From patchwork Tue Mar 4 13:11:18 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hangbin Liu X-Patchwork-Id: 14000725 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-pl1-f171.google.com (mail-pl1-f171.google.com [209.85.214.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EA8FB1FECDB; Tue, 4 Mar 2025 13:11:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.171 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741093900; cv=none; b=mFgTkheI9liKDyRdw9hS8Kxpd+id3ZASZWr51cxVBIfyeDjJdUGXSAbuwcd0CmFmYRCdaDInlLpD+Ra/Hc/Hs+1Zr0Aw0PChQ8fgQNDOytEwQOUQUDGEzmBV/oxTiPK1kCx1f9O3GyID1+EVSySFlXop2Bc0A2V/2NcgnnArjDg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741093900; c=relaxed/simple; bh=GwIopHlmLYklH7ZrM5n768kXiFLH4/g2LCd7tY6U6OM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=OsVZHGmvcFbDG0197JlKM1syC3jBn4yC/oAghy/YvN2Mj0K0LTbHHmknzQ8yE6BDlmJYUCGjJC5M418Hp0L2BBYU/2hTJoX/Z5lhDRfgXVEDfEDITK+faOAehHbFtYZ+XPssDbpNH73zDlqfauzaA47udmilGjqZxyUyKUaAZh8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=UWwnKI/B; arc=none smtp.client-ip=209.85.214.171 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="UWwnKI/B" Received: by mail-pl1-f171.google.com with SMTP id d9443c01a7336-223a3c035c9so34685735ad.1; Tue, 04 Mar 2025 05:11:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1741093898; x=1741698698; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Q2MGJ8JMhppZQszfAJNK6dxuubug61GKu1wl2xvExPQ=; b=UWwnKI/B+b3WhWQIFq4YQYiYaeKV3N/DhL8jkf7Emzkj+MgCppslpeCAAwTk8IszUE NDd0QOTaJGrSY4VKzZNnrfYlxaOLn71g7OZ2uudZ5Rfcw0OsO4D/YbXe/ytminZKcwR1 pLxu5LaOZNgPWpXo8j5eEcrlowqzkWID+6PvUvBgIwJOXDuJGhsbhZiQq9oWz9GR3ZvM kuNPLBbeYnWJCLnVElsDZpilofHDfg8uUC85oGW+LFfN2+lrbq9Eg8Pdfd+R5E+Ni/36 Fx/t7bK7oT3hG/EkpQNHTBO7i7sz3uhExcz1hpzRx9FMy14woz+/CIYbmr6zNCNH8Ql5 fDrg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1741093898; x=1741698698; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Q2MGJ8JMhppZQszfAJNK6dxuubug61GKu1wl2xvExPQ=; b=H9168krt8U808TvtopWorpTaYK7t+13Mpy+1c/IHHsbCsnO9oeNrUpGMNmyvScdBeV eG++NlzhQvOobZlNd/cNRlEgaZoD5a5Bkhs+yVFUkdkm/meayI5GlCiqg44hPhMx6YSN fRIQjiRRItNlTXzlkGbfecinJl/8+uJkT3S2q217y5ce662p2hPChilaavqx81FOrAI+ rSk1aWNcPPR/fl3kxx7ips2vf9ci95m0bBb8c6lLxTaxqZ6RT/+a/zQucigMQsV1/7ZI eeGzqrNVKzqKkNbMyVskkdK6NotbjM8dAzOfp+ob8AZOKLl5hH72FnoktkeqWqQItkAR 20Yg== X-Forwarded-Encrypted: i=1; AJvYcCVdaNjKV5yJMBl9Yrx1zVpQTHC9tECYie9lWV+G08oeyI+IxPZ91rLqE12voa/TMWEqm/CXIIHbmGlAlWw=@vger.kernel.org, AJvYcCVkQ7G5YL95BdJKx3M2EwGAP8UmAOuyP1BgJ27DG0j0c+dV0fulTzaeEFS304U6IFRKMwm147CJLKpVm3GsE0BH@vger.kernel.org X-Gm-Message-State: AOJu0YzoYM21vDR8IuqK6tyveLdyjW5+fP3Qdz10Ic5kPXtoLPA8Lu9/ tQsoBTqCOK8lXAA9ITpI5P6dQD34F7zWYgO1zq81I563t5MMO/Yvx0FcAjA9b9sEdw== X-Gm-Gg: ASbGncsvbGPzsDBRtiIU4gWSRrrkz5k/HIv07kToNG1fACnV7/7g03HS8PknLJCnxkd XP5loRsElrxB8uHq+OOHR8pIohLY6oGXUCqZSDwE7sQ8lt9PDQGGf9oXukqxo+WZVZvcKDsjv42 XNJ7x+EAK6YB2rdf3tx/NGnJ43mKGSzOQdZfLuJQvKMNNWZpgLac7hCslYpHsfIiEeDcbS0sVMU iLCz8NYIO2jrpVNxJYUtE1jjHEM0upuMr4nrI2BEtWCA21ChJtXJueFip4SI4lTPhEzkoZAuR+y hQCF21wVBeOsTksEW6E42FCcGoJXocD9UhAuJo7o3cBbyyiv2OltVLz2OFCHFNXT X-Google-Smtp-Source: AGHT+IG52ZlRFTI5KXHWV6Lj5w9KGHPuiprlHAFZt8l6xOEbJv9lPvHAhkWe5c1sqhSE/kDxckP/7Q== X-Received: by 2002:a17:902:eccf:b0:21f:892c:ea61 with SMTP id d9443c01a7336-223d978ef08mr57402485ad.19.1741093897844; Tue, 04 Mar 2025 05:11:37 -0800 (PST) Received: from fedora.dns.podman ([43.228.180.230]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7349fe2a668sm10824199b3a.30.2025.03.04.05.11.