Commit 403b383a authored by Leon Romanovsky's avatar Leon Romanovsky Committed by Steffen Klassert

net/mlx5e: Store all XFRM SAs in Xarray

Instead of performing custom hash calculations, rely on FW that returns
unique identifier to every created SA. That identifier is Xarray ready,
which provides better semantic with efficient access.

In addition, store both TX and RX SAs to allow correlation between event
generated by HW when limits are armed and XFRM states.
Signed-off-by: default avatarLeon Romanovsky <leonro@nvidia.com>
Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
parent 7bddb659
...@@ -50,57 +50,6 @@ static struct mlx5e_ipsec_pol_entry *to_ipsec_pol_entry(struct xfrm_policy *x) ...@@ -50,57 +50,6 @@ static struct mlx5e_ipsec_pol_entry *to_ipsec_pol_entry(struct xfrm_policy *x)
return (struct mlx5e_ipsec_pol_entry *)x->xdo.offload_handle; return (struct mlx5e_ipsec_pol_entry *)x->xdo.offload_handle;
} }
struct xfrm_state *mlx5e_ipsec_sadb_rx_lookup(struct mlx5e_ipsec *ipsec,
unsigned int handle)
{
struct mlx5e_ipsec_sa_entry *sa_entry;
struct xfrm_state *ret = NULL;
rcu_read_lock();
hash_for_each_possible_rcu(ipsec->sadb_rx, sa_entry, hlist, handle)
if (sa_entry->handle == handle) {
ret = sa_entry->x;
xfrm_state_hold(ret);
break;
}
rcu_read_unlock();
return ret;
}
static int mlx5e_ipsec_sadb_rx_add(struct mlx5e_ipsec_sa_entry *sa_entry)
{
unsigned int handle = sa_entry->ipsec_obj_id;
struct mlx5e_ipsec *ipsec = sa_entry->ipsec;
struct mlx5e_ipsec_sa_entry *_sa_entry;
unsigned long flags;
rcu_read_lock();
hash_for_each_possible_rcu(ipsec->sadb_rx, _sa_entry, hlist, handle)
if (_sa_entry->handle == handle) {
rcu_read_unlock();
return -EEXIST;
}
rcu_read_unlock();
spin_lock_irqsave(&ipsec->sadb_rx_lock, flags);
sa_entry->handle = handle;
hash_add_rcu(ipsec->sadb_rx, &sa_entry->hlist, sa_entry->handle);
spin_unlock_irqrestore(&ipsec->sadb_rx_lock, flags);
return 0;
}
static void mlx5e_ipsec_sadb_rx_del(struct mlx5e_ipsec_sa_entry *sa_entry)
{
struct mlx5e_ipsec *ipsec = sa_entry->ipsec;
unsigned long flags;
spin_lock_irqsave(&ipsec->sadb_rx_lock, flags);
hash_del_rcu(&sa_entry->hlist);
spin_unlock_irqrestore(&ipsec->sadb_rx_lock, flags);
}
static bool mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry) static bool mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry)
{ {
struct xfrm_replay_state_esn *replay_esn; struct xfrm_replay_state_esn *replay_esn;
...@@ -291,6 +240,7 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x) ...@@ -291,6 +240,7 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x)
{ {
struct mlx5e_ipsec_sa_entry *sa_entry = NULL; struct mlx5e_ipsec_sa_entry *sa_entry = NULL;
struct net_device *netdev = x->xso.real_dev; struct net_device *netdev = x->xso.real_dev;
struct mlx5e_ipsec *ipsec;
struct mlx5e_priv *priv; struct mlx5e_priv *priv;
int err; int err;
...@@ -298,6 +248,7 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x) ...@@ -298,6 +248,7 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x)
if (!priv->ipsec) if (!priv->ipsec)
return -EOPNOTSUPP; return -EOPNOTSUPP;
ipsec = priv->ipsec;
err = mlx5e_xfrm_validate_state(x); err = mlx5e_xfrm_validate_state(x);
if (err) if (err)
return err; return err;
...@@ -309,7 +260,7 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x) ...@@ -309,7 +260,7 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x)
} }
sa_entry->x = x; sa_entry->x = x;
sa_entry->ipsec = priv->ipsec; sa_entry->ipsec = ipsec;
/* check esn */ /* check esn */
mlx5e_ipsec_update_esn_state(sa_entry); mlx5e_ipsec_update_esn_state(sa_entry);
...@@ -324,18 +275,22 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x) ...@@ -324,18 +275,22 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x)
if (err) if (err)
goto err_hw_ctx; goto err_hw_ctx;
if (x->xso.dir == XFRM_DEV_OFFLOAD_IN) { /* We use *_bh() variant because xfrm_timer_handler(), which runs
err = mlx5e_ipsec_sadb_rx_add(sa_entry); * in softirq context, can reach our state delete logic and we need
* xa_erase_bh() there.
