tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge branch 'nfp-tls-fixes-for-initial-TLS-support'

Jakub Kicinski says:

====================
nfp: tls: fixes for initial TLS support

This series brings various fixes to nfp tls offload recently added
to net-next.

First 4 patches revolve around device mailbox communication, trying
to make it more reliable. Next patch fixes statistical counter.
Patch 6 improves the TX resync if device communication failed.
Patch 7 makes sure we remove keys from memory after talking to FW.
Patch 8 adds missing tls context initialization, we fill in the
context information from various places based on the configuration
and looks like we missed the init in the case of where TX is
offloaded, but RX wasn't initialized yet. Patches 9 and 10 make
the nfp driver undo TLS state changes if we need to drop the
frame (e.g. due to DMA mapping error).

Last but not least TLS fallback should not adjust socket memory
after skb_orphan_partial(). This code will go away once we forbid
orphaning of skbs in need of crypto, but that's "real" -next
material, so lets do a quick fix.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

David S. Miller b14a260e 3cab2afb

+143 -50
+5 -3
drivers/net/ethernet/mellanox/mlx5/core/en_accel/tls.c
··· 160 160 direction == TLS_OFFLOAD_CTX_DIR_TX); 161 161 } 162 162 163 - static void mlx5e_tls_resync(struct net_device *netdev, struct sock *sk, 164 - u32 seq, u8 *rcd_sn_data, 165 - enum tls_offload_ctx_dir direction) 163 + static int mlx5e_tls_resync(struct net_device *netdev, struct sock *sk, 164 + u32 seq, u8 *rcd_sn_data, 165 + enum tls_offload_ctx_dir direction) 166 166 { 167 167 struct tls_context *tls_ctx = tls_get_ctx(sk); 168 168 struct mlx5e_priv *priv = netdev_priv(netdev); ··· 177 177 be64_to_cpu(rcd_sn)); 178 178 mlx5_accel_tls_resync_rx(priv->mdev, rx_ctx->handle, seq, rcd_sn); 179 179 atomic64_inc(&priv->tls->sw_stats.rx_tls_resync_reply); 180 + 181 + return 0; 180 182 } 181 183 182 184 static const struct tlsdev_ops mlx5e_tls_ops = {
+4
drivers/net/ethernet/netronome/nfp/ccm.h
··· 118 118 struct sk_buff * 119 119 nfp_ccm_mbox_msg_alloc(struct nfp_net *nn, unsigned int req_size, 120 120 unsigned int reply_size, gfp_t flags); 121 + int __nfp_ccm_mbox_communicate(struct nfp_net *nn, struct sk_buff *skb, 122 + enum nfp_ccm_type type, 123 + unsigned int reply_size, 124 + unsigned int max_reply_size, bool critical); 121 125 int nfp_ccm_mbox_communicate(struct nfp_net *nn, struct sk_buff *skb, 122 126 enum nfp_ccm_type type, 123 127 unsigned int reply_size,
+20 -11
drivers/net/ethernet/netronome/nfp/ccm_mbox.c