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 04 Mar 2025 05:11:37 -0800 (PST) From: Hangbin Liu To: netdev@vger.kernel.org Cc: Jay Vosburgh , Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Nikolay Aleksandrov , Simon Horman , Shuah Khan , Tariq Toukan , Jianbo Liu , Jarod Wilson , Steffen Klassert , Cosmin Ratiu , Petr Machata , linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, Hangbin Liu Subject: [PATCHv4 net 1/3] bonding: move IPsec deletion to bond_ipsec_free_sa Date: Tue, 4 Mar 2025 13:11:18 +0000 Message-ID: <20250304131120.31135-2-liuhangbin@gmail.com> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20250304131120.31135-1-liuhangbin@gmail.com> References: <20250304131120.31135-1-liuhangbin@gmail.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org The fixed commit placed mutex_lock() inside spin_lock_bh(), which triggers a warning: BUG: sleeping function called from invalid context at... Fix this by moving the IPsec deletion operation to bond_ipsec_free_sa, which is not held by spin_lock_bh(). Additionally, delete the IPsec list in bond_ipsec_del_sa_all() when the XFRM state is DEAD to prevent xdo_dev_state_free() from being triggered again in bond_ipsec_free_sa(). For bond_ipsec_free_sa(), there are now three conditions: 1. if (!slave): When no active device exists. 2. if (!xs->xso.real_dev): When xdo_dev_state_add() fails. 3. if (xs->xso.real_dev != real_dev): When an xs has already been freed by bond_ipsec_del_sa_all() due to migration, and the active slave has changed to a new device. At the same time, the xs is marked as DEAD due to the XFRM entry is removed, triggering xfrm_state_gc_task() and bond_ipsec_free_sa(). In all three cases, xdo_dev_state_free() should not be called, only xs should be removed from bond->ipsec list. At the same time, protect bond_ipsec_del_sa_all and bond_ipsec_add_sa_all with x->lock for each xs being processed. This prevents XFRM from concurrently initiating add/delete operations on the managed states. Fixes: 2aeeef906d5a ("bonding: change ipsec_lock from spin lock to mutex") Reported-by: Jakub Kicinski Closes: https://lore.kernel.org/netdev/20241212062734.182a0164@kernel.org Suggested-by: Cosmin Ratiu Signed-off-by: Hangbin Liu --- drivers/net/bonding/bond_main.c | 53 +++++++++++++++++++++++---------- 1 file changed, 37 insertions(+), 16 deletions(-) diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index e45bba240cbc..06b060d9b031 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -537,15 +537,22 @@ static void bond_ipsec_add_sa_all(struct bonding *bond) } list_for_each_entry(ipsec, &bond->ipsec_list, list) { + spin_lock_bh(&ipsec->xs->lock); + /* Skip dead xfrm states, they'll be freed later. */ + if (ipsec->xs->km.state == XFRM_STATE_DEAD) + goto next; + /* If new state is added before ipsec_lock acquired */ if (ipsec->xs->xso.real_dev == real_dev) - continue; + goto next; ipsec->xs->xso.real_dev = real_dev; if (real_dev->xfrmdev_ops->xdo_dev_state_add(ipsec->xs, NULL)) { slave_warn(bond_dev, real_dev, "%s: failed to add SA\n", __func__); ipsec->xs->xso.real_dev = NULL; } +next: + spin_unlock_bh(&ipsec->xs->lock); } out: mutex_unlock(&bond->ipsec_lock); @@ -560,7 +567,6 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs) struct net_device *bond_dev = xs->xso.dev; struct net_device *real_dev; netdevice_tracker tracker; - struct bond_ipsec *ipsec; struct bonding *bond; struct slave *slave; @@ -592,15 +598,6 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs) real_dev->xfrmdev_ops->xdo_dev_state_delete(xs); out: netdev_put(real_dev, &tracker); - mutex_lock(&bond->ipsec_lock); - list_for_each_entry(ipsec, &bond->ipsec_list, list) { - if (ipsec->xs == xs) { - list_del(&ipsec->list); - kfree(ipsec); - break; - } - } - mutex_unlock(&bond->ipsec_lock); } static void bond_ipsec_del_sa_all(struct bonding *bond) @@ -617,8 +614,18 @@ static void bond_ipsec_del_sa_all(struct bonding *bond) mutex_lock(&bond->ipsec_lock); list_for_each_entry(ipsec, &bond->ipsec_list, list) { + spin_lock_bh(&ipsec->xs->lock); if (!ipsec->xs->xso.real_dev) - continue; + goto next; + + if (ipsec->xs->km.state == XFRM_STATE_DEAD) { + /* already dead no need to delete again */ + if (real_dev->xfrmdev_ops->xdo_dev_state_free) + real_dev->xfrmdev_ops->xdo_dev_state_free(ipsec->xs); + list_del(&ipsec->list); + kfree(ipsec); + goto next; + } if (!real_dev->xfrmdev_ops || !real_dev->xfrmdev_ops->xdo_dev_state_delete || @@ -631,6 +638,8 @@ static void bond_ipsec_del_sa_all(struct bonding *bond) if (real_dev->xfrmdev_ops->xdo_dev_state_free) real_dev->xfrmdev_ops->xdo_dev_state_free(ipsec->xs); } +next: + spin_unlock_bh(&ipsec->xs->lock); } mutex_unlock(&bond->ipsec_lock); } @@ -640,6 +649,7 @@ static void bond_ipsec_free_sa(struct xfrm_state *xs) struct net_device *bond_dev = xs->xso.dev; struct net_device *real_dev; netdevice_tracker tracker; + struct bond_ipsec *ipsec; struct bonding *bond; struct slave *slave; @@ -659,11 +669,22 @@ static void bond_ipsec_free_sa(struct xfrm_state *xs) if (!xs->xso.real_dev) goto out; - WARN_ON(xs->xso.real_dev != real_dev); + mutex_lock(&bond->ipsec_lock); + list_for_each_entry(ipsec, &bond->ipsec_list, list) { + if (ipsec->xs == xs) { + /* do xdo_dev_state_free if real_dev matches, + * otherwise only remove the list + */ + if (real_dev && real_dev->xfrmdev_ops && + real_dev->xfrmdev_ops->xdo_dev_state_free) + real_dev->xfrmdev_ops->xdo_dev_state_free(xs); + list_del(&ipsec->list); + kfree(ipsec); + break; + } + } + mutex_unlock(&bond->ipsec_lock); - if (real_dev && real_dev->xfrmdev_ops && - real_dev->xfrmdev_ops->xdo_dev_state_free) - real_dev->xfrmdev_ops->xdo_dev_state_free(xs); out: netdev_put(real_dev, &tracker); } From patchwork Tue Mar 4 13:11:19 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hangbin Liu X-Patchwork-Id: 14000726 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8F5051FECDB; Tue, 4 Mar 2025 13:11:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741093906; cv=none; b=n+NK1UQp+4TRkGVLyZfemnq1ts5ItwI4Aog5+y2ZK0AMNWy60qAJIvb6S+gj8xz1lOeSnwaxLHa8HVBtblziTBJ4gJFmA9K3LuMgCqSEasx8Mm4D0WuhSPQt9olg/sPtXN/Oo3IhcmbKLb9jluM1DvdasEtjjReBglZWSX+lGSg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741093906; c=relaxed/simple; bh=rnFMPWLGPgZPYYBXGEOWcNlR7wJoCsop/Kh/oaTC5Ns=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=SFjY+c/0eWmwiwGTjuXCVdHCzKNxKt88Ki14B/gxXRf8DbRUx4Gb+PYCzNaRn9y2mbjsAjv5CdbF+2fSeAlf8oWjs+o/vXjcBDsYmZap+GF27gg+MOkflYHl9r0P27lwNMdVHQU/BeEvE09q2dsS3sS6s7oyM94kI+e8T6a2lJ8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=CCBZt+sF; arc=none smtp.client-ip=209.85.214.