*/
err = xa_insert_bh(&ipsec->sadb, sa_entry->ipsec_obj_id, sa_entry,
GFP_KERNEL);
if (err) if (err)
goto err_add_rule; goto err_add_rule;
} else {
if (x->xso.dir == XFRM_DEV_OFFLOAD_OUT)
sa_entry->set_iv_op = (x->props.flags & XFRM_STATE_ESN) ? sa_entry->set_iv_op = (x->props.flags & XFRM_STATE_ESN) ?
mlx5e_ipsec_set_iv_esn : mlx5e_ipsec_set_iv; mlx5e_ipsec_set_iv_esn : mlx5e_ipsec_set_iv;
}
INIT_WORK(&sa_entry->modify_work.work, _update_xfrm_state); INIT_WORK(&sa_entry->modify_work.work, _update_xfrm_state);
x->xso.offload_handle = (unsigned long)sa_entry; x->xso.offload_handle = (unsigned long)sa_entry;
goto out; return 0;
err_add_rule: err_add_rule:
mlx5e_accel_ipsec_fs_del_rule(sa_entry); mlx5e_accel_ipsec_fs_del_rule(sa_entry);
...@@ -350,9 +305,11 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x) ...@@ -350,9 +305,11 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x)
static void mlx5e_xfrm_del_state(struct xfrm_state *x) static void mlx5e_xfrm_del_state(struct xfrm_state *x)
{ {
struct mlx5e_ipsec_sa_entry *sa_entry = to_ipsec_sa_entry(x); struct mlx5e_ipsec_sa_entry *sa_entry = to_ipsec_sa_entry(x);
struct mlx5e_ipsec *ipsec = sa_entry->ipsec;
struct mlx5e_ipsec_sa_entry *old;
if (x->xso.dir == XFRM_DEV_OFFLOAD_IN) old = xa_erase_bh(&ipsec->sadb, sa_entry->ipsec_obj_id);
mlx5e_ipsec_sadb_rx_del(sa_entry); WARN_ON(old != sa_entry);
} }
static void mlx5e_xfrm_free_state(struct xfrm_state *x) static void mlx5e_xfrm_free_state(struct xfrm_state *x)
...@@ -379,8 +336,7 @@ void mlx5e_ipsec_init(struct mlx5e_priv *priv) ...@@ -379,8 +336,7 @@ void mlx5e_ipsec_init(struct mlx5e_priv *priv)
if (!ipsec) if (!ipsec)
return; return;
hash_init(ipsec->sadb_rx); xa_init_flags(&ipsec->sadb, XA_FLAGS_ALLOC);
spin_lock_init(&ipsec->sadb_rx_lock);
ipsec->mdev = priv->mdev; ipsec->mdev = priv->mdev;
ipsec->wq = alloc_ordered_workqueue("mlx5e_ipsec: %s", 0, ipsec->wq = alloc_ordered_workqueue("mlx5e_ipsec: %s", 0,
priv->netdev->name); priv->netdev->name);
......