··· 13 13 * form a batch. Threads come in with CMSG formed in an skb, then 14 14 * enqueue that skb onto the request queue. If threads skb is first 15 15 * in queue this thread will handle the mailbox operation. It copies 16 - * up to 16 messages into the mailbox (making sure that both requests 16 + * up to 64 messages into the mailbox (making sure that both requests 17 17 * and replies will fit. After FW is done processing the batch it 18 18 * copies the data out and wakes waiting threads. 19 19 * If a thread is waiting it either gets its the message completed ··· 23 23 * to limit potential cache line bounces. 24 24 */ 25 25 26 - #define NFP_CCM_MBOX_BATCH_LIMIT 16 26 + #define NFP_CCM_MBOX_BATCH_LIMIT 64 27 27 #define NFP_CCM_TIMEOUT (NFP_NET_POLL_TIMEOUT * 1000) 28 - #define NFP_CCM_MAX_QLEN 256 28 + #define NFP_CCM_MAX_QLEN 1024 29 29 30 30 enum nfp_net_mbox_cmsg_state { 31 31 NFP_NET_MBOX_CMSG_STATE_QUEUED, ··· 515 515 516 516 static int 517 517 nfp_ccm_mbox_msg_enqueue(struct nfp_net *nn, struct sk_buff *skb, 518 - enum nfp_ccm_type type) 518 + enum nfp_ccm_type type, bool critical) 519 519 { 520 520 struct nfp_ccm_hdr *hdr; 521 521 522 522 assert_spin_locked(&nn->mbox_cmsg.queue.lock); 523 523 524 - if (nn->mbox_cmsg.queue.qlen >= NFP_CCM_MAX_QLEN) { 524 + if (!critical && nn->mbox_cmsg.queue.qlen >= NFP_CCM_MAX_QLEN) { 525 525 nn_dp_warn(&nn->dp, "mailbox request queue too long\n"); 526 526 return -EBUSY; 527 527 } ··· 536 536 return 0; 537 537 } 538 538 539 - int nfp_ccm_mbox_communicate(struct nfp_net *nn, struct sk_buff *skb, 540 - enum nfp_ccm_type type, 541 - unsigned int reply_size, 542 - unsigned int max_reply_size) 539 + int __nfp_ccm_mbox_communicate(struct nfp_net *nn, struct sk_buff *skb, 540 + enum nfp_ccm_type type, 541 + unsigned int reply_size, 542 + unsigned int max_reply_size, bool critical) 543 543 { 544 544 int err; 545 545 ··· 550 550 551 551 spin_lock_bh(&nn->mbox_cmsg.queue.lock); 552 552 553 - err = nfp_ccm_mbox_msg_enqueue(nn, skb, type); 553 + err = nfp_ccm_mbox_msg_enqueue(nn, skb, type, critical); 554 554 if (err) 555 555 goto err_unlock; 556 556 ··· 592 592 err_free_skb: 593 593 dev_kfree_skb_any(skb); 594 594 return err; 595 + } 596 + 597 + int nfp_ccm_mbox_communicate(struct nfp_net *nn, struct sk_buff *skb, 598 + enum nfp_ccm_type type, 599 + unsigned int reply_size, 600 + unsigned int max_reply_size) 601 + { 602 + return __nfp_ccm_mbox_communicate(nn, skb, type, reply_size, 603 + max_reply_size, false); 595 604 } 596 605 597 606 static void nfp_ccm_mbox_post_runq_work(struct work_struct *work) ··· 659 650 660 651 spin_lock_bh(&nn->mbox_cmsg.queue.lock); 661 652 662 - err = nfp_ccm_mbox_msg_enqueue(nn, skb, type); 653 + err = nfp_ccm_mbox_msg_enqueue(nn, skb, type, false); 663 654 if (err) 664 655 goto err_unlock; 665 656
+2
drivers/net/ethernet/netronome/nfp/crypto/fw.h
··· 31 31 u8 key_len; 32 32 __be16 ipver_vlan __packed; 33 33 u8 l4_proto; 34 + #define NFP_NET_TLS_NON_ADDR_KEY_LEN 8 35 + u8 l3_addrs[0]; 34 36 }; 35 37 36 38 struct nfp_crypto_req_add_back {
+66 -27
drivers/net/ethernet/netronome/nfp/crypto/tls.c
··· 4 4 #include <linux/bitfield.h> 5 5 #include <linux/ipv6.h> 6 6 #include <linux/skbuff.h> 7 + #include <linux/string.h> 7 8 #include <net/tls.h> 8 9 9 10 #include "../ccm.h" ··· 113 112 struct nfp_crypto_reply_simple *reply; 114 113 int err; 115 114 116 - err = nfp_ccm_mbox_communicate(nn, skb, type, 117 - sizeof(*reply), sizeof(*reply)); 115 + err = __nfp_ccm_mbox_communicate(nn, skb, type, 116 + sizeof(*reply), sizeof(*reply), 117 + type == NFP_CCM_TYPE_CRYPTO_DEL); 118 118 if (err) { 119 119 nn_dp_warn(&nn->dp, "failed to %s TLS: %d\n", name, err); 120 120 return err; ··· 148 146 NFP_CCM_TYPE_CRYPTO_DEL); 149 147 } 150 148 149 + static void 150 + nfp_net_tls_set_ipver_vlan(struct nfp_crypto_req_add_front *front, u8 ipver) 151 + { 152 + front->ipver_vlan = cpu_to_be16(FIELD_PREP(NFP_NET_TLS_IPVER, ipver) | 153 + FIELD_PREP(NFP_NET_TLS_VLAN, 154 + NFP_NET_TLS_VLAN_UNUSED)); 155 + } 156 + 157 + static void 158 + nfp_net_tls_assign_conn_id(struct nfp_net *nn, 159 + struct nfp_crypto_req_add_front *front) 160 + { 161 + u32 len; 162 + u64 id; 163 + 164 + id = atomic64_inc_return(&nn->ktls_conn_id_gen); 165 + len = front->key_len - NFP_NET_TLS_NON_ADDR_KEY_LEN; 166 + 167 + memcpy(front->l3_addrs, &id, sizeof(id)); 168 + memset(front->l3_addrs + sizeof(id), 0, len - sizeof(id)); 169 + } 170 + 151 171 static struct nfp_crypto_req_add_back * 152 - nfp_net_tls_set_ipv4(struct nfp_crypto_req_add_v4 *req, struct sock *sk, 153 - int direction) 172 + nfp_net_tls_set_ipv4(struct nfp_net *nn, struct nfp_crypto_req_add_v4 *req, 173 + struct sock *sk, int direction) 154 174 { 155 175 struct inet_sock *inet = inet_sk(sk); 156 176 157 177 req->front.key_len += sizeof(__be32) * 2; 158 - req->front.ipver_vlan = cpu_to_be16(FIELD_PREP(NFP_NET_TLS_IPVER, 4) | 159 - FIELD_PREP(NFP_NET_TLS_VLAN, 160 - NFP_NET_TLS_VLAN_UNUSED)); 161 178 162 179 if (direction == TLS_OFFLOAD_CTX_DIR_TX) { 163 - req->src_ip = inet->inet_saddr; 164 - req->dst_ip = inet->inet_daddr; 180 + nfp_net_tls_assign_conn_id(nn, &req->front); 165 181 } else { 166 182 req->src_ip = inet->inet_daddr; 167 183 req->dst_ip = inet->inet_saddr; ··· 189 169 } 190 170 191 171 static struct nfp_crypto_req_add_back * 192 - nfp_net_tls_set_ipv6(struct nfp_crypto_req_add_v6 *req, struct sock *sk, 193 - int direction) 172 + nfp_net_tls_set_ipv6(struct nfp_net *nn, struct nfp_crypto_req_add_v6 *req, 173 + struct sock *sk, int direction) 194 174 { 195 175 #if IS_ENABLED(CONFIG_IPV6) 196 176 struct ipv6_pinfo *np = inet6_sk(sk); 197 177 198 178 req->front.key_len += sizeof(struct in6_addr) * 2; 199 - req->front.ipver_vlan = cpu_to_be16(FIELD_PREP(NFP_NET_TLS_IPVER, 6) | 200 - FIELD_PREP(NFP_NET_TLS_VLAN, 201 - NFP_NET_TLS_VLAN_UNUSED)); 202 179 203 180 if (direction == TLS_OFFLOAD_CTX_DIR_TX) { 204 - memcpy(req->src_ip, &np->saddr, sizeof(req->src_ip)); 205 - memcpy(req->dst_ip, &sk->sk_v6_daddr, sizeof(req->dst_ip)); 181 + nfp_net_tls_assign_conn_id(nn, &req->front); 206 182 } else { 207 183 memcpy(req->src_ip, &sk->sk_v6_daddr, sizeof(req->src_ip)); 208 184 memcpy(req->dst_ip, &np->saddr, sizeof(req->dst_ip)); ··· 218 202 front->l4_proto = IPPROTO_TCP; 219 203 220 204 if (direction == TLS_OFFLOAD_CTX_DIR_TX) { 221 - back->src_port = inet->inet_sport; 222 - back->dst_port = inet->inet_dport; 205 + back->src_port = 0; 206 + back->dst_port = 0; 223 207 } else { 224 208 back->src_port = inet->inet_dport; 225 209 back->dst_port = inet->inet_sport; ··· 273 257 struct nfp_crypto_reply_add *reply; 274 258 struct sk_buff *skb; 275 259 size_t req_sz; 260 + void *req; 276 261 bool ipv6; 277 262 int err; 278 263 ··· 316 299 317 300 front = (void *)skb->data; 318 301 front->ep_id = 0; 319 - front->key_len = 8; 302 + front->key_len = NFP_NET_TLS_NON_ADDR_KEY_LEN; 320 303 front->opcode = nfp_tls_1_2_dir_to_opcode(direction); 321 304 memset(front->resv, 0, sizeof(front->resv)); 322 305 306 + nfp_net_tls_set_ipver_vlan(front, ipv6 ? 6 : 4); 307 + 308 + req = (void *)skb->data; 323 309 if (ipv6) 324 - back = nfp_net_tls_set_ipv6((void *)skb->data, sk, direction); 310 + back = nfp_net_tls_set_ipv6(nn, req, sk, direction); 325 311 else 326 - back = nfp_net_tls_set_ipv4((void *)skb->data, sk, direction); 312 + back = nfp_net_tls_set_ipv4(nn, req, sk, direction); 327 313 328 314 nfp_net_tls_set_l4(front, back, sk, direction); 329 315 ··· 341 321 memcpy(&back->salt, tls_ci->salt, TLS_CIPHER_AES_GCM_128_SALT_SIZE); 342 322 memcpy(back->rec_no, tls_ci->rec_seq, sizeof(tls_ci->rec_seq)); 343 323 324 + /* Get an extra ref on the skb so we can wipe the key after */ 325 + skb_get(skb); 326 + 344 327 err = nfp_ccm_mbox_communicate(nn, skb, NFP_CCM_TYPE_CRYPTO_ADD, 345 328 sizeof(*reply), sizeof(*reply)); 329 + reply = (void *)skb->data; 330 + 331 + /* We depend on CCM MBOX code not reallocating skb we sent 332 + * so we can clear the key material out of the memory. 333 + */ 334 + if (!WARN_ON_ONCE((u8 *)back < skb->head || 335 + (u8 *)back > skb_end_pointer(skb)) && 336 + !WARN_ON_ONCE((u8 *)&reply[1] > (u8 *)back)) 337 + memzero_explicit(back, sizeof(*back)); 338 + dev_consume_skb_any(skb); /* the extra ref from skb_get() above */ 339 + 346 340 if (err) { 347 - nn_dp_warn(&nn->dp, "failed to add TLS: %d\n", err); 341 + nn_dp_warn(&nn->dp, "failed to add TLS: %d (%d)\n", 342 + err, direction == TLS_OFFLOAD_CTX_DIR_TX); 348 343 /* communicate frees skb on error */ 349 344 goto err_conn_remove; 350 345 } 351 346 352 - reply = (void *)skb->data; 353 347 err = -be32_to_cpu(reply->error); 354 348 if (err) { 355 349 if (err == -ENOSPC) { ··· 417 383 nfp_net_tls_del_fw(nn, ntls->fw_handle); 418 384 } 419 385 420 - static void 386 + static int 421 387 nfp_net_tls_resync(struct net_device *netdev, struct sock *sk, u32 seq, 422 388 u8 *rcd_sn, enum tls_offload_ctx_dir direction) 423 389 { ··· 426 392 struct nfp_crypto_req_update *req; 427 393 struct sk_buff *skb; 428 394 gfp_t flags; 395 + int err; 429 396 430 397 flags = direction == TLS_OFFLOAD_CTX_DIR_TX ? GFP_KERNEL : GFP_ATOMIC; 431 398 skb = nfp_net_tls_alloc_simple(nn, sizeof(*req), flags); 432 399 if (!skb) 433 - return; 400 + return -ENOMEM; 434 401 435 402 ntls = tls_driver_ctx(sk, direction); 436 403 req = (void *)skb->data; ··· 443 408 memcpy(req->rec_no, rcd_sn, sizeof(req->rec_no)); 444 409 445 410 if (direction == TLS_OFFLOAD_CTX_DIR_TX) { 446 - nfp_net_tls_communicate_simple(nn, skb, "sync", 447 - NFP_CCM_TYPE_CRYPTO_UPDATE); 411 + err = nfp_net_tls_communicate_simple(nn, skb, "sync", 412 + NFP_CCM_TYPE_CRYPTO_UPDATE); 413 + if (err) 414 + return err; 448 415 ntls->next_seq = seq; 449 416 } else { 450 417 nfp_ccm_mbox_post(nn, skb, NFP_CCM_TYPE_CRYPTO_UPDATE, 451 418 sizeof(struct nfp_crypto_reply_simple)); 452 419 } 420 + 421 + return 0; 453 422 } 454 423 455 424 static const struct tlsdev_ops nfp_net_tls_ops = {
+3
drivers/net/ethernet/netronome/nfp/nfp_net.h
··· 583 583 * @tlv_caps: Parsed TLV capabilities 584 584 * @ktls_tx_conn_cnt: Number of offloaded kTLS TX connections 585 585 * @ktls_rx_conn_cnt: Number of offloaded kTLS RX connections 586 + * @ktls_conn_id_gen: Trivial generator for kTLS connection ids (for TX) 586 587 * @ktls_no_space: Counter of firmware rejecting kTLS connection due to 587 588 * lack of space 588 589 * @mbox_cmsg: Common Control Message via vNIC mailbox state ··· 670 669 671 670 unsigned int ktls_tx_conn_cnt; 672 671 unsigned int ktls_rx_conn_cnt; 672 + 673 + atomic64_t ktls_conn_id_gen; 673 674 674 675 atomic_t ktls_no_space; 675 676
+28 -4
drivers/net/ethernet/netronome/nfp/nfp_net_common.c
··· 822 822 u64_stats_update_end(&r_vec->tx_sync); 823 823 } 824 824 825 - #ifdef CONFIG_TLS_DEVICE 826 825 static struct sk_buff * 827 826 nfp_net_tls_tx(struct nfp_net_dp *dp, struct nfp_net_r_vector *r_vec, 828 827 struct sk_buff *skb, u64 *tls_handle, int *nr_frags) 829 828 { 829 + #ifdef CONFIG_TLS_DEVICE 830 830 struct nfp_net_tls_offload_ctx *ntls; 831 831 struct sk_buff *nskb; 832 832 bool resync_pending; ··· 880 880 881 881 if (datalen) { 882 882 u64_stats_update_begin(&r_vec->tx_sync); 883 - r_vec->hw_tls_tx++; 883 + if (!skb_is_gso(skb)) 884 + r_vec->hw_tls_tx++; 885 + else 886 + r_vec->hw_tls_tx += skb_shinfo(skb)->gso_segs; 884 887 u64_stats_update_end(&r_vec->tx_sync); 885 888 } 886 889 887 890 memcpy(tls_handle, ntls->fw_handle, sizeof(ntls->fw_handle)); 888 891 ntls->next_seq += datalen; 892 + #endif 889 893 return skb; 890 894 } 895 + 896 + static void nfp_net_tls_tx_undo(struct sk_buff *skb, u64 tls_handle) 897 + { 898 + #ifdef CONFIG_TLS_DEVICE 899 + struct nfp_net_tls_offload_ctx *ntls; 900 + u32 datalen, seq; 901 + 902 + if (!tls_handle) 903 + return; 904 + if (WARN_ON_ONCE(!skb->sk || !tls_is_sk_tx_device_offloaded(skb->sk))) 905 + return; 906 + 