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="CCBZt+sF" Received: by mail-pl1-f172.google.com with SMTP id d9443c01a7336-22382657540so56809265ad.2; Tue, 04 Mar 2025 05:11:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1741093904; x=1741698704; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=w2S2J9YC0kujf8OoTQU0Yx2LORzPMId7j+x/W3z5Nxc=; b=CCBZt+sFvwq2MROZZjn8A3ij58oVb1E8hmGcL/rwzzTs8SYVwDuxpkSsBjkZoIM175 whn7OaG5paMCCw5+lQOA3VKD4mkxzMZLrdj1W0KgpyDXIG8KUHuQGo10kWWhKDf9muRC 10rRBACTVhH1JLGyEfIo2D0m6qt+lhZR85YGl6X75Cq+hzZBPy26cQJEIKNOQn5te45b WQb8MrXkztVyI7ljdybUpQi6C6HJG3VJ8/RlYR+UMM/177l05kbx3I3rx6dowgHOgsmx L0KiaF0TTqidmIHDU7OLzgGqir2p1EJuj/P13ORbq7ZMyrhYtPEH1ZpImM+n3925rL93 gMJg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1741093904; x=1741698704; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=w2S2J9YC0kujf8OoTQU0Yx2LORzPMId7j+x/W3z5Nxc=; b=VUgVuYayngMQp3EI+5YsDjgjPXMRtVCQf9KzZmkctLQv+OrRwpcRmrXLeDwguhfhlB LcIjziuIUpBI4EQN5LCQeX7H6feXW4oEzl+8v0K1zUHnJrBIAIpJQRI81sCqVBciPIrt aNY6lnYsXdYK6yjPdBD8ObUtQ3pttGlrg3Ol/TPscY/tMQTdLl7AgLS+MiN2F+Vrankd jt3cNK1yieV8CfhAi8+hCuJkoR7bx1Q96mzq8ehqgcEH/ZuT8IrD+D1BsAvpDQluof+G BVk9Wd/eKMl2D+rT3BXKiEI4sDQwVx9lBFVC5DC5kt1PPzxjk1F7Oz5+kyPxk2Bk0wDy lLew== X-Forwarded-Encrypted: i=1; AJvYcCULbZdI63+TisMUO2DBIuhZZ4zIKcgP1CO1V/BAbFuClC8sRjMe/HUMZlWsuEBrH7CkcodSURse2woGT1k=@vger.kernel.org, AJvYcCWb4L7gVih7TxJZEh014FbFeBIudx47SaJE/a21KbpY4Ob94gTtVYxHk8hcGUo53NCGul/Ue1KYMZD6mPI3iWPC@vger.kernel.org X-Gm-Message-State: AOJu0YzLQB4zIPAKKYCev/jZb4g+biVESrawcwvsftxMqzcknj4wWzkT zfwf2aU+ijNZX5aIHHMLK8gQ2Ejh3QJFScyEpQB9FQkpdLt1a+AcquJReqjrAr/I4g== X-Gm-Gg: ASbGncvBiLq7lkN3nWk39phLirlfb5zyAQP1z7oQZtuk4+z/n71qGoHzT0/4TVgixwq GuvIuuSZEV57+eT8UEf1GC3GWxemNvLnYl368GYOJWXc68mkVz2Rp/QRYqpjRAL8lKDJOhia8KL fMjFDRYTUvvvgEKRUJMH4hDBOEE7zCQkYFbCbIPTG1EHkeMmySdR3cmVJxTUpQGfgLCEPl1M1CJ tpiiLJd13YoMAJQGOJ5q1Chw/4CIoWBijGTcw0ZbD13RSB6zaAzF302LIM5jGrLKijXfZHw4C/n n7569VpF0Nmbkiad1Xc4KzV4n1TYNskgyOxULmd93I4FVBi+Iqaog89oJWkYps/B X-Google-Smtp-Source: AGHT+IGYEuFl4VpW+rbLtTdgwznV034ZWw4oQI3xyYSP4kR6T7XRN/fYQ6ATJgqByuUB4llIgzYROg== X-Received: by 2002:a05:6a00:2191:b0:736:5504:e8b4 with SMTP id d2e1a72fcca58-7365504e9fdmr12491254b3a.19.1741093903604; Tue, 04 Mar 2025 05:11:43 -0800 (PST) Received: from fedora.dns.podman ([43.228.180.230]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7349fe2a668sm10824199b3a.30.2025.03.04.05.11.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 04 Mar 2025 05:11:43 -0800 (PST) From: Hangbin Liu To: netdev@vger.kernel.org Cc: Jay Vosburgh , Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Nikolay Aleksandrov , Simon Horman , Shuah Khan , Tariq Toukan , Jianbo Liu , Jarod Wilson , Steffen Klassert , Cosmin Ratiu , Petr Machata , linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, Hangbin Liu Subject: [PATCHv4 net 2/3] bonding: fix xfrm offload feature setup on active-backup mode Date: Tue, 4 Mar 2025 13:11:19 +0000 Message-ID: <20250304131120.31135-3-liuhangbin@gmail.com> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20250304131120.31135-1-liuhangbin@gmail.com> References: <20250304131120.31135-1-liuhangbin@gmail.