Commit 7681a4f5 authored by Leon Romanovsky's avatar Leon Romanovsky Committed by Jakub Kicinski

xfrm: extend add state callback to set failure reason



Almost all validation logic is in the drivers, but they are
missing a reliable way to convey the failure reason to userspace
applications.

Let's use extack to return this information to users.

Signed-off-by: default avatarLeon Romanovsky <leonro@nvidia.com>
Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent 1bb70c5a
+1 −1
@@ -64,7 +64,7 @@ Callbacks to implement
  /* from include/linux/netdevice.h */
  struct xfrmdev_ops {
        /* Crypto and Packet offload callbacks */
	int	(*xdo_dev_state_add) (struct xfrm_state *x);
	int	(*xdo_dev_state_add) (struct xfrm_state *x, struct netlink_ext_ack *extack);
	void	(*xdo_dev_state_delete) (struct xfrm_state *x);
	void	(*xdo_dev_state_free) (struct xfrm_state *x);
	bool	(*xdo_dev_offload_ok) (struct sk_buff *skb,
+5 −3
@@ -419,8 +419,10 @@ static int bond_vlan_rx_kill_vid(struct net_device *bond_dev,
/**
 * bond_ipsec_add_sa - program device with a security association
 * @xs: pointer to transformer state struct
 * @extack: extack point to fill failure reason
 **/
static int bond_ipsec_add_sa(struct xfrm_state *xs)
static int bond_ipsec_add_sa(struct xfrm_state *xs,
			     struct netlink_ext_ack *extack)
{
	struct net_device *bond_dev = xs->xso.dev;
	struct bond_ipsec *ipsec;
@@ -454,7 +456,7 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs)
	}
	xs->xso.real_dev = slave->dev;

	err = slave->dev->xfrmdev_ops->xdo_dev_state_add(xs);
	err = slave->dev->xfrmdev_ops->xdo_dev_state_add(xs, extack);
	if (!err) {
		ipsec->xs = xs;
		INIT_LIST_HEAD(&ipsec->list);
@@ -494,7 +496,7 @@ static void bond_ipsec_add_sa_all(struct bonding *bond)
	spin_lock_bh(&bond->ipsec_lock);
	list_for_each_entry(ipsec, &bond->ipsec_list, list) {
		ipsec->xs->xso.real_dev = slave->dev;
		if (slave->dev->xfrmdev_ops->xdo_dev_state_add(ipsec->xs)) {
		if (slave->dev->xfrmdev_ops->xdo_dev_state_add(ipsec->xs, NULL)) {
			slave_warn(bond_dev, slave->dev, "%s: failed to add SA\n", __func__);
			ipsec->xs->xso.real_dev = NULL;
		}
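Review bot: The kernel-doc line added for `@extack` above bond_ipsec_add_sa does not say that the pointer may be NULL, yet this commit passes NULL from bond_ipsec_add_sa_all here and from ixgbe_ipsec_vf_add_sa in the ixgbe section. Any xdo_dev_state_add implementation therefore has to fill the reason only through the NL_SET_ERR_MSG()/NL_SET_ERR_MSG_MOD() helpers, which tolerate a NULL extack, and must never dereference it directly. I would reword the line to `* @extack: extack pointer to fill with the failure reason, may be NULL` in both kernel-doc blocks, and state the same contract next to the callback in the xfrmdev_ops documentation. The bodies of both bonding functions continue outside the hunks shown.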
+3 −2
@@ -6490,7 +6490,8 @@ static const struct tlsdev_ops cxgb4_ktls_ops = {

#if IS_ENABLED(CONFIG_CHELSIO_IPSEC_INLINE)

static int cxgb4_xfrm_add_state(struct xfrm_state *x)
static int cxgb4_xfrm_add_state(struct xfrm_state *x,
				struct netlink_ext_ack *extack)
{
	struct adapter *adap = netdev2adap(x->xso.dev);
	int ret;
@@ -6504,7 +6505,7 @@ static int cxgb4_xfrm_add_state(struct xfrm_state *x)
	if (ret)
		goto out_unlock;

	ret = adap->uld[CXGB4_ULD_IPSEC].xfrmdev_ops->xdo_dev_state_add(x);
	ret = adap->uld[CXGB4_ULD_IPSEC].xfrmdev_ops->xdo_dev_state_add(x, extack);

out_unlock:
	mutex_unlock(&uld_mutex);
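Review bot: The early `if (ret) goto out_unlock;` path in cxgb4_xfrm_add_state still returns an error without putting anything in extack, so userspace gets a bare errno for a failure this wrapper detects itself. Now that extack is available, a message can be set before the jump, for example `NL_SET_ERR_MSG_MOD(extack, "<reason for refusing offload>");` inside a braced `if (ret)` body, with the wording chosen by the driver maintainers. What assigns `ret` is outside the hunk, so the right text has to come from that call.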
+4 −2
@@ -80,7 +80,8 @@ static void *ch_ipsec_uld_add(const struct cxgb4_lld_info *infop);
static void ch_ipsec_advance_esn_state(struct xfrm_state *x);
static void ch_ipsec_xfrm_free_state(struct xfrm_state *x);
static void ch_ipsec_xfrm_del_state(struct xfrm_state *x);
static int ch_ipsec_xfrm_add_state(struct xfrm_state *x);
static int ch_ipsec_xfrm_add_state(struct xfrm_state *x,
				   struct netlink_ext_ack *extack);

static const struct xfrmdev_ops ch_ipsec_xfrmdev_ops = {
	.xdo_dev_state_add      = ch_ipsec_xfrm_add_state,
@@ -226,7 +227,8 @@ static int ch_ipsec_setkey(struct xfrm_state *x,
 * returns 0 on success, negative error if failed to send message to FPGA
 * positive error if FPGA returned a bad response
 */
static int ch_ipsec_xfrm_add_state(struct xfrm_state *x)
static int ch_ipsec_xfrm_add_state(struct xfrm_state *x,
				   struct netlink_ext_ack *extack)
{
	struct ipsec_sa_entry *sa_entry;
	int res = 0;
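Review bot: The comment block above ch_ipsec_xfrm_add_state documents only the return values and says nothing about the new `extack` argument, unlike the bonding and ixgbe kernel-doc updated in this commit. I would add a line such as `* @extack: extack pointer to fill with the failure reason, may be NULL` to that comment. The function body continues past the hunk, so whether any of its failure paths should already set a message cannot be judged from here.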
+4 −2
@@ -557,8 +557,10 @@ static int ixgbe_ipsec_check_mgmt_ip(struct xfrm_state *xs)
/**
 * ixgbe_ipsec_add_sa - program device with a security association
 * @xs: pointer to transformer state struct
 * @extack: extack point to fill failure reason
 **/
static int ixgbe_ipsec_add_sa(struct xfrm_state *xs)
static int ixgbe_ipsec_add_sa(struct xfrm_state *xs,
			      struct netlink_ext_ack *extack)
{
	struct net_device *dev = xs->xso.real_dev;
	struct ixgbe_adapter *adapter = netdev_priv(dev);
@@ -950,7 +952,7 @@ int ixgbe_ipsec_vf_add_sa(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf)
	memcpy(xs->aead->alg_name, aes_gcm_name, sizeof(aes_gcm_name));

	/* set up the HW offload */
	err = ixgbe_ipsec_add_sa(xs);
	err = ixgbe_ipsec_add_sa(xs, NULL);
	if (err)
		goto err_aead;
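Review bot: Passing NULL in ixgbe_ipsec_vf_add_sa means any reason the add path records is dropped for SAs requested by a VF over the mailbox, a path where the host administrator has no netlink reply to show why a request was refused. bond_ipsec_add_sa_all in the bonding section has the same pattern. Consider a stack-local `struct netlink_ext_ack extack = {};`, calling `ixgbe_ipsec_add_sa(xs, &extack)`, and logging `extack._msg` when it is set before `goto err_aead`. Whether ixgbe_ipsec_add_sa also logs on its own is outside the hunk, so this matters mainly once its failures are reported through extack.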
