
net: skbuff: generalize the skb->decrypted bit

The ->decrypted bit can be reused for other crypto protocols.
Remove the direct dependency on TLS, add helpers to clean up
the ifdefs leaking out everywhere.

Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Jakub Kicinski and committed by
David S. Miller
9f06f87f 0d875bb4

+24 -24
+12 -3
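--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -992,7 +992,7 @@
 #ifdef CONFIG_NETFILTER_SKIP_EGRESS
 __u8 nf_skip_egress:1;
 #endif
-#ifdef CONFIG_TLS_DEVICE
+#ifdef CONFIG_SKB_DECRYPTED
 __u8 decrypted:1;
 #endif
 __u8 slow_gro:1;
@@ -1615,17 +1615,26 @@
 static inline int skb_cmp_decrypted(const struct sk_buff *skb1,
 const struct sk_buff *skb2)
 {
-#ifdef CONFIG_TLS_DEVICE
+#ifdef CONFIG_SKB_DECRYPTED
 return skb2->decrypted - skb1->decrypted;
 #else
 return 0;
 #endif
 }
 
+static inline bool skb_is_decrypted(const struct sk_buff *skb)
+{
+#ifdef CONFIG_SKB_DECRYPTED
+return skb->decrypted;
+#else
+return false;
+#endif
+}
+
 static inline void skb_copy_decrypted(struct sk_buff *to,
 const struct sk_buff *from)
 {
-#ifdef CONFIG_TLS_DEVICE
+#ifdef CONFIG_SKB_DECRYPTED
 to->decrypted = from->decrypted;
 #endif
 }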
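Review bot: The new `skb_is_decrypted()` helper and the `decrypted` bit it reads carry no comment saying what the flag means now that it is no longer tied to CONFIG_TLS_DEVICE. The callers touched by this commit treat it as a security marker: the transmit validation path drops a flagged skb that has no socket, and the TCP coalesce and GRO paths refuse to merge skbs whose flags differ. A short comment above the helper would make that contract visible to the next protocol that selects the symbol, for example `/* Payload is plaintext belonging to a crypto-protected flow: never merge with unflagged skbs or transmit without the owning socket's validation. */`, with the wording checked against the TLS offload documentation. It would also help to note that `skb_cmp_decrypted()` returns a signed difference rather than a bool.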
+1 -3
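--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -2835,12 +2835,10 @@
 
 if (sk && sk_fullsock(sk) && sk->sk_validate_xmit_skb) {
 skb = sk->sk_validate_xmit_skb(sk, dev, skb);
-#ifdef CONFIG_TLS_DEVICE
-} else if (unlikely(skb->decrypted)) {
+} else if (unlikely(skb_is_decrypted(skb))) {
 pr_warn_ratelimited("unencrypted skb with no associated socket - dropping\n");
 kfree_skb(skb);
 skb = NULL;
-#endif
 }
 #endif
 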
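Review bot: The plaintext-drop branch `} else if (unlikely(skb_is_decrypted(skb))) {` is still enclosed by an outer preprocessor block that ends at the `#endif` two lines further down. The opening directive and the start of the function are above the hunk, so the condition is presumably CONFIG_SOCK_VALIDATE_XMIT but that cannot be confirmed here. In this commit TLS_DEVICE is the only selector of SKB_DECRYPTED and it also selects SOCK_VALIDATE_XMIT, so behaviour is unchanged today. A later protocol that selects SKB_DECRYPTED alone would set the flag while this guard is compiled out, letting a flagged skb with no socket through to the device unchecked. Tying the two symbols together in net/Kconfig would close that gap, e.g. `select SOCK_VALIDATE_XMIT` under `config SKB_DECRYPTED`, or at least a comment there stating the requirement.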
+3
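--- a/net/Kconfig
+++ b/net/Kconfig
@@ -60,6 +60,9 @@
 config NET_REDIRECT
 bool
 
+config SKB_DECRYPTED
+bool
+
 config SKB_EXTENSIONS
 bool
 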
+2 -3
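--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2526,13 +2526,12 @@
 
 static bool can_skb_orphan_partial(const struct sk_buff *skb)
 {
-#ifdef CONFIG_TLS_DEVICE
 /* Drivers depend on in-order delivery for crypto offload,
 * partial orphan breaks out-of-order-OK logic.
 */
-if (skb->decrypted)
+if (skb_is_decrypted(skb))
 return false;
-#endif
+
 return (skb->destructor == sock_wfree ||
 (IS_ENABLED(CONFIG_INET) && skb->destructor == tcp_wfree));
 }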
+3 -9
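--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4805,10 +4805,8 @@
 if (!mptcp_skb_can_collapse(to, from))
 return false;
 
-#ifdef CONFIG_TLS_DEVICE
-if (from->decrypted != to->decrypted)
+if (skb_cmp_decrypted(from, to))
 return false;
-#endif
 
 if (!skb_try_coalesce(to, from, fragstolen, &delta))
 return false;
@@ -5375,9 +5377,7 @@
 break;
 
 memcpy(nskb->cb, skb->cb, sizeof(skb->cb));
-#ifdef CONFIG_TLS_DEVICE
-nskb->decrypted = skb->decrypted;
-#endif
+skb_copy_decrypted(nskb, skb);
 TCP_SKB_CB(nskb)->seq = TCP_SKB_CB(nskb)->end_seq = start;
 if (list)
 __skb_queue_before(list, skb, nskb);
@@ -5405,10 +5409,8 @@
 !mptcp_skb_can_collapse(nskb, skb) ||
 (TCP_SKB_CB(skb)->tcp_flags & (TCPHDR_SYN | TCPHDR_FIN)))
 goto end;
-#ifdef CONFIG_TLS_DEVICE
-if (skb->decrypted != nskb->decrypted)
+if (skb_cmp_decrypted(skb, nskb))
 goto end;
-#endif
 }
 }
 }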
+1 -3
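--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -2044,10 +2044,8 @@
 TCP_SKB_CB(skb)->tcp_flags) & TCPHDR_ACK) ||
 ((TCP_SKB_CB(tail)->tcp_flags ^
 TCP_SKB_CB(skb)->tcp_flags) & (TCPHDR_ECE | TCPHDR_CWR)) ||
-#ifdef CONFIG_TLS_DEVICE
-tail->decrypted != skb->decrypted ||
-#endif
 !mptcp_skb_can_collapse(tail, skb) ||
+skb_cmp_decrypted(tail, skb) ||
 thtail->doff != th->doff ||
 memcmp(thtail + 1, th + 1, hdrlen - sizeof(*th)))
 goto no_coalesce;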
+1 -3
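--- a/net/ipv4/tcp_offload.c
+++ b/net/ipv4/tcp_offload.c
@@ -265,9 +265,7 @@
 flush |= (len - 1) >= mss;
 
 flush |= (ntohl(th2->seq) + skb_gro_len(p)) ^ ntohl(th->seq);
-#ifdef CONFIG_TLS_DEVICE
-flush |= p->decrypted ^ skb->decrypted;
-#endif
+flush |= skb_cmp_decrypted(p, skb);
 
 if (flush || skb_gro_receive(p, skb)) {
 mss = 1;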
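Review bot: `flush |= skb_cmp_decrypted(p, skb);` ORs a signed difference into `flush`, where the removed line ORed the 0/1 result of an XOR. The helper returns `skb2->decrypted - skb1->decrypted`, so a mismatch in one direction yields -1 and sets every bit of `flush`. That is harmless as long as `flush` is only tested for non-zero, as in the `if (flush || skb_gro_receive(p, skb))` just below. The declaration of `flush` and any later use of its value are outside the hunk, so this cannot be confirmed here. Normalising keeps the old 0/1 behaviour and makes the intent explicit: `flush |= !!skb_cmp_decrypted(p, skb);`.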
+1
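--- a/net/tls/Kconfig
+++ b/net/tls/Kconfig
@@ -20,6 +20,7 @@
 config TLS_DEVICE
 bool "Transport Layer Security HW offload"
 depends on TLS
+select SKB_DECRYPTED
 select SOCK_VALIDATE_XMIT
 select SOCK_RX_QUEUE_MAPPING
 default n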