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org The active-backup bonding mode supports XFRM ESP offload. However, when a bond is added using command like `ip link add bond0 type bond mode 1 miimon 100`, the `ethtool -k` command shows that the XFRM ESP offload is disabled. This occurs because, in bond_newlink(), we change bond link first and register bond device later. So the XFRM feature update in bond_option_mode_set() is not called as the bond device is not yet registered, leading to the offload feature not being set successfully. To resolve this issue, we can modify the code order in bond_newlink() to ensure that the bond device is registered first before changing the bond link parameters. This change will allow the XFRM ESP offload feature to be correctly enabled. Fixes: 007ab5345545 ("bonding: fix feature flag setting at init time") Signed-off-by: Hangbin Liu --- drivers/net/bonding/bond_main.c | 2 +- drivers/net/bonding/bond_netlink.c | 16 +++++++++------- include/net/bonding.h | 1 + 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index 06b060d9b031..1fd2c0a5b13d 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -4410,7 +4410,7 @@ void bond_work_init_all(struct bonding *bond) INIT_DELAYED_WORK(&bond->slave_arr_work, bond_slave_arr_handler); } -static void bond_work_cancel_all(struct bonding *bond) +void bond_work_cancel_all(struct bonding *bond) { cancel_delayed_work_sync(&bond->mii_work); cancel_delayed_work_sync(&bond->arp_work); diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c index 2a6a424806aa..ed16af6db557 100644 --- a/drivers/net/bonding/bond_netlink.c +++ b/drivers/net/bonding/bond_netlink.c @@ -568,18 +568,20 @@ static int bond_newlink(struct net *src_net, struct net_device *bond_dev, struct nlattr *tb[], struct nlattr *data[], struct netlink_ext_ack *extack) { + struct bonding *bond = netdev_priv(bond_dev); int err; - err = bond_changelink(bond_dev, tb, data, extack); - if (err < 0) + err = register_netdevice(bond_dev); + if (err) return err; - err = register_netdevice(bond_dev); - if (!err) { - struct bonding *bond = netdev_priv(bond_dev); + netif_carrier_off(bond_dev); + bond_work_init_all(bond); - netif_carrier_off(bond_dev); - bond_work_init_all(bond); + err = bond_changelink(bond_dev, tb, data, extack); + if (err) { + bond_work_cancel_all(bond); + unregister_netdevice(bond_dev); } return err; diff --git a/include/net/bonding.h b/include/net/bonding.h index 8bb5f016969f..e5e005cd2e17 100644 --- a/include/net/bonding.h +++ b/include/net/bonding.h @@ -707,6 +707,7 @@ struct bond_vlan_tag *bond_verify_device_path(struct net_device *start_dev, int bond_update_slave_arr(struct bonding *bond, struct slave *skipslave); void bond_slave_arr_work_rearm(struct bonding *bond, unsigned long delay); void bond_work_init_all(struct bonding *bond); +void bond_work_cancel_all(struct bonding *bond); #ifdef CONFIG_PROC_FS void bond_create_proc_entry(struct bonding *bond); From patchwork Tue Mar 4 13:11:20 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hangbin Liu X-Patchwork-Id: 14000727 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-pl1-f177.google.com (mail-pl1-f177.google.com [209.85.214.