Avoid SKB coalescing if eor bit is set in one of the relevant
SKBs.
Fixes: c134ecb87817 ("tcp: Make use of MSG_EOR in tcp_sendmsg")
Signed-off-by: Ilya Lesokhin
---
Changes from v4:
- Remove Gerrit Change-Id
Changes from v3:
- Fix coding style
Chang
Avoid SKB coalescing if eor bit is set in one of the relevant
SKBs.
Change-Id: I64d4f9874f2e23b3fd03daddccbefed53e098028
Fixes: c134ecb87817 ("tcp: Make use of MSG_EOR in tcp_sendmsg")
Signed-off-by: Ilya Lesokhin
---
net/ipv4/tcp_output.c | 25 +
1 file c
Avoid SKB coalescing if eor bit is set in one of the relevant
SKBs.
Fixes: c134ecb87817 ("tcp: Make use of MSG_EOR in tcp_sendmsg")
Signed-off-by: Ilya Lesokhin
---
net/ipv4/tcp_output.c | 26 ++
1 file changed, 26 insertions(+)
diff --git a/net/ipv4/tcp_outp
Avoid SKB coalescing if eor bit is set in one of the relevant
SKBs.
Fixes: c134ecb87817 ("tcp: Make use of MSG_EOR in tcp_sendmsg")
Signed-off-by: Ilya Lesokhin
---
net/ipv4/tcp_output.c | 12
1 file changed, 12 insertions(+)
diff --git a/net/ipv4/tcp_output.c
Avoid SKB coalescing if eor bit is set in one of the relevant
SKBs.
Fixes: c134ecb87817 ("tcp: Make use of MSG_EOR in tcp_sendmsg")
Signed-off-by: Ilya Lesokhin
---
net/ipv4/tcp_output.c | 11 +++
1 file changed, 11 insertions(+)
diff --git a/net/ipv4/tcp_output.c
attached to it.
We restrict the TLS ulp to sockets in ESTABLISHED state
to prevent the scenario above.
Fixes: 3c4d7559159b ("tls: kernel TLS support")
Reported-by: syzbot+904e7cd6c5c741609...@syzkaller.appspotmail.com
Signed-off-by: Ilya Lesokhin
---
v2: Fix typos
net/tls/tls_main.c | 9 ++
I'm sorry, I've noticed that I have a typo in my comment.
It should read:
/*The TLS ulp is currently supported only for TCP sockets
* in ESTABLISHED state.
* Supporting sockets in LISTEN state will require us
* to modify the accept implementation to clone rather than
* share the ulp context.
attached to it.
We restrict the TLS ulp to sockets in ESTABLISHED state
to prevent the scenario above.
Fixes: 3c4d755 ('tls: kernel TLS support')
Reported-by: syzbot+904e7cd6c5c741609...@syzkaller.appspotmail.com
Signed-off-by: Ilya Lesokhin
---
net/tls/tls_main.c | 9 +
1 file
>
> > Dave, would you prefer to get the driver patches that use this infra
> > before the infra?
>
> The arguments you present are silly.
>
> In order to analyze any proposed API, the users of it must be presented for
> the reviewers to see as well.
>
> Logically, you must have tried to make
>
> TLS records should be attached to skbs ?
>
> It seems more reasonable to free TLS when skb are freed, and not in
> general tcp_ack() path.
We've considered it, but then we would have to touch all the places the TCP
stack splits or merges SKBs. Seems more intrusive.
>
> >
> > > 2) Since you
> 1) tcp_ack() is already very expensive.
>
I'm not sure what we should do with that comment. We need
some trigger to free TLS records. tcp_ack seemed like a reasonable
trigger.
> 2) Since you do not pass any state here, this looks very suspicious to me.
>
The state we need is the acknowle
> > diff --git a/net/core/dev.c b/net/core/dev.c
> > index b0eee49a2489..6a78d9046674 100644
> > --- a/net/core/dev.c
> > +++ b/net/core/dev.c
> > @@ -3051,6 +3051,10 @@ static struct sk_buff *validate_xmit_skb(struct
> sk_buff *skb, struct net_device
> > if (unlikely(!skb))
> > got
Tuesday, December 19, 2017 5:12 PM, Marcelo Ricardo Leitner wrote:
> > I'm not quite sure what you mean by "no net_device's are registered"
> > Presumably you mean there is no device that implements the
> > NETIF_F_HW_TLS_TX capability yet.