...@@ -120,8 +120,7 @@ struct mlx5e_ipsec_aso { ...@@ -120,8 +120,7 @@ struct mlx5e_ipsec_aso {
struct mlx5e_ipsec { struct mlx5e_ipsec {
struct mlx5_core_dev *mdev; struct mlx5_core_dev *mdev;
DECLARE_HASHTABLE(sadb_rx, MLX5E_IPSEC_SADB_RX_BITS); struct xarray sadb;
spinlock_t sadb_rx_lock; /* Protects sadb_rx */
struct mlx5e_ipsec_sw_stats sw_stats; struct mlx5e_ipsec_sw_stats sw_stats;
struct mlx5e_ipsec_hw_stats hw_stats; struct mlx5e_ipsec_hw_stats hw_stats;
struct workqueue_struct *wq; struct workqueue_struct *wq;
...@@ -150,9 +149,7 @@ struct mlx5e_ipsec_modify_state_work { ...@@ -150,9 +149,7 @@ struct mlx5e_ipsec_modify_state_work {
}; };
struct mlx5e_ipsec_sa_entry { struct mlx5e_ipsec_sa_entry {
struct hlist_node hlist; /* Item in SADB_RX hashtable */
struct mlx5e_ipsec_esn_state esn_state; struct mlx5e_ipsec_esn_state esn_state;
unsigned int handle; /* Handle in SADB_RX */
struct xfrm_state *x; struct xfrm_state *x;
struct mlx5e_ipsec *ipsec; struct mlx5e_ipsec *ipsec;
struct mlx5_accel_esp_xfrm_attrs attrs; struct mlx5_accel_esp_xfrm_attrs attrs;
...@@ -193,9 +190,6 @@ void mlx5e_ipsec_init(struct mlx5e_priv *priv); ...@@ -193,9 +190,6 @@ void mlx5e_ipsec_init(struct mlx5e_priv *priv);
void mlx5e_ipsec_cleanup(struct mlx5e_priv *priv); void mlx5e_ipsec_cleanup(struct mlx5e_priv *priv);
void mlx5e_ipsec_build_netdev(struct mlx5e_priv *priv); void mlx5e_ipsec_build_netdev(struct mlx5e_priv *priv);
struct xfrm_state *mlx5e_ipsec_sadb_rx_lookup(struct mlx5e_ipsec *dev,
unsigned int handle);
void mlx5e_accel_ipsec_fs_cleanup(struct mlx5e_ipsec *ipsec); void mlx5e_accel_ipsec_fs_cleanup(struct mlx5e_ipsec *ipsec);
int mlx5e_accel_ipsec_fs_init(struct mlx5e_ipsec *ipsec); int mlx5e_accel_ipsec_fs_init(struct mlx5e_ipsec *ipsec);
int mlx5e_accel_ipsec_fs_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry); int mlx5e_accel_ipsec_fs_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry);
......
...@@ -314,8 +314,8 @@ void mlx5e_ipsec_offload_handle_rx_skb(struct net_device *netdev, ...@@ -314,8 +314,8 @@ void mlx5e_ipsec_offload_handle_rx_skb(struct net_device *netdev,
u32 ipsec_meta_data = be32_to_cpu(cqe->ft_metadata); u32 ipsec_meta_data = be32_to_cpu(cqe->ft_metadata);
struct mlx5e_priv *priv = netdev_priv(netdev); struct mlx5e_priv *priv = netdev_priv(netdev);
struct mlx5e_ipsec *ipsec = priv->ipsec; struct mlx5e_ipsec *ipsec = priv->ipsec;
struct mlx5e_ipsec_sa_entry *sa_entry;
struct xfrm_offload *xo; struct xfrm_offload *xo;
struct xfrm_state *xs;
struct sec_path *sp; struct sec_path *sp;
u32 sa_handle; u32 sa_handle;
...@@ -326,13 +326,17 @@ void mlx5e_ipsec_offload_handle_rx_skb(struct net_device *netdev, ...@@ -326,13 +326,17 @@ void mlx5e_ipsec_offload_handle_rx_skb(struct net_device *netdev,
return; return;
} }
xs = mlx5e_ipsec_sadb_rx_lookup(ipsec, sa_handle); rcu_read_lock();
if (unlikely(!xs)) { sa_entry = xa_load(&ipsec->sadb, sa_handle);
if (unlikely(!sa_entry)) {
rcu_read_unlock();
atomic64_inc(&ipsec->sw_stats.ipsec_rx_drop_sadb_miss); atomic64_inc(&ipsec->sw_stats.ipsec_rx_drop_sadb_miss);
return; return;
} }
xfrm_state_hold(sa_entry->x);
rcu_read_unlock();
sp->xvec[sp->len++] = xs; sp->xvec[sp->len++] = sa_entry->x;
sp->olen++; sp->olen++;
xo = xfrm_offload(skb); xo = xfrm_offload(skb);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment