Revision tags: v6.6.30 |
|
#
6c3020dc |
| 29-Apr-2024 |
Rahul Rameshbabu <rrameshbabu@nvidia.com> |
macsec: Detect if Rx skb is macsec-related for offloading devices that update md_dst
commit 642c984dd0e37dbaec9f87bd1211e5fac1f142bf upstream.
Can now correctly identify where the packets should be
macsec: Detect if Rx skb is macsec-related for offloading devices that update md_dst
commit 642c984dd0e37dbaec9f87bd1211e5fac1f142bf upstream.
Can now correctly identify where the packets should be delivered by using md_dst or its absence on devices that provide it.
This detection is not possible without device drivers that update md_dst. A fallback pattern should be used for supporting such device drivers. This fallback mode causes multicast messages to be cloned to both the non-macsec and macsec ports, independent of whether the multicast message received was encrypted over MACsec or not. Other non-macsec traffic may also fail to be handled correctly for devices in promiscuous mode.
Link: https://lore.kernel.org/netdev/ZULRxX9eIbFiVi7v@hog/ Cc: Sabrina Dubroca <sd@queasysnail.net> Cc: stable@vger.kernel.org Fixes: 860ead89b851 ("net/macsec: Add MACsec skb_metadata_dst Rx Data path support") Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com> Reviewed-by: Benjamin Poirier <bpoirier@nvidia.com> Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Link: https://lore.kernel.org/r/20240423181319.115860-4-rrameshbabu@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
Revision tags: v6.6.30 |
|
#
6c3020dc |
| 29-Apr-2024 |
Rahul Rameshbabu <rrameshbabu@nvidia.com> |
macsec: Detect if Rx skb is macsec-related for offloading devices that update md_dst
commit 642c984dd0e37dbaec9f87bd1211e5fac1f142bf upstream.
Can now correctly identify where the packets should be
macsec: Detect if Rx skb is macsec-related for offloading devices that update md_dst
commit 642c984dd0e37dbaec9f87bd1211e5fac1f142bf upstream.
Can now correctly identify where the packets should be delivered by using md_dst or its absence on devices that provide it.
This detection is not possible without device drivers that update md_dst. A fallback pattern should be used for supporting such device drivers. This fallback mode causes multicast messages to be cloned to both the non-macsec and macsec ports, independent of whether the multicast message received was encrypted over MACsec or not. Other non-macsec traffic may also fail to be handled correctly for devices in promiscuous mode.
Link: https://lore.kernel.org/netdev/ZULRxX9eIbFiVi7v@hog/ Cc: Sabrina Dubroca <sd@queasysnail.net> Cc: stable@vger.kernel.org Fixes: 860ead89b851 ("net/macsec: Add MACsec skb_metadata_dst Rx Data path support") Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com> Reviewed-by: Benjamin Poirier <bpoirier@nvidia.com> Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Link: https://lore.kernel.org/r/20240423181319.115860-4-rrameshbabu@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
Revision tags: v6.6.30 |
|
#
6c3020dc |
| 29-Apr-2024 |
Rahul Rameshbabu <rrameshbabu@nvidia.com> |
macsec: Detect if Rx skb is macsec-related for offloading devices that update md_dst
commit 642c984dd0e37dbaec9f87bd1211e5fac1f142bf upstream.
Can now correctly identify where the packets should be
macsec: Detect if Rx skb is macsec-related for offloading devices that update md_dst
commit 642c984dd0e37dbaec9f87bd1211e5fac1f142bf upstream.
Can now correctly identify where the packets should be delivered by using md_dst or its absence on devices that provide it.
This detection is not possible without device drivers that update md_dst. A fallback pattern should be used for supporting such device drivers. This fallback mode causes multicast messages to be cloned to both the non-macsec and macsec ports, independent of whether the multicast message received was encrypted over MACsec or not. Other non-macsec traffic may also fail to be handled correctly for devices in promiscuous mode.