>
> Not really. Let me try again. This patchset is using
On Monday, December 18, 2017 9:18 PM, Marcelo Ricardo Leitner wrote:
> > +
> > + if (sk && sk_fullsock(sk) && sk->sk_offload_check)
>
> Isn't this going to hurt the fast path, checking for sk fields here?
>
We do add code to the fast path but it seems unavoidable if you want to have SW
fallb
On Monday, December 18, 2017 9:54 PM, Marcelo Ricardo Leitner wrote:
> On Mon, Dec 18, 2017 at 01:10:33PM +0200, Ilya Lesokhin wrote:
> > This patch adds a generic infrastructure to offload TLS crypto to a
> > network devices. It enables the kernel TLS socket to skip enc
Add new netdev ops to add and delete tls context
Signed-off-by: Boris Pismenny
Signed-off-by: Ilya Lesokhin
Signed-off-by: Aviad Yehezkel
---
include/linux/netdevice.h | 23 +++
1 file changed, 23 insertions(+)
diff --git a/include/linux/netdevice.h b/include/linux
issuing the context reconstruction request.
Signed-off-by: Boris Pismenny
Signed-off-by: Ilya Lesokhin
Signed-off-by: Aviad Yehezkel
---
include/net/tls.h | 62 +++-
net/tls/Kconfig | 9 +
net/tls/Makefile | 3 +
net/tls/tls_dev
Offloaded sockets rely on the netdev to transform the transmitted
packets before sending them over the network.
When a packet from an offloaded socket is looped back or
rerouted to a different device, we need to detect it and
do the transformation in software.
Signed-off-by: Ilya Lesokhin
Signed
This patch adds a netdev feature to configure TLS TX offloads.
Signed-off-by: Boris Pismenny
Signed-off-by: Ilya Lesokhin
Signed-off-by: Aviad Yehezkel
---
include/linux/netdev_features.h | 2 ++
net/core/ethtool.c | 1 +
2 files changed, 3 insertions(+)
diff --git a/include
Called when a TCP segment is acknowledged.
Could be used by application protocols that hold additional
metadata associated with the stream data.
This is required by TLS device offload to release
metadata associated with acknowledged TLS records.
Signed-off-by: Boris Pismenny
Signed-off-by: Ilya
copy_skb_header is renamed to skb_copy_header and
exported. Exposing this function gives more flexibility
in copying SKBs.
skb_copy and skb_copy_expand do not give enough control
over which parts are copied.
Signed-off-by: Ilya Lesokhin
Signed-off-by: Boris Pismenny
---
include/linux/skbuff.h
papers/netdevconf-TLS.pdf
Ilya Lesokhin (6):
tcp: Add clean acked data hook
net: Rename and export copy_skb_header
net: Add SW fallback infrastructure for offloaded sockets
net: Add TLS offload netdev ops
net: Add TLS TX offload features
tls: Add generic NIC offload infrastructure.
include
The tx configuration is now stored in ctx->tx_conf,
and sk->sk_prot is updated through a function.
This will simplify things when we add rx
and support for different possible
tx and rx cross configurations.
Signed-off-by: Ilya Lesokhin
---
include/net/tls.h | 2 ++
net/tls/tls_main.
If we fail to enable tls in the kernel, we shouldn't override
the sk_write_space callback.
Fixes: 3c4d7559159b ('tls: kernel TLS support')
Signed-off-by: Ilya Lesokhin
---
net/tls/tls_main.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/net/tls/tls_m
onf == TLS_BASE_TX.
This patch also removes ctx->free_resources as we can use ctx->tx_conf
to obtain the relevant information.
Fixes: 3c4d7559159b ('tls: kernel TLS support')
Signed-off-by: Ilya Lesokhin
---
include/net/tls.h | 2 +-
net/tls/tls_main.c | 22 ++---
Move tls_make_aad as it is going to be reused
by the device offload code and rx path.
