Thread (24 messages) 24 messages, 3 authors, 2025-10-29

Re: [EXTERNAL] Re: [PATCH net-next v5 15/15] octeontx2-pf: ipsec: Add XFRM state and policy hooks for inbound flows

From: Tanmay Jagdale <hidden>
Date: 2025-10-29 17:37:04
Also in: linux-crypto

Hi Sabrina,
quoted
+static int cn10k_ipsec_policy_add(struct xfrm_policy *x,
+				  struct netlink_ext_ack *extack)
+{
+	struct cn10k_inb_sw_ctx_info *inb_ctx_info = NULL, *inb_ctx;
+	struct net_device *netdev = x->xdo.dev;
+	bool disable_rule = true;
+	struct otx2_nic *pf;
+	int ret = 0;
+
+	if (x->xdo.dir != XFRM_DEV_OFFLOAD_IN) {
+		netdev_err(netdev, "ERR: Can only offload Inbound policies\n");
+		ret = -EINVAL;
missing goto/return?
Oops. Will fix this in the next version.
quoted
+	}
+
+	if (x->xdo.type != XFRM_DEV_OFFLOAD_PACKET) {
+		netdev_err(netdev, "ERR: Only Packet mode supported\n");
+		ret = -EINVAL;
missing goto/return?
ACK.
quoted
+	}
+
+	pf = netdev_priv(netdev);
+
+	/* If XFRM state was added before policy, then the inb_ctx_info instance
+	 * would be allocated there.
+	 */
+	list_for_each_entry(inb_ctx, &pf->ipsec.inb_sw_ctx_list, list) {
+		if (inb_ctx->reqid == x->xfrm_vec[0].reqid) {
+			inb_ctx_info = inb_ctx;
+			disable_rule = false;
+			break;
+		}
+	}
+
+	if (!inb_ctx_info) {
+		/* Allocate a structure to track SA related info in driver */
+		inb_ctx_info = devm_kzalloc(pf->dev, sizeof(*inb_ctx_info), GFP_KERNEL);
I'm not so familiar with devm_*, but according to the kdoc for
devm_kmalloc, this will get freed automatically when the driver goes
away (but not earlier). This could take a long time. Shouldn't this be
manually freed in the error path of this function, and somewhere
during the policy_delete/policy_free calls?
Yes I agree. Will free this memory in the error paths.
I see that you've got a devm_kfree in cn10k_ipsec_inb_add_state, so
something similar here?
Yes sure.
[...]
quoted
+static void cn10k_ipsec_policy_free(struct xfrm_policy *x)
+{
+	return;
 }
The stack can handle a NULL .xdo_dev_policy_free, so this empty
implementation is not needed. But I'm not sure releasing all
policy-related resources at delete time (even via WQ) is safe, so
possibly some of the work done in cn10k_ipsec_policy_delete should be
moved here (similar comment for the existing cn10k_ipsec_del_state
code vs adding .xdo_dev_state_free).
Okay sure. I'll revisit the policy and state delete/free routines and
see what can be split between these functions.
-- 
Sabrina
Thanks,
Tanmay
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help