFRM_MODE_TUNNEL || 269 270 attrs->type != XFRM_DEV_OFFLOAD_PACKET) 270 271 return; 271 - 272 - netdev = x->xso.real_dev; 273 272 274 273 mlx5_query_mac_address(mdev, addr); 275 274 switch (attrs->dir) { ··· 689 692 return 0; 690 693 } 691 694 692 - static int mlx5e_xfrm_add_state(struct xfrm_state *x, 695 + static int mlx5e_xfrm_add_state(struct net_device *dev, 696 + struct xfrm_state *x, 693 697 struct netlink_ext_ack *extack) 694 698 { 695 699 struct mlx5e_ipsec_sa_entry *sa_entry = NULL; 696 - struct net_device *netdev = x->xso.real_dev; 697 700 struct mlx5e_ipsec *ipsec; 698 701 struct mlx5e_priv *priv; 699 702 gfp_t gfp; 700 703 int err; 701 704 702 - priv = netdev_priv(netdev); 705 + priv = netdev_priv(dev); 703 706 if (!priv->ipsec) 704 707 return -EOPNOTSUPP; 705 708 ··· 710 713 return -ENOMEM; 711 714 712 715 sa_entry->x = x; 716 + sa_entry->dev = dev; 713 717 sa_entry->ipsec = ipsec; 714 718 /* Check if this SA is originated from acquire flow temporary SA */ 715 719 if (x->xso.flags & XFRM_DEV_OFFLOAD_FLAG_ACQ) ··· 807 809 return err; 808 810 } 809 811 810 - static void mlx5e_xfrm_del_state(struct xfrm_state *x) 812 + static void mlx5e_xfrm_del_state(struct net_device *dev, struct xfrm_state *x) 811 813 { 812 814 struct mlx5e_ipsec_sa_entry *sa_entry = to_ipsec_sa_entry(x); 813 815 struct mlx5e_ipsec *ipsec = sa_entry->ipsec; ··· 820 822 WARN_ON(old != sa_entry); 821 823 } 822 824 823 - static void mlx5e_xfrm_free_state(struct xfrm_state *x) 825 + static void mlx5e_xfrm_free_state(struct net_device *dev, struct xfrm_state *x) 824 826 { 825 827 struct mlx5e_ipsec_sa_entry *sa_entry = 
to_ipsec_sa_entry(x); 826 828 struct mlx5e_ipsec *ipsec = sa_entry->ipsec; ··· 853 855 struct mlx5e_ipsec_sa_entry *sa_entry; 854 856 struct mlx5e_ipsec *ipsec; 855 857 struct neighbour *n = ptr; 856 - struct net_device *netdev; 857 - struct xfrm_state *x; 858 858 unsigned long idx; 859 859 860 860 if (event != NETEVENT_NEIGH_UPDATE || !(n->nud_state & NUD_VALID)) ··· 872 876 continue; 873 877 } 874 878 875 - x = sa_entry->x; 876 - netdev = x->xso.real_dev; 877 879 data = sa_entry->work->data; 878 880 879 - neigh_ha_snapshot(data->addr, n, netdev); 881 + neigh_ha_snapshot(data->addr, n, sa_entry->dev); 880 882 queue_work(ipsec->wq, &sa_entry->work->work); 881 883 } 882 884 ··· 990 996 size_t headers; 991 997 992 998 lockdep_assert(lockdep_is_held(&x->lock) || 993 - lockdep_is_held(&dev_net(x->xso.real_dev)->xfrm.xfrm_cfg_mutex) || 994 - lockdep_is_held(&dev_net(x->xso.real_dev)->xfrm.xfrm_state_lock)); 999 + lockdep_is_held(&net->xfrm.xfrm_cfg_mutex) || 1000 + lockdep_is_held(&net->xfrm.xfrm_state_lock)); 995 1001 996 1002 if (x->xso.flags & XFRM_DEV_OFFLOAD_FLAG_ACQ) 997 1003 return; ··· 1164 1170 static int mlx5e_xfrm_add_policy(struct xfrm_policy *x, 1165 1171 struct netlink_ext_ack *extack) 1166 1172 { 1167 - struct net_device *netdev = x->xdo.real_dev; 1173 + struct net_device *netdev = x->xdo.dev; 1168 1174 struct mlx5e_ipsec_pol_entry *pol_entry; 1169 1175 struct mlx5e_priv *priv; 1170 1176 int err;
+1
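--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
@@ -274,6 +274,7 @@
 struct mlx5e_ipsec_sa_entry {
 	struct mlx5e_ipsec_esn_state esn_state;
 	struct xfrm_state *x;
+	struct net_device *dev;
 	struct mlx5e_ipsec *ipsec;
 	struct mlx5_accel_esp_xfrm_attrs attrs;
 	void (*set_iv_op)(struct sk_buff *skb, struct xfrm_state *x,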
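Review bot: The new `dev` member is a raw pointer with no netdev tracker, and the ipsec.c hunks that set it (`sa_entry->dev = dev;` in mlx5e_xfrm_add_state) and read it (neigh_ha_snapshot() in the netevent handler) never take a reference, so its lifetime is implicitly tied to the caller invoking .xdo_dev_state_free() before the underlying device goes away. That is presumably guaranteed by the bonding changes in this same series, but the struct gives no hint of it. Please document the contract on the field, e.g. `/* Device passed to .xdo_dev_state_add(); no reference is held, it stays valid until .xdo_dev_state_free() — may differ from x->xso.dev under bonding. */`.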
+5 -6
drivers/net/ethernet/netronome/nfp/crypto/ipsec.c
··· 266 266 } 267 267 } 268 268 269 - static int nfp_net_xfrm_add_state(struct xfrm_state *x, 269 + static int nfp_net_xfrm_add_state(struct net_device *dev, 270 + struct xfrm_state *x, 270 271 struct netlink_ext_ack *extack) 271 272 { 272 - struct net_device *netdev = x->xso.real_dev; 273 273 struct nfp_ipsec_cfg_mssg msg = {}; 274 274 int i, key_len, trunc_len, err = 0; 275 275 struct nfp_ipsec_cfg_add_sa *cfg; 276 276 struct nfp_net *nn; 277 277 unsigned int saidx; 278 278 279 - nn = netdev_priv(netdev); 279 + nn = netdev_priv(dev); 280 280 cfg = &msg.cfg_add_sa; 281 281 282 282 /* General */ ··· 546 546 return 0; 547 547 } 548 548 549 - static void nfp_net_xfrm_del_state(struct xfrm_state *x) 549 + static void nfp_net_xfrm_del_state(struct net_device *dev, struct xfrm_state *x) 550 550 { 551 551 struct nfp_ipsec_cfg_mssg msg = { 552 552 .cmd = NFP_IPSEC_CFG_MSSG_INV_SA, 553 553 .sa_idx = x->xso.offload_handle - 1, 554 554 }; 555 - struct net_device *netdev = x->xso.real_dev; 556 555 struct nfp_net *nn; 557 556 int err; 558 557 559 - nn = netdev_priv(netdev); 558 + nn = netdev_priv(dev); 560 559 err = nfp_net_sched_mbox_amsg_work(nn, NFP_NET_CFG_MBOX_CMD_IPSEC, &msg, 561 560 sizeof(msg), nfp_net_ipsec_cfg); 562 561 if (err)
+7 -8
drivers/net/netdevsim/ipsec.c
··· 85 85 return -ENOSPC; 86 86 } 87 87 88 - static int nsim_ipsec_parse_proto_keys(struct xfrm_state *xs, 88 + static int nsim_ipsec_parse_proto_keys(struct net_device *dev, 89 + struct xfrm_state *xs, 89 90 u32 *mykey, u32 *mysalt) 90 91 { 91 92 const char aes_gcm_name[] = "rfc4106(gcm(aes))"; 92 - struct net_device *dev = xs->xso.real_dev; 93 93 unsigned char *key_data; 94 94 char *alg_name = NULL; 95 95 int key_len; ··· 129 129 return 0; 130 130 } 131 131 132 - static int nsim_ipsec_add_sa(struct xfrm_state *xs, 132 + static int nsim_ipsec_add_sa(struct net_device *dev, 133 + struct xfrm_state *xs, 133 134 struct netlink_ext_ack *extack) 134 135 { 135 136 struct nsim_ipsec *ipsec; 136 - struct net_device *dev; 137 137 struct netdevsim *ns; 138 138 struct nsim_sa sa; 139 139 u16 sa_idx; 140 140 int ret; 141 141 142 - dev = xs->xso.real_dev; 143 142 ns = netdev_priv(dev); 144 143 ipsec = &ns->ipsec; 145 144 ··· 173 174 sa.crypt = xs->ealg || xs->aead; 174 175 175 176 /* get the key and salt */ 176 - ret = nsim_ipsec_parse_proto_keys(xs, sa.key, &sa.salt); 177 + ret = nsim_ipsec_parse_proto_keys(dev, xs, sa.key, &sa.salt); 177 178 if (ret) { 178 179 NL_SET_ERR_MSG_MOD(extack, "Failed to get key data for SA table"); 179 180 return ret; ··· 199 200 return 0; 200 201 } 201 202 202 - static void nsim_ipsec_del_sa(struct xfrm_state *xs) 203 + static void nsim_ipsec_del_sa(struct net_device *dev, struct xfrm_state *xs) 203 204 { 204 - struct netdevsim *ns = netdev_priv(xs->xso.real_dev); 205 + struct netdevsim *ns = netdev_priv(dev); 205 206 struct nsim_ipsec *ipsec = &ns->ipsec; 206 207 u16 sa_idx; 207 208
+7 -3
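--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -1013,9 +1013,13 @@
 
 #ifdef CONFIG_XFRM_OFFLOAD
 struct xfrmdev_ops {
-	int (*xdo_dev_state_add) (struct xfrm_state *x, struct netlink_ext_ack *extack);
-	void (*xdo_dev_state_delete) (struct xfrm_state *x);
-	void (*xdo_dev_state_free) (struct xfrm_state *x);
+	int (*xdo_dev_state_add)(struct net_device *dev,
+				 struct xfrm_state *x,
+				 struct netlink_ext_ack *extack);
+	void (*xdo_dev_state_delete)(struct net_device *dev,
+				     struct xfrm_state *x);
+	void (*xdo_dev_state_free)(struct net_device *dev,
+				   struct xfrm_state *x);
 	bool (*xdo_dev_offload_ok) (struct sk_buff *skb,
 				    struct xfrm_state *x);
 	void (*xdo_dev_state_advance_esn) (struct xfrm_state *x);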
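Review bot: The three callbacks gain a `struct net_device *dev` parameter but nothing in this header says which device it is, and drivers converted in this series clearly differ in how they treat it (most use it for netdev_priv(), the bonding driver passes its slave rather than `x->xso.dev`). The explanation only lives in the comment added to `struct xfrm_dev_offload` in include/net/xfrm.h, which a driver author looking at the ops table will not see. A short comment above the three members would close that gap, e.g. `/* @dev: the device to program for this state; use it instead of x->xso.dev, which may be a stacked (e.g. bonding) device. */`. The same applies to the mirrored snippet in Documentation/networking/xfrm_device.rst.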
+17 -2
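--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -147,8 +147,19 @@
 };
 
 struct xfrm_dev_offload {
+	/* The device for this offload.
+	 * Device drivers should not use this directly, as that will prevent
+	 * them from working with bonding device. Instead, the device passed
+	 * to the add/delete callbacks should be used.
+	 */
 	struct net_device *dev;
 	netdevice_tracker dev_tracker;
+	/* This is a private pointer used by the bonding driver (and eventually
+	 * should be moved there). Device drivers should not use it.
+	 * Protected by xfrm_state.lock AND bond.ipsec_lock in most cases,
+	 * except in the .xdo_dev_state_del() flow, where only xfrm_state.lock
+	 * is held.
+	 */
 	struct net_device *real_dev;
 	unsigned long offload_handle;
 	u8 dir : 2;
@@ -1903,10 +1892,14 @@
 				 u32 if_id);
 struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
 				      struct xfrm_migrate *m,
-				      struct xfrm_encap_tmpl *encap);
+				      struct xfrm_encap_tmpl *encap,
+				      struct net *net,
+				      struct xfrm_user_offload *xuo,
+				      struct netlink_ext_ack *extack);
 int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 		 struct xfrm_migrate *m, int num_bundles,
 		 struct xfrm_kmaddress *k, struct net *net,
 		 struct xfrm_encap_tmpl *encap, u32 if_id,
-		 struct netlink_ext_ack *extack);
+		 struct netlink_ext_ack *extack,
+		 struct xfrm_user_offload *xuo);
 #endif
 
 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);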
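Review bot: The new comment on `real_dev` refers to the `.xdo_dev_state_del()` flow, but the callback declared in include/linux/netdevice.h (and changed in this same commit) is `xdo_dev_state_delete`; a reader grepping for the named flow will not find it, so the comment should say `.xdo_dev_state_delete()`. The locking sentence would also be clearer if it spelled out which side needs which lock, since "in most cases" leaves a writer unsure whether bond.ipsec_lock alone is enough — something like `Writers hold both xfrm_state.lock and bond.ipsec_lock; .xdo_dev_state_delete() runs with only xfrm_state.lock held.` if that is indeed the rule the bonding hunks implement. Minor wording in the `dev` comment: `working with bonding device` reads better as `working with a bonding device`.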
+1 -1
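--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2630,7 +2630,7 @@
 	}
 
 	return xfrm_migrate(&sel, dir, XFRM_POLICY_TYPE_MAIN, m, i,
-			    kma ? &k : NULL, net, NULL, 0, NULL);
+			    kma ? &k : NULL, net, NULL, 0, NULL, NULL);
 
 out:
 	return err;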
+7 -11
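--- a/net/xfrm/xfrm_device.c
+++ b/net/xfrm/xfrm_device.c
@@ -145,10 +145,6 @@
 		return NULL;
 	}
 
-	/* This skb was already validated on the upper/virtual dev */
-	if ((x->xso.dev != dev) && (x->xso.real_dev == dev))
-		return skb;
-
 	local_irq_save(flags);
 	sd = this_cpu_ptr(&softnet_data);
 	err = !skb_queue_empty(&sd->xfrm_backlog);
@@ -159,8 +155,7 @@
 		return skb;
 	}
 
-	if (skb_is_gso(skb) && (unlikely(x->xso.dev != dev) ||
-			       unlikely(xmit_xfrm_check_overflow(skb)))) {
+	if (skb_is_gso(skb) && unlikely(xmit_xfrm_check_overflow(skb))) {
 		struct sk_buff *segs;
 
 		/* Packet got rerouted, fixup features and segment it. */
@@ -256,6 +251,11 @@
 		return -EINVAL;
 	}
 
+	if (xuo->flags & XFRM_OFFLOAD_INBOUND && x->if_id) {
+		NL_SET_ERR_MSG(extack, "XFRM if_id is not supported in RX path");
+		return -EINVAL;
+	}
+
 	is_packet_offload = xuo->flags & XFRM_OFFLOAD_PACKET;
 
 	/* We don't yet support TFC padding. */
@@ -314,7 +314,6 @@
 
 	xso->dev = dev;
 	netdev_tracker_alloc(dev, &xso->dev_tracker, GFP_ATOMIC);
-	xso->real_dev = dev;
 
 	if (xuo->flags & XFRM_OFFLOAD_INBOUND)
 		xso->dir = XFRM_DEV_OFFLOAD_IN;
@@ -326,11 +325,10 @@
 	else
 		xso->type = XFRM_DEV_OFFLOAD_CRYPTO;
 
-	err = dev->xfrmdev_ops->xdo_dev_state_add(x, extack);
+	err = dev->xfrmdev_ops->xdo_dev_state_add(dev, x, extack);
 	if (err) {
 		xso->dev = NULL;
 		xso->dir = 0;
-		xso->real_dev = NULL;
 		netdev_put(dev, &xso->dev_tracker);
 		xso->type = XFRM_DEV_OFFLOAD_UNSPECIFIED;
 
@@ -378,7 +376,6 @@
 
 	xdo->dev = dev;
 	netdev_tracker_alloc(dev, &xdo->dev_tracker, GFP_ATOMIC);
-	xdo->real_dev = dev;
 	xdo->type = XFRM_DEV_OFFLOAD_PACKET;
 	switch (dir) {
 	case XFRM_POLICY_IN:
@@ -400,7 +397,6 @@
 	err = dev->xfrmdev_ops->xdo_dev_policy_add(xp, extack);
 	if (err) {
 		xdo->dev = NULL;
-		xdo->real_dev = NULL;
 		xdo->type = XFRM_DEV_OFFLOAD_UNSPECIFIED;
 		xdo->dir = 0;
 		netdev_put(dev, &xdo->dev_tracker);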
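Review bot: The new if_id guard in xfrm_dev_state_add mixes a bitwise test with `&&` and no parentheses, `if (xuo->flags & XFRM_OFFLOAD_INBOUND && x->if_id) {`; it parses as intended because `&` binds tighter than `&&`, but the usual kernel form `if ((xuo->flags & XFRM_OFFLOAD_INBOUND) && x->if_id) {` makes that explicit and keeps -Wparentheses-style reviewers quiet. Since xfrm_dev_state_add is now also called from xfrm_state_migrate (see the xfrm_state.c section), the same rejection applies when an if_id-bound inbound SA is migrated onto hardware, and the extack text "XFRM if_id is not supported in RX path" does not tell userspace that the state's existing if_id is the cause; appending "(state has if_id set)" or similar would make that clear. xfrm_dev_state_add's body begins and ends outside this hunk.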
+2 -2
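--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -4633,7 +4633,7 @@
 		 struct xfrm_migrate *m, int num_migrate,
 		 struct xfrm_kmaddress *k, struct net *net,
 		 struct xfrm_encap_tmpl *encap, u32 if_id,
-		 struct netlink_ext_ack *extack)
+		 struct netlink_ext_ack *extack, struct xfrm_user_offload *xuo)
 {
 	int i, err, nx_cur = 0, nx_new = 0;
 	struct xfrm_policy *pol = NULL;
@@ -4666,7 +4666,7 @@
 		if ((x = xfrm_migrate_state_find(mp, net, if_id))) {
 			x_cur[nx_cur] = x;
 			nx_cur++;
-			xc = xfrm_state_migrate(x, mp, encap);
+			xc = xfrm_state_migrate(x, mp, encap, net, xuo, extack);
 			if (xc) {
 				x_new[nx_new] = xc;
 				nx_new++;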
+27 -19
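--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -599,9 +599,9 @@
 		x->mode_cbs->destroy_state(x);
 	hrtimer_cancel(&x->mtimer);
 	timer_delete_sync(&x->rtimer);
-	kfree(x->aead);
-	kfree(x->aalg);
-	kfree(x->ealg);
+	kfree_sensitive(x->aead);
+	kfree_sensitive(x->aalg);
+	kfree_sensitive(x->ealg);
 	kfree(x->calg);
 	kfree(x->encap);
 	kfree(x->coaddr);
@@ -767,7 +767,7 @@
 	struct net_device *dev = READ_ONCE(xso->dev);
 
 	if (dev) {
-		dev->xfrmdev_ops->xdo_dev_state_delete(x);
+		dev->xfrmdev_ops->xdo_dev_state_delete(dev, x);
 		spin_lock_bh(&xfrm_state_dev_gc_lock);
 		hlist_add_head(&x->dev_gclist, &xfrm_state_dev_gc_list);
 		spin_unlock_bh(&xfrm_state_dev_gc_lock);
@@ -789,7 +789,7 @@
 	spin_unlock_bh(&xfrm_state_dev_gc_lock);
 
 	if (dev->xfrmdev_ops->xdo_dev_state_free)
-		dev->xfrmdev_ops->xdo_dev_state_free(x);
+		dev->xfrmdev_ops->xdo_dev_state_free(dev, x);
 	WRITE_ONCE(xso->dev, NULL);
 	xso->type = XFRM_DEV_OFFLOAD_UNSPECIFIED;
 	netdev_put(dev, &xso->dev_tracker);
@@ -1548,19 +1548,19 @@
 		if (pol->xdo.type == XFRM_DEV_OFFLOAD_PACKET) {
 			struct xfrm_dev_offload *xdo = &pol->xdo;
 			struct xfrm_dev_offload *xso = &x->xso;
+			struct net_device *dev = xdo->dev;
 
 			xso->type = XFRM_DEV_OFFLOAD_PACKET;
 			xso->dir = xdo->dir;
-			xso->dev = xdo->dev;
-			xso->real_dev = xdo->real_dev;
+			xso->dev = dev;
 			xso->flags = XFRM_DEV_OFFLOAD_FLAG_ACQ;
-			netdev_hold(xso->dev, &xso->dev_tracker, GFP_ATOMIC);
-			error = xso->dev->xfrmdev_ops->xdo_dev_state_add(x, NULL);
+			netdev_hold(dev, &xso->dev_tracker, GFP_ATOMIC);
+			error = dev->xfrmdev_ops->xdo_dev_state_add(dev, x,
+								    NULL);
 			if (error) {
 				xso->dir = 0;
-				netdev_put(xso->dev, &xso->dev_tracker);
+				netdev_put(dev, &xso->dev_tracker);
 				xso->dev = NULL;
-				xso->real_dev = NULL;
 				xso->type = XFRM_DEV_OFFLOAD_UNSPECIFIED;
 				x->km.state = XFRM_STATE_DEAD;
 				to_put = x;
@@ -1958,8 +1958,9 @@
 	return 0;
 }
 
-static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig,
-					   struct xfrm_encap_tmpl *encap)
+static struct xfrm_state *xfrm_state_clone_and_setup(struct xfrm_state *orig,
+						     struct xfrm_encap_tmpl *encap,
+						     struct xfrm_migrate *m)
 {
 	struct net *net = xs_net(orig);
 	struct xfrm_state *x = xfrm_state_alloc(net);
@@ -2058,6 +2059,11 @@
 			goto error;
 	}
 
+
+	x->props.family = m->new_family;
+	memcpy(&x->id.daddr, &m->new_daddr, sizeof(x->id.daddr));
+	memcpy(&x->props.saddr, &m->new_saddr, sizeof(x->props.saddr));
+
 	return x;
 
 error:
@@ -2120,21 +2126,23 @@
 
 struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
 				      struct xfrm_migrate *m,
-				      struct xfrm_encap_tmpl *encap)
+				      struct xfrm_encap_tmpl *encap,
+				      struct net *net,
+				      struct xfrm_user_offload *xuo,
+				      struct netlink_ext_ack *extack)
 {
 	struct xfrm_state *xc;
 
-	xc = xfrm_state_clone(x, encap);
+	xc = xfrm_state_clone_and_setup(x, encap, m);
 	if (!xc)
 		return NULL;
-
-	xc->props.family = m->new_family;
 
 	if (xfrm_init_state(xc) < 0)
 		goto error;
 
-	memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr));
-	memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr));
+	/* configure the hardware if offload is requested */
+	if (xuo && xfrm_dev_state_add(net, xc, xuo, extack))
+		goto error;
 
 	/* add state */
 	if (xfrm_addr_equal(&x->id.daddr, &m->new_daddr, m->new_family)) {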
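Review bot: xfrm_state_clone_and_setup now has two consecutive blank lines before the new assignments — the existing empty line after the closing brace plus the one this hunk adds — which checkpatch reports as multiple blank lines; dropping the added empty line leaves `}` / blank / `x->props.family = m->new_family;`. The rename also leaves "setup" undocumented, so a comment above the three assignments along the lines of `/* Rewrite the clone with the migration's new family and endpoints before xfrm_state_migrate() runs xfrm_init_state() on it. */` would record that the addresses are now applied before init rather than after, as the old xfrm_state_migrate did. The helper's signature sits at a hunk boundary and its body runs outside the hunk, so the position of the pre-existing blank line is read from the context lines only.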
+59 -18
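--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -178,11 +178,27 @@
 				       "Replay seq and seq_hi should be 0 for output SA");
 			return -EINVAL;
 		}
-		if (rs->oseq_hi && !(p->flags & XFRM_STATE_ESN)) {
-			NL_SET_ERR_MSG(
-				extack,
-				"Replay oseq_hi should be 0 in non-ESN mode for output SA");
-			return -EINVAL;
+
+		if (!(p->flags & XFRM_STATE_ESN)) {
+			if (rs->oseq_hi) {
+				NL_SET_ERR_MSG(
+					extack,
+					"Replay oseq_hi should be 0 in non-ESN mode for output SA");
+				return -EINVAL;
+			}
+			if (rs->oseq == U32_MAX) {
+				NL_SET_ERR_MSG(
+					extack,
+					"Replay oseq should be less than 0xFFFFFFFF in non-ESN mode for output SA");
+				return -EINVAL;
+			}
+		} else {
+			if (rs->oseq == U32_MAX && rs->oseq_hi == U32_MAX) {
+				NL_SET_ERR_MSG(
+					extack,
+					"Replay oseq and oseq_hi should be less than 0xFFFFFFFF for output SA");
+				return -EINVAL;
+			}
 		}
 		if (rs->bmp_len) {
 			NL_SET_ERR_MSG(extack, "Replay bmp_len should 0 for output SA");
@@ -196,11 +212,27 @@
 				       "Replay oseq and oseq_hi should be 0 for input SA");
 			return -EINVAL;
 		}
-		if (rs->seq_hi && !(p->flags & XFRM_STATE_ESN)) {
-			NL_SET_ERR_MSG(
-				extack,
-				"Replay seq_hi should be 0 in non-ESN mode for input SA");
-			return -EINVAL;
+		if (!(p->flags & XFRM_STATE_ESN)) {
+			if (rs->seq_hi) {
+				NL_SET_ERR_MSG(
+					extack,
+					"Replay seq_hi should be 0 in non-ESN mode for input SA");
+				return -EINVAL;
+			}
+
+			if (rs->seq == U32_MAX) {
+				NL_SET_ERR_MSG(
+					extack,
+					"Replay seq should be less than 0xFFFFFFFF in non-ESN mode for input SA");
+				return -EINVAL;
+			}
+		} else {
+			if (rs->seq == U32_MAX && rs->seq_hi == U32_MAX) {
+				NL_SET_ERR_MSG(
+					extack,
+					"Replay seq and seq_hi should be less than 0xFFFFFFFF for input SA");
+				return -EINVAL;
+			}
 		}
 	}
 
@@ -1173,7 +1205,7 @@
 	if (!nla)
 		return -EMSGSIZE;
 	algo = nla_data(nla);
-	strscpy_pad(algo->alg_name, auth->alg_name, sizeof(algo->alg_name));
+	strscpy_pad(algo->alg_name, auth->alg_name);
 
 	if (redact_secret && auth->alg_key_len)
 		memset(algo->alg_key, 0, (auth->alg_key_len + 7) / 8);
@@ -1186,7 +1218,7 @@
 	if (!nla)
 		return -EMSGSIZE;
 	ap = nla_data(nla);
-	strscpy_pad(ap->alg_name, auth->alg_name, sizeof(ap->alg_name));
+	strscpy_pad(ap->alg_name, auth->alg_name);
 	ap->alg_key_len = auth->alg_key_len;
 	ap->alg_trunc_len = auth->alg_trunc_len;
 	if (redact_secret && auth->alg_key_len)
@@ -1207,7 +1239,7 @@
 		return -EMSGSIZE;
 
 	ap = nla_data(nla);
-	strscpy_pad(ap->alg_name, aead->alg_name, sizeof(ap->alg_name));
+	strscpy_pad(ap->alg_name, aead->alg_name);
 	ap->alg_key_len = aead->alg_key_len;
 	ap->alg_icv_len = aead->alg_icv_len;
 
@@ -1229,7 +1261,7 @@
 		return -EMSGSIZE;
 
 	ap = nla_data(nla);
-	strscpy_pad(ap->alg_name, ealg->alg_name, sizeof(ap->alg_name));
+	strscpy_pad(ap->alg_name, ealg->alg_name);
 	ap->alg_key_len = ealg->alg_key_len;
 
 	if (redact_secret && ealg->alg_key_len)
@@ -1250,7 +1282,7 @@
 		return -EMSGSIZE;
 
 	ap = nla_data(nla);
-	strscpy_pad(ap->alg_name, calg->alg_name, sizeof(ap->alg_name));
+	strscpy_pad(ap->alg_name, calg->alg_name);
 	ap->alg_key_len = 0;
 
 	return 0;
@@ -3069,6 +3101,7 @@
 	int n = 0;
 	struct net *net = sock_net(skb->sk);
 	struct xfrm_encap_tmpl *encap = NULL;
+	struct xfrm_user_offload *xuo = NULL;
 	u32 if_id = 0;
 
 	if (!attrs[XFRMA_MIGRATE]) {
@@ -3099,11 +3132,19 @@
 	if (attrs[XFRMA_IF_ID])
 		if_id = nla_get_u32(attrs[XFRMA_IF_ID]);
 
+	if (attrs[XFRMA_OFFLOAD_DEV]) {
+		xuo = kmemdup(nla_data(attrs[XFRMA_OFFLOAD_DEV]),
+			      sizeof(*xuo), GFP_KERNEL);
+		if (!xuo) {
+			err = -ENOMEM;
+			goto error;
+		}
+	}
 	err = xfrm_migrate(&pi->sel, pi->dir, type, m, n, kmp, net, encap,
-			   if_id, extack);
-
+			   if_id, extack, xuo);
+error:
 	kfree(encap);
-
+	kfree(xuo);
 	return err;
 }
 #else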
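Review bot: xfrm_do_migrate copies the XFRMA_OFFLOAD_DEV payload with kmemdup() only to hand it to xfrm_migrate() and free it on return, while `attrs[]` stays valid for the whole handler; pointing at the attribute directly, `xuo = nla_data(attrs[XFRMA_OFFLOAD_DEV]);`, removes the allocation, the -ENOMEM branch, the new `error:` label and the `kfree(xuo)`. Either way, reading `sizeof(*xuo)` bytes from the attribute is only safe if the netlink policy bounds XFRMA_OFFLOAD_DEV to at least sizeof(struct xfrm_user_offload); that policy entry is not part of this diff, so it is worth confirming rather than assuming, since a too-short attribute from userspace would otherwise be read past its end. In the replay hunks at the top, the non-ESN/ESN limit checks are duplicated for the output and input branches with only `oseq`/`seq` and the message wording differing; a small static helper taking the two counters and the SA-direction string would keep the four error messages from drifting apart.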