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 57F63204C1E; Tue, 4 Mar 2025 13:11:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.177 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741093912; cv=none; b=cf7PBcFWKsDD5Xvfzr7yIa/WE/1g7AyX2wFSEIhMW+EODUT5ACvfw7z0vG/eeFdlx0jtT/NkxG8OiToLeYrgPR+j+etg2Ed3t4RFSyM3009uyIuKpx7MMZWcPgIVo5CyJnDpOgvywWDSnB1VZEj2mA1MeRITtBCWzBm+/h9XbIM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741093912; c=relaxed/simple; bh=CVNUGFCMu8pB9FIblXe0H3eHuWlR9XEnZTlypbRs3rU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=nObE9Urku7aG+tl9wo5f2/HaLOgs/rHcyDODRAfSwGFR+JBArl/CPWALwKWndWi8VWMFXn1WQvRnH6KTG3juXt4qruGdD5X43amV6djc+1d5TmNSNb4ry4cMQRLH1obRzB6EwzEu0r8YYHLxel5GECiO7sFv17CLm2l4BSl2CPQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Umx4xlsM; arc=none smtp.client-ip=209.85.214.177 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Umx4xlsM" Received: by mail-pl1-f177.google.com with SMTP id d9443c01a7336-22349dc31bcso96959365ad.3; Tue, 04 Mar 2025 05:11:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1741093909; x=1741698709; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=e/wzkrlUs9VbfhOoJaGuLKCbDq4g35qaZwr6L+mmw+E=; b=Umx4xlsMmGrnaNJuRrin5vi8ZAt2w883ENa/opm5Ef1E2b5FCGMRuI80/nNjvxxje+ AnLrqhGu/leSnSjl8jSbImGreK5/nIfZsTXlB+CU6XhtIUKJaRQOZYQv4hys7dlfyINa vu5MTzKTRwJ59XwvjdbVwrIAqITsAs0HMGHqDFz3y583jbr5M6xNDv1TtDkscpGF7Xb2 bQvCYvBGRjTzdR6/FKxwuY+rIoADtGliOmsJQMMchtwBqkc1XLBZJe91g8jnSdqd5YqG 5A9WP0uKdMgrhEV4NMQ1FN/Kmme/p/ir1qAIihXoVwdm+wu5kCXLDvjE8eT1Q0WdQBQ6 Pulw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1741093909; x=1741698709; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=e/wzkrlUs9VbfhOoJaGuLKCbDq4g35qaZwr6L+mmw+E=; b=C5jfnGFO81nvtt4ct78pMATQkDcRmhdhmVVtKVSUg16gg6KXP1I036FY3zZwM7L/uK Uq+vD7WtEDdWJ5P9z1K5b5ovLtXguDtp37VsN4LSTZYFzdHen6eXT+v9Pg2e/6ymvBSJ 1YYzxW0MJn356N5iHzisje+Bn9czUpzGSaHu3Q6xkofT3Td14pzkJK0Yffx0CyjQU7ih glYE+PPTMd9WpsqyoDnfh/QPk54PAou4AcPvzmY+VZ2PGjdnkDV52CT2vN5QKO13GpCM Q2CoDmQIS+x823Biq99MhSrMfmH+Lh3OQsJMkKbN3c4UM+0wuXUCzBPKxoJm+gajv3ge MHvA== X-Forwarded-Encrypted: i=1; AJvYcCWe1ID/rFDeg3PWH70IGGr/pDtcUgFr3bljjeATIR6qXJMewftK3TCKcJ7f1mm2Njc3re/BcaNYLmwFxrB2Huvl@vger.kernel.org, AJvYcCXT5dudQoiYWJquUMjbhL7dFlsn1mghXZu80eRliAU/aqdqyQttuXt+W0v/ca0VEeuQBDQvZnqF1udJDTc=@vger.kernel.org X-Gm-Message-State: AOJu0YzhdQ9BmOTDh5gTiHNuI1F8EsSMbf8g3tmwTTM7K/0ZyQiiFyBB S9uvl3xuNeA6h8fnlVXUV1fNAoeH1OJICAf4LTzzKgPgt96pvpazOhwmgVqun2Qo6Q== X-Gm-Gg: ASbGncsK+DpUXnnwofic7SG/1KTaumH9MKObL6vcLs1BNnlJjoQv/u2jRAHDF+uhahw y7BDw8y7fzx1X01Q+cnDyYUbwJv5AnF9UcZsZgBegHTxEHEwxf+Vam+Fb5NFy3cbM6IG2vD6lEA ebirlpxs08QUlzCN+uhCdpQpI2ERX0Bf3F3DeZyT05KAMC94OclQWVGtQqpljXrQnzRvA1mhuxC WLlQaTGPGr1Ak/ldcAXkNsPfsnl4MfNNYa9QJDsGSG/tJtU6KDGd0rHmED5RMS3RCIqRk7DcIaw Eb4rNXkOovBu8eVUfBk9ELGvUBSIOSsvocRxC1H2ESRDwDRnuvMYpm4MmWRI7P1z X-Google-Smtp-Source: AGHT+IHe8Mh/cx2X8WKXOhydai9XajBG4/GGVd21BbCnkpbCoVM9apiwu2b/ffJQSIAjHk4+KoolSQ== X-Received: by 2002:aa7:88c7:0:b0:736:5486:781d with SMTP id d2e1a72fcca58-73654867c2fmr11847921b3a.19.1741093909312; Tue, 04 Mar 2025 05:11:49 -0800 (PST) Received: from fedora.dns.podman ([43.228.180.230]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7349fe2a668sm10824199b3a.30.2025.03.04.05.11.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 04 Mar 2025 05:11:48 -0800 (PST) From: Hangbin Liu To: netdev@vger.kernel.org Cc: Jay Vosburgh , Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Nikolay Aleksandrov , Simon Horman , Shuah Khan , Tariq Toukan , Jianbo Liu , Jarod Wilson , Steffen Klassert , Cosmin Ratiu , Petr Machata , linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, Hangbin Liu Subject: [PATCHv4 net 3/3] selftests: bonding: add ipsec offload test Date: Tue, 4 Mar 2025 13:11:20 +0000 Message-ID: <20250304131120.31135-4-liuhangbin@gmail.com> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20250304131120.31135-1-liuhangbin@gmail.com> References: <20250304131120.31135-1-liuhangbin@gmail.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org This introduces a test for IPSec offload over bonding, utilizing netdevsim for the testing process, as veth interfaces do not support IPSec offload. The test will ensure that the IPSec offload functionality remains operational even after a failover event occurs in the bonding configuration. Here is the test result: TEST: bond_ipsec_offload (active_slave eth0) [ OK ] TEST: bond_ipsec_offload (active_slave eth1) [ OK ] Signed-off-by: Hangbin Liu --- .../selftests/drivers/net/bonding/Makefile | 3 +- .../drivers/net/bonding/bond_ipsec_offload.sh | 154 ++++++++++++++++++ .../selftests/drivers/net/bonding/config | 4 + 3 files changed, 160 insertions(+), 1 deletion(-) create mode 100755 tools/testing/selftests/drivers/net/bonding/bond_ipsec_offload.sh diff --git a/tools/testing/selftests/drivers/net/bonding/Makefile b/tools/testing/selftests/drivers/net/bonding/Makefile index 2b10854e4b1e..d5a7de16d33a 100644 --- a/tools/testing/selftests/drivers/net/bonding/Makefile +++ b/tools/testing/selftests/drivers/net/bonding/Makefile @@ -10,7 +10,8 @@ TEST_PROGS := \ mode-2-recovery-updelay.sh \ bond_options.sh \ bond-eth-type-change.sh \ - bond_macvlan_ipvlan.sh + bond_macvlan_ipvlan.sh \ + bond_ipsec_offload.sh TEST_FILES := \ lag_lib.sh \ diff --git a/tools/testing/selftests/drivers/net/bonding/bond_ipsec_offload.sh b/tools/testing/selftests/drivers/net/bonding/bond_ipsec_offload.sh new file mode 100755 index 000000000000..4b19949a4c33 --- /dev/null +++ b/tools/testing/selftests/drivers/net/bonding/bond_ipsec_offload.sh @@ -0,0 +1,154 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-2.0 + +# IPsec over bonding offload test: +# +# +----------------+ +# | bond0 | +# | | | +# | eth0 eth1 | +# +---+-------+----+ +# +# We use netdevsim instead of physical interfaces +#------------------------------------------------------------------- +# Example commands +# ip x s add proto esp src 192.0.2.1 dst 192.0.2.2 \ +# spi 0x07 mode transport reqid 0x07 replay-window 32 \ +# aead 'rfc4106(gcm(aes))' 1234567890123456dcba 128 \ +# sel src 192.0.2.1/24 dst 192.0.2.2/24 +# offload dev bond0 dir out +# ip x p add dir out src 192.0.2.1/24 dst 192.0.2.2/24 \ +# tmpl proto esp src 192.0.2.1 dst 192.0.2.2 \ +# spi 0x07 mode transport reqid 0x07 +# +#------------------------------------------------------------------- + +lib_dir=$(dirname "$0") +source "$lib_dir"/../../../net/lib.sh +algo="aead rfc4106(gcm(aes)) 0x3132333435363738393031323334353664636261 128" +srcip=192.0.2.1 +dstip=192.0.2.2 +ipsec0=/sys/kernel/debug/netdevsim/netdevsim0/ports/0/ipsec +ipsec1=/sys/kernel/debug/netdevsim/netdevsim0/ports/1/ipsec +active_slave="" + +active_slave_changed() +{ + local old_active_slave=$1 + local new_active_slave=$(ip -n ${ns} -d -j link show bond0 | \ + jq -r ".[].linkinfo.info_data.active_slave") + [ "$new_active_slave" != "$old_active_slave" -a "$new_active_slave" != "null" ] +} + +test_offload() +{ + # use ping to exercise the Tx path + ip netns exec $ns ping -I bond0 -c 3 -W 1 -i 0 $dstip >/dev/null + + active_slave=$(ip -n ${ns} -d -j link show bond0 | \ + jq -r ".