Link: https://lore.kernel.org/netdev/ZULRxX9eIbFiVi7v@hog/ Cc: Sabrina Dubroca <sd@queasysnail.net> Cc: stable@vger.kernel.org Fixes: 860ead89b851 ("net/macsec: Add MACsec skb_metadata_dst Rx Data path support") Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com> Reviewed-by: Benjamin Poirier <bpoirier@nvidia.com> Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Link: https://lore.kernel.org/r/20240423181319.115860-4-rrameshbabu@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
Revision tags: v6.6.29, v6.6.28, v6.6.27, v6.6.26, v6.6.25, v6.6.24, v6.6.23, v6.6.16, v6.6.15, v6.6.14, v6.6.13, v6.6.12, v6.6.11, v6.6.10, v6.6.9, v6.6.8, v6.6.7, v6.6.6, v6.6.5, v6.6.4, v6.6.3, v6.6.2, v6.5.11, v6.6.1, v6.5.10, v6.6, v6.5.9, v6.5.8, v6.5.7, v6.5.6, v6.5.5 |
|
#
c8670b7b |
| 21-Sep-2023 |
Eric Dumazet <edumazet@google.com> |
net: add DEV_STATS_READ() helper
[ Upstream commit 0b068c714ca9479d2783cc333fff5bc2d4a6d45c ]
Companion of DEV_STATS_INC() & DEV_STATS_ADD().
This is going to be used in the series.
Use it in mac
net: add DEV_STATS_READ() helper
[ Upstream commit 0b068c714ca9479d2783cc333fff5bc2d4a6d45c ]
Companion of DEV_STATS_INC() & DEV_STATS_ADD().
This is going to be used in the series.
Use it in macsec_get_stats64().
Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Stable-dep-of: ff672b9ffeb3 ("ipvlan: properly track tx_errors") Signed-off-by: Sasha Levin <sashal@kernel.org>
show more ...
|
#
0412cc84 |
| 05-Oct-2023 |
Radu Pirea (NXP OSS) <radu-nicolae.pirea@oss.nxp.com> |
net: macsec: indicate next pn update when offloading
Indicate next PN update using update_pn flag in macsec_context. Offloaded MACsec implementations does not know whether or not the MACSEC_SA_ATTR_
net: macsec: indicate next pn update when offloading
Indicate next PN update using update_pn flag in macsec_context. Offloaded MACsec implementations does not know whether or not the MACSEC_SA_ATTR_PN attribute was passed for an SA update and assume that next PN should always updated, but this is not always true.
The PN can be reset to its initial value using the following command: $ ip macsec set macsec0 tx sa 0 off #octeontx2-pf case
Or, the update PN command will succeed even if the driver does not support PN updates. $ ip macsec set macsec0 tx sa 0 pn 1 on #mscc phy driver case
Comparing the initial PN with the new PN value is not a solution. When the user updates the PN using its initial value the command will succeed, even if the driver does not support it. Like this: $ ip macsec add macsec0 tx sa 0 pn 1 on key 00 \ ead3664f508eb06c40ac7104cdae4ce5 $ ip macsec set macsec0 tx sa 0 pn 1 on #mlx5 case
Signed-off-by: Radu Pirea (NXP OSS) <radu-nicolae.pirea@oss.nxp.com> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
show more ...
|
Revision tags: v6.5.4, v6.5.3, v6.5.2 |
|
#
d3287e40 |
| 04-Sep-2023 |
Sabrina Dubroca <sd@queasysnail.net> |
Revert "net: macsec: preserve ingress frame ordering"
This reverts commit ab046a5d4be4c90a3952a0eae75617b49c0cb01b.
It was trying to work around an issue at the crypto layer by excluding ASYNC impl
Revert "net: macsec: preserve ingress frame ordering"
This reverts commit ab046a5d4be4c90a3952a0eae75617b49c0cb01b.
It was trying to work around an issue at the crypto layer by excluding ASYNC implementations of gcm(aes), because a bug in the AESNI version caused reordering when some requests bypassed the cryptd queue while older requests were still pending on the queue.
This was fixed by commit 38b2f68b4264 ("crypto: aesni - Fix cryptd reordering problem on gcm"), which pre-dates ab046a5d4be4.
Herbert Xu confirmed that all ASYNC implementations are expected to maintain the ordering of completions wrt requests, so we can use them in MACsec.
On my test machine, this restores the performance of a single netperf instance, from 1.4Gbps to 4.4Gbps.
Link: https://lore.kernel.org/netdev/9328d206c5d9f9239cae27e62e74de40b258471d.1692279161.git.sd@queasysnail.net/T/ Link: https://lore.kernel.org/netdev/1b0cec71-d084-8153-2ba4-72ce71abeb65@byu.edu/ Link: https://lore.kernel.org/netdev/d335ddaa-18dc-f9f0-17ee-9783d3b2ca29@mailbox.tu-dresden.de/ Fixes: ab046a5d4be4 ("net: macsec: preserve ingress frame ordering") Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Link: https://lore.kernel.org/r/11c952469d114db6fb29242e1d9545e61f52f512.1693757159.git.sd@queasysnail.net Signed-off-by: Paolo Abeni <pabeni@redhat.com>
show more ...
|
Revision tags: v6.1.51, v6.5.1, v6.1.50, v6.5, v6.1.49, v6.1.48, v6.1.46, v6.1.45, v6.1.44, v6.1.43, v6.1.42, v6.1.41, v6.1.40, v6.1.39, v6.1.38, v6.1.37, v6.1.36, v6.4, v6.1.35, v6.1.34, v6.1.33, v6.1.32, v6.1.31, v6.1.30, v6.1.29, v6.1.28, v6.1.27, v6.1.26, v6.3, v6.1.25, v6.1.24, v6.1.23, v6.1.22, v6.1.21, v6.1.20, v6.1.19, v6.1.18, v6.1.17, v6.1.16, v6.1.15, v6.1.14, v6.1.13, v6.2, v6.1.12, v6.1.11, v6.1.10, v6.1.9, v6.1.8, v6.1.7, v6.1.6, v6.1.5, v6.0.19, v6.0.18, v6.1.4, v6.1.3, v6.0.17, v6.1.2, v6.0.16, v6.1.1, v6.0.15, v6.0.14, v6.0.13, v6.1, v6.0.12, v6.0.11, v6.0.10, v5.15.80, v6.0.9, v5.15.79, v6.0.8, v5.15.78, v6.0.7, v5.15.77, v5.15.76, v6.0.6, v6.0.5, v5.15.75, v6.0.4, v6.0.3, v6.0.2, v5.15.74, v5.15.73, v6.0.1, v5.15.72, v6.0, v5.15.71, v5.15.70, v5.15.69, v5.15.68, v5.15.67, v5.15.66, v5.15.65, v5.15.64, v5.15.63, v5.15.62, v5.15.61, v5.15.60, v5.15.59, v5.19, v5.15.58, v5.15.57, v5.15.56, v5.15.55, v5.15.54, v5.15.53, v5.15.52, v5.15.51, v5.15.50, v5.15.49, v5.15.48, v5.15.47, v5.15.46, v5.15.45, v5.15.44, v5.15.43, v5.15.42, v5.18, v5.15.41, v5.15.40, v5.15.39, v5.15.38 |
|
#
f132fdd9 |
| 02-May-2022 |
Patrisious Haddad <phaddad@nvidia.com> |
macsec: add functions to get macsec real netdevice and check offload
Given a macsec net_device add two functions to return the real net_device for that device, and check if that macsec device is off
macsec: add functions to get macsec real netdevice and check offload
Given a macsec net_device add two functions to return the real net_device for that device, and check if that macsec device is offloaded or not.
This is needed for auxiliary drivers that implement MACsec offload, but have flows which are triggered over the macsec net_device, this allows the drivers in such cases to verify if the device is offloaded or not, and to access the real device of that macsec device, which would belong to the driver, and would be needed for the offload procedure.
Signed-off-by: Patrisious Haddad <phaddad@nvidia.com> Reviewed-by: Raed Salem <raeds@nvidia.com> Reviewed-by: Mark Zhang <markzhang@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
show more ...
|
#
bf98bbe9 |
| 10-Aug-2023 |
Li Zetao <lizetao1@huawei.com> |
net: macsec: Use helper functions to update stats
Use the helper functions dev_sw_netstats_rx_add() and dev_sw_netstats_tx_add() to update stats, which helps to provide code readability.
Signed-off
net: macsec: Use helper functions to update stats
Use the helper functions dev_sw_netstats_rx_add() and dev_sw_netstats_tx_add() to update stats, which helps to provide code readability.
Signed-off-by: Li Zetao <lizetao1@huawei.com> Reviewed-by: Simon Horman <horms@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
show more ...
|
#
32d0a49d |
| 04-Aug-2023 |
Eric Dumazet <edumazet@google.com> |
macsec: use DEV_STATS_INC()
syzbot/KCSAN reported data-races in macsec whenever dev->stats fields are updated.
It appears all of these updates can happen from multiple cpus.
Adopt SMP safe DEV_STA
macsec: use DEV_STATS_INC()
syzbot/KCSAN reported data-races in macsec whenever dev->stats fields are updated.
It appears all of these updates can happen from multiple cpus.
Adopt SMP safe DEV_STATS_INC() to update dev->stats fields.
Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver") Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: David S. Miller <davem@davemloft.net>
show more ...
|
#
0c0cf3db |
| 13-Jun-2023 |
Fedor Pchelkin <pchelkin@ispras.ru> |
net: macsec: fix double free of percpu stats
Inside macsec_add_dev() we free percpu macsec->secy.tx_sc.stats and macsec->stats on some of the memory allocation failure paths. However, the net_device
net: macsec: fix double free of percpu stats
Inside macsec_add_dev() we free percpu macsec->secy.tx_sc.stats and macsec->stats on some of the memory allocation failure paths. However, the net_device is already registered to that moment: in macsec_newlink(), just before calling macsec_add_dev(). This means that during unregister process its priv_destructor - macsec_free_netdev() - will be called and will free the stats again.
Remove freeing percpu stats inside macsec_add_dev() because macsec_free_netdev() will correctly free the already allocated ones. The pointers to unallocated stats stay NULL, and free_percpu() treats that correctly.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: 0a28bfd4971f ("net/macsec: Add MACsec skb_metadata_dst Tx Data path support") Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver") Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: David S. Miller <davem@davemloft.net>
show more ...
|
#
7661351a |
| 19-Apr-2023 |
Emeel Hakim <ehakim@nvidia.com> |
macsec: Don't rely solely on the dst MAC address to identify destination MACsec device
Offloading device drivers will mark offloaded MACsec SKBs with the corresponding SCI in the skb_metadata_dst so
macsec: Don't rely solely on the dst MAC address to identify destination MACsec device
Offloading device drivers will mark offloaded MACsec SKBs with the corresponding SCI in the skb_metadata_dst so the macsec rx handler will know to which interface to divert those skbs, in case of a marked skb and a mismatch on the dst MAC address, divert the skb to the macsec net_device where the macsec rx_handler will be called to consider cases where relying solely on the dst MAC address is insufficient.
One such instance is when using MACsec with a VLAN as an inner header, where the packet structure is ETHERNET | SECTAG | VLAN. In such a scenario, the dst MAC address in the ethernet header will correspond to the VLAN MAC address, resulting in a mismatch.
Signed-off-by: Emeel Hakim <ehakim@nvidia.com> Reviewed-by: Subbaraya Sundeep <sbhatta@marvell.com> Signed-off-by: David S. Miller <davem@davemloft.net>
show more ...
|
#
23b8b93b |
| 06-Feb-2023 |
Herbert Xu <herbert@gondor.apana.org.au> |
net: macsec: Remove completion function scaffolding
This patch removes the temporary scaffolding now that the comletion function signature has been converted.
Signed-off-by: Herbert Xu <herbert@gon
net: macsec: Remove completion function scaffolding
This patch removes the temporary scaffolding now that the comletion function signature has been converted.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
show more ...
|
#
30859e97 |
| 06-Feb-2023 |
Herbert Xu <herbert@gondor.apana.org.au> |
net: macsec: Add scaffolding to change completion function signature
This patch adds temporary scaffolding so that the Crypto API completion function can take a void * instead of crypto_async_reques
net: macsec: Add scaffolding to change completion function signature
This patch adds temporary scaffolding so that the Crypto API completion function can take a void * instead of crypto_async_request. Once affected users have been converted this can be removed.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Acked-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
show more ...
|
#
723e8a48 |
| 11-Jan-2023 |
Emeel Hakim <ehakim@nvidia.com> |
macsec: dump IFLA_MACSEC_OFFLOAD attribute as part of macsec dump
Support dumping offload netlink attribute in macsec's device attributes dump. Change macsec_get_size to consider the offload attribu
macsec: dump IFLA_MACSEC_OFFLOAD attribute as part of macsec dump
Support dumping offload netlink attribute in macsec's device attributes dump. Change macsec_get_size to consider the offload attribute in the calculations of the required room for dumping the device netlink attributes.
Signed-off-by: Emeel Hakim <ehakim@nvidia.com> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
show more ...
|
#
15f17355 |
| 11-Jan-2023 |
Emeel Hakim <ehakim@nvidia.com> |
macsec: add support for IFLA_MACSEC_OFFLOAD in macsec_changelink
Add support for changing Macsec offload selection through the netlink layer by implementing the relevant changes in macsec_changelink
macsec: add support for IFLA_MACSEC_OFFLOAD in macsec_changelink
Add support for changing Macsec offload selection through the netlink layer by implementing the relevant changes in macsec_changelink.
Since the handling in macsec_changelink is similar to macsec_upd_offload, update macsec_upd_offload to use a common helper function to avoid duplication.
Example for setting offload for a macsec device: ip link set macsec0 type macsec offload mac
Signed-off-by: Emeel Hakim <ehakim@nvidia.com> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
show more ...
|
#
f3b4a00f |
| 11-Dec-2022 |
Emeel Hakim <ehakim@nvidia.com> |
net: macsec: fix net device access prior to holding a lock
Currently macsec offload selection update routine accesses the net device prior to holding the relevant lock. Fix by holding the lock prior
net: macsec: fix net device access prior to holding a lock
Currently macsec offload selection update routine accesses the net device prior to holding the relevant lock. Fix by holding the lock prior to the device access.
Fixes: dcb780fb2795 ("net: macsec: add nla support for changing the offloading selection") Reviewed-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Emeel Hakim <ehakim@nvidia.com> Link: https://lore.kernel.org/r/20221211075532.28099-1-ehakim@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
show more ...
|
#
38099024 |
| 07-Dec-2022 |
Emeel Hakim <ehakim@nvidia.com> |
macsec: add missing attribute validation for offload
Add missing attribute validation for IFLA_MACSEC_OFFLOAD to the netlink policy.
Fixes: 791bb3fcafce ("net: macsec: add support for specifying of
macsec: add missing attribute validation for offload
Add missing attribute validation for IFLA_MACSEC_OFFLOAD to the netlink policy.
Fixes: 791bb3fcafce ("net: macsec: add support for specifying offload upon link creation") Signed-off-by: Emeel Hakim <ehakim@nvidia.com> Reviewed-by: Jiri Pirko <jiri@nvidia.com> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Link: https://lore.kernel.org/r/20221207101618.989-1-ehakim@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
show more ...
|
#
7cef6b73 |
| 17-Nov-2022 |
YueHaibing <yuehaibing@huawei.com> |
macsec: Fix invalid error code set
'ret' is defined twice in macsec_changelink(), when it is set in macsec_is_offloaded case, it will be invalid before return.