907 + datalen = skb->len - (skb_transport_offset(skb) + tcp_hdrlen(skb)); 908 + seq = ntohl(tcp_hdr(skb)->seq); 909 + 910 + ntls = tls_driver_ctx(skb->sk, TLS_OFFLOAD_CTX_DIR_TX); 911 + if (ntls->next_seq == seq + datalen) 912 + ntls->next_seq = seq; 913 + else 914 + WARN_ON_ONCE(1); 891 915 #endif 916 + } 892 917 893 918 static void nfp_net_tx_xmit_more_flush(struct nfp_net_tx_ring *tx_ring) 894 919 { ··· 1007 982 return NETDEV_TX_BUSY; 1008 983 } 1009 984 1010 - #ifdef CONFIG_TLS_DEVICE 1011 985 skb = nfp_net_tls_tx(dp, r_vec, skb, &tls_handle, &nr_frags); 1012 986 if (unlikely(!skb)) { 1013 987 nfp_net_tx_xmit_more_flush(tx_ring); 1014 988 return NETDEV_TX_OK; 1015 989 } 1016 - #endif 1017 990 1018 991 md_bytes = nfp_net_prep_tx_meta(skb, tls_handle); 1019 992 if (unlikely(md_bytes < 0)) ··· 1124 1101 u64_stats_update_begin(&r_vec->tx_sync); 1125 1102 r_vec->tx_errors++; 1126 1103 u64_stats_update_end(&r_vec->tx_sync); 1104 + nfp_net_tls_tx_undo(skb, tls_handle); 1127 1105 dev_kfree_skb_any(skb); 1128 1106 return NETDEV_TX_OK; 1129 1107 }
+3 -3
include/net/tls.h
··· 304 304 void (*tls_dev_del)(struct net_device *netdev, 305 305 struct tls_context *ctx, 306 306 enum tls_offload_ctx_dir direction); 307 - void (*tls_dev_resync)(struct net_device *netdev, 308 - struct sock *sk, u32 seq, u8 *rcd_sn, 309 - enum tls_offload_ctx_dir direction); 307 + int (*tls_dev_resync)(struct net_device *netdev, 308 + struct sock *sk, u32 seq, u8 *rcd_sn, 309 + enum tls_offload_ctx_dir direction); 310 310 }; 311 311 312 312 enum tls_offload_sync_type {
+8 -2
net/tls/tls_device.c
··· 214 214 { 215 215 struct net_device *netdev; 216 216 struct sk_buff *skb; 217 + int err = 0; 217 218 u8 *rcd_sn; 218 219 219 220 skb = tcp_write_queue_tail(sk); ··· 226 225 down_read(&device_offload_lock); 227 226 netdev = tls_ctx->netdev; 228 227 if (netdev) 229 - netdev->tlsdev_ops->tls_dev_resync(netdev, sk, seq, rcd_sn, 230 - TLS_OFFLOAD_CTX_DIR_TX); 228 + err = netdev->tlsdev_ops->tls_dev_resync(netdev, sk, seq, 229 + rcd_sn, 230 + TLS_OFFLOAD_CTX_DIR_TX); 231 231 up_read(&device_offload_lock); 232 + if (err) 233 + return; 232 234 233 235 clear_bit_unlock(TLS_TX_SYNC_SCHED, &tls_ctx->flags); 234 236 } ··· 883 879 goto free_offload_ctx; 884 880 } 885 881 882 + prot->version = crypto_info->version; 883 + prot->cipher_type = crypto_info->cipher_type; 886 884 prot->prepend_size = TLS_HEADER_SIZE + nonce_size; 887 885 prot->tag_size = tag_size; 888 886 prot->overhead_size = prot->prepend_size + prot->tag_size;
+4
net/tls/tls_device_fallback.c
··· 209 209 210 210 update_chksum(nskb, headln); 211 211 212 + /* sock_efree means skb must gone through skb_orphan_partial() */ 213 + if (nskb->destructor == sock_efree) 214 + return; 215 + 212 216 delta = nskb->truesize - skb->truesize; 213 217 if (likely(delta < 0)) 214 218 WARN_ON_ONCE(refcount_sub_and_test(-delta, &sk->sk_wmem_alloc));