[].linkinfo.info_data.active_slave") + + if [ $active_slave = $nic0 ]; then + sysfs=$ipsec0 + elif [ $active_slave = $nic1 ]; then + sysfs=$ipsec1 + else + check_err 1 "bond_ipsec_offload invalid active_slave $active_slave" + fi + + # The tx/rx order in sysfs may changed after failover + grep -q "SA count=2 tx=3" $sysfs && grep -q "tx ipaddr=$dstip" $sysfs + check_err $? "incorrect tx count with link ${active_slave}" + + log_test bond_ipsec_offload "active_slave ${active_slave}" +} + +setup_env() +{ + if ! mount | grep -q debugfs; then + mount -t debugfs none /sys/kernel/debug/ &> /dev/null + defer umount /sys/kernel/debug/ + + fi + + # setup netdevsim since dummy/veth dev doesn't have offload support + if [ ! -w /sys/bus/netdevsim/new_device ] ; then + modprobe -q netdevsim + if [ $? -ne 0 ]; then + echo "SKIP: can't load netdevsim for ipsec offload" + exit $ksft_skip + fi + defer modprobe -r netdevsim + fi + + setup_ns ns + defer cleanup_ns $ns +} + +setup_bond() +{ + ip -n $ns link add bond0 type bond mode active-backup miimon 100 + ip -n $ns addr add $srcip/24 dev bond0 + ip -n $ns link set bond0 up + + ifaces=$(ip netns exec $ns bash -c ' + sysfsnet=/sys/bus/netdevsim/devices/netdevsim0/net/ + echo "0 2" > /sys/bus/netdevsim/new_device + while [ ! -d $sysfsnet ] ; do :; done + udevadm settle + ls $sysfsnet + ') + nic0=$(echo $ifaces | cut -f1 -d ' ') + nic1=$(echo $ifaces | cut -f2 -d ' ') + ip -n $ns link set $nic0 master bond0 + ip -n $ns link set $nic1 master bond0 + + # we didn't create a peer, make sure we can Tx by adding a permanent + # neighbour this need to be added after enslave + ip -n $ns neigh add $dstip dev bond0 lladdr 00:11:22:33:44:55 + + # create offloaded SAs, both in and out + ip -n $ns x p add dir out src $srcip/24 dst $dstip/24 \ + tmpl proto esp src $srcip dst $dstip spi 9 \ + mode transport reqid 42 + + ip -n $ns x p add dir in src $dstip/24 dst $srcip/24 \ + tmpl proto esp src $dstip dst $srcip spi 9 \ + mode transport reqid 42 + + ip -n $ns x s add proto esp src $srcip dst $dstip spi 9 \ + mode transport reqid 42 $algo sel src $srcip/24 dst $dstip/24 \ + offload dev bond0 dir out + + ip -n $ns x s add proto esp src $dstip dst $srcip spi 9 \ + mode transport reqid 42 $algo sel src $dstip/24 dst $srcip/24 \ + offload dev bond0 dir in + + # does offload show up in ip output + lines=`ip -n $ns x s list | grep -c "crypto offload parameters: dev bond0 dir"` + if [ $lines -ne 2 ] ; then + check_err 1 "bond_ipsec_offload SA offload missing from list output" + fi +} + +trap defer_scopes_cleanup EXIT +setup_env +setup_bond + +# start Offload testing +test_offload + +# do failover and re-test +ip -n $ns link set $active_slave down +slowwait 5 active_slave_changed $active_slave +test_offload + +# make sure offload get removed from driver +ip -n $ns x s flush +ip -n $ns x p flush +line0=$(grep -c "SA count=0" $ipsec0) +line1=$(grep -c "SA count=0" $ipsec1) +[ $line0 -ne 1 -o $line1 -ne 1 ] +check_fail $? "bond_ipsec_offload SA not removed from driver" + +exit $EXIT_STATUS diff --git a/tools/testing/selftests/drivers/net/bonding/config b/tools/testing/selftests/drivers/net/bonding/config index dad4e5fda4db..054fb772846f 100644 --- a/tools/testing/selftests/drivers/net/bonding/config +++ b/tools/testing/selftests/drivers/net/bonding/config @@ -9,3 +9,7 @@ CONFIG_NET_CLS_FLOWER=y CONFIG_NET_SCH_INGRESS=y CONFIG_NLMON=y CONFIG_VETH=y +CONFIG_INET_ESP=y +CONFIG_INET_ESP_OFFLOAD=y +CONFIG_XFRM_USER=m +CONFIG_NETDEVSIM=m