Fixes: 3cf3227a21d1 ("net: macsec: ha
macsec: Fix invalid error code set
'ret' is defined twice in macsec_changelink(), when it is set in macsec_is_offloaded case, it will be invalid before return.
Fixes: 3cf3227a21d1 ("net: macsec: hardware offloading infrastructure") Signed-off-by: YueHaibing <yuehaibing@huawei.com> Reviewed-by: Saeed Mahameed <saeed@kernel.org> Reviewed-by: Antoine Tenart <atenart@kernel.org> Link: https://lore.kernel.org/r/20221118011249.48112-1-yuehaibing@huawei.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
show more ...
|
#
aaab73f8 |
| 02-Nov-2022 |
Sabrina Dubroca <sd@queasysnail.net> |
macsec: clear encryption keys from the stack after setting up offload
macsec_add_rxsa and macsec_add_txsa copy the key to an on-stack offloading context to pass it to the drivers, but leaves it ther
macsec: clear encryption keys from the stack after setting up offload
macsec_add_rxsa and macsec_add_txsa copy the key to an on-stack offloading context to pass it to the drivers, but leaves it there when it's done. Clear it with memzero_explicit as soon as it's not needed anymore.
Fixes: 3cf3227a21d1 ("net: macsec: hardware offloading infrastructure") Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Reviewed-by: Antoine Tenart <atenart@kernel.org> Reviewed-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: David S. Miller <davem@davemloft.net>
show more ...
|
#
80df4706 |
| 02-Nov-2022 |
Sabrina Dubroca <sd@queasysnail.net> |
macsec: fix detection of RXSCs when toggling offloading
macsec_is_configured incorrectly uses secy->n_rx_sc to check if some RXSCs exist. secy->n_rx_sc only counts the number of active RXSCs, but th
macsec: fix detection of RXSCs when toggling offloading
macsec_is_configured incorrectly uses secy->n_rx_sc to check if some RXSCs exist. secy->n_rx_sc only counts the number of active RXSCs, but there can also be inactive SCs as well, which may be stored in the driver (in case we're disabling offloading), or would have to be pushed to the device (in case we're trying to enable offloading).
As long as RXSCs active on creation and never turned off, the issue is not visible.
Fixes: dcb780fb2795 ("net: macsec: add nla support for changing the offloading selection") Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Reviewed-by: Antoine Tenart <atenart@kernel.org> Reviewed-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: David S. Miller <davem@davemloft.net>
show more ...
|
#
73a4b31c |
| 02-Nov-2022 |
Sabrina Dubroca <sd@queasysnail.net> |
macsec: fix secy->n_rx_sc accounting
secy->n_rx_sc is supposed to be the number of _active_ rxsc's within a secy. This is then used by macsec_send_sci to help decide if we should add the SCI to the
macsec: fix secy->n_rx_sc accounting
secy->n_rx_sc is supposed to be the number of _active_ rxsc's within a secy. This is then used by macsec_send_sci to help decide if we should add the SCI to the header or not.
This logic is currently broken when we create a new RXSC and turn it off at creation, as create_rx_sc always sets ->active to true (and immediately uses that to increment n_rx_sc), and only later macsec_add_rxsc sets rx_sc->active.
Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver") Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Reviewed-by: Antoine Tenart <atenart@kernel.org> Reviewed-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: David S. Miller <davem@davemloft.net>
show more ...
|
#
93a30947 |
| 02-Nov-2022 |
Sabrina Dubroca <sd@queasysnail.net> |
macsec: delete new rxsc when offload fails
Currently we get an inconsistent state: - netlink returns the error to userspace - the RXSC is installed but not offloaded
Then the device could get con
macsec: delete new rxsc when offload fails
Currently we get an inconsistent state: - netlink returns the error to userspace - the RXSC is installed but not offloaded
Then the device could get confused when we try to add an RXSA, because the RXSC isn't supposed to exist.
Fixes: 3cf3227a21d1 ("net: macsec: hardware offloading infrastructure") Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Reviewed-by: Antoine Tenart <atenart@kernel.org> Reviewed-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: David S. Miller <davem@davemloft.net>
show more ...
|
#
8bcd560a |
| 02-Nov-2022 |
Sabrina Dubroca <sd@queasysnail.net> |
Revert "net: macsec: report real_dev features when HW offloading is enabled"
This reverts commit c850240b6c4132574a00f2da439277ab94265b66.
That commit tried to improve the performance of macsec off
Revert "net: macsec: report real_dev features when HW offloading is enabled"
This reverts commit c850240b6c4132574a00f2da439277ab94265b66.
That commit tried to improve the performance of macsec offload by taking advantage of some of the NIC's features, but in doing so, broke macsec offload when the lower device supports both macsec and ipsec offload, as the ipsec offload feature flags (mainly NETIF_F_HW_ESP) were copied from the real device. Since the macsec device doesn't provide xdo_* ops, the XFRM core rejects the registration of the new macsec device in xfrm_api_check.
Example perf trace when running ip link add link eni1np1 type macsec port 4 offload mac
ip 737 [003] 795.477676: probe:xfrm_dev_event__REGISTER name="macsec0" features=0x1c000080014869 xfrm_dev_event+0x3a notifier_call_chain+0x47 register_netdevice+0x846 macsec_newlink+0x25a
ip 737 [003] 795.477687: probe:xfrm_dev_event__return ret=0x8002 (NOTIFY_BAD) notifier_call_chain+0x47 register_netdevice+0x846 macsec_newlink+0x25a
dev->features includes NETIF_F_HW_ESP (0x04000000000000), so xfrm_api_check returns NOTIFY_BAD because we don't have dev->xfrmdev_ops on the macsec device.
We could probably propagate GSO and a few other features from the lower device, similar to macvlan. This will be done in a future patch.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Reviewed-by: Antoine Tenart <atenart@kernel.org> Reviewed-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: David S. Miller <davem@davemloft.net>
show more ...
|
#
068c38ad |
| 26-Oct-2022 |
Thomas Gleixner <tglx@linutronix.de> |
net: Remove the obsolte u64_stats_fetch_*_irq() users (drivers).
Now that the 32bit UP oddity is gone and 32bit uses always a sequence count, there is no need for the fetch_irq() variants anymore.
net: Remove the obsolte u64_stats_fetch_*_irq() users (drivers).
Now that the 32bit UP oddity is gone and 32bit uses always a sequence count, there is no need for the fetch_irq() variants anymore.
Convert to the regular interface.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
show more ...
|
#
c52add61 |
| 23-Sep-2022 |
Sabrina Dubroca <sd@queasysnail.net> |
macsec: don't free NULL metadata_dst
Commit 0a28bfd4971f added a metadata_dst to each tx_sc, but that's only allocated when macsec_add_dev has run, which happens after device registration. If the re
macsec: don't free NULL metadata_dst
Commit 0a28bfd4971f added a metadata_dst to each tx_sc, but that's only allocated when macsec_add_dev has run, which happens after device registration. If the requested or computed SCI already exists, or if linking to the lower device fails, we will panic because metadata_dst_free can't handle NULL.
Reproducer: ip link add link $lower type macsec ip link add link $lower type macsec
Fixes: 0a28bfd4971f ("net/macsec: Add MACsec skb_metadata_dst Tx Data path support") Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Acked-by: Raed Salem <raeds@nvidia.com> Link: https://lore.kernel.org/r/60f2a1965fe553e2cade9472407d0fafff8de8ce.1663923580.git.sd@queasysnail.net Signed-off-by: Jakub Kicinski <kuba@kernel.org>
show more ...
|