Remove unused recv parameter.
Signed-off-by: Ilya Lesokhin
---
include/net/tls.h | 15 +++
net/tls/tls_sw.c | 18 +-
2 files changed, 16 insertions(+), 17 deletions(-)
diff --git
Use kzalloc for aead_request allocation as
we don't set all the bits in the request.
Fixes: 3c4d7559159b ('tls: kernel TLS support')
Signed-off-by: Ilya Lesokhin
---
net/tls/tls_sw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/tls/tls_sw.c b/net/tls
Avoid copying crypto_info again after cipher_type check
to avoid TOCTOU exploits.
The temporary array on the stack is removed as we don't really need it.
Fixes: 3c4d7559159b ('tls: kernel TLS support')
Signed-off-by: Ilya Lesokhin
---
net/tls/tls_main.c | 29 -
sts/kernel/msg2608603.html
Patch 6 avoids callback overriding when tls_set_sw_offload fails.
Ilya Lesokhin (6):
tls: Use kzalloc for aead_request allocation
tls: Add function to update the TLS socket configuration
tls: Fix TLS ulp context leak, when TLS_TX setsockopt is not used.
tls: Move tls_m
for offloaded socket fallback
Patches 10-11 add new NDOs and capabilities.
Patch 12 adds the TLS NIC offload infrastructure.
Github with mlx5e TLS offload support:
https://github.com/Mellanox/tls-offload/tree/tls_device_v2
Paper: https://www.netdevconf.org/1.2/papers/netdevconf-TLS.pdf
Ilya Lesok
Move tls_make_aad as it is going to be reused
by the device offload code
Signed-off-by: Ilya Lesokhin
---
include/net/tls.h | 15 +++
net/tls/tls_sw.c | 18 +-
2 files changed, 16 insertions(+), 17 deletions(-)
diff --git a/include/net/tls.h b/include/net/tls.h
copy_skb_header is renamed to skb_copy_header and
exported. Exposing this function gives more flexibility
in copying SKBs.
skb_copy and skb_copy_expand do not give enough control
over which parts are copied.
Signed-off-by: Ilya Lesokhin
---
include/linux/skbuff.h | 1 +
net/core/skbuff.c
Offloaded sockets rely on the netdev to transform the transmitted
packets before sending them over the network.
When a packet from an offloaded socket is looped back or
rerouted to a different device, we need to detect it and
do the transformation in software.
Signed-off-by: Ilya Lesokhin
issuing the context reconstruction request.
Signed-off-by: Boris Pismenny
Signed-off-by: Ilya Lesokhin
Signed-off-by: Aviad Yehezkel
---
include/net/tls.h | 55 +++-
net/tls/Kconfig | 9 +
net/tls/Makefile | 3 +
net/tls/tls_dev
Add new netdev ops to add and delete tls context
Signed-off-by: Boris Pismenny
Signed-off-by: Ilya Lesokhin
Signed-off-by: Aviad Yehezkel
---
include/linux/netdevice.h | 21 +
1 file changed, 21 insertions(+)
diff --git a/include/linux/netdevice.h b/include/linux
On Tuesday, October 31, 2017 11:14 AM Steffen Klassert wrote:
> I think Ilya talks about the case where the TLS crypto is intended to be
> offloaded to a NIC. In this case we need a software crypto fallback e.g. if a
> packet got rerouted to a device that does not support crypto offloading.
Yo
On Tuesday, October 31, 2017 9:45 AM, Herbert Xu wrote:
>
> For your intended use case I think async processing should work just fine as
> it does for IPsec.
>
I haven't dived into the async IPSEC fallback code yet, but it seems
complicated.
I'm not sure it makes the correct performance/compl
On Tuesday, October 31, 2017 9:33 AM, Herbert Xu wrote:
> You are right. generic-gcm-aesni is completely broken.
>
> It needs to be rewritten to use a wrapper as is done with rfc4106.
I think we should consider having a synchronous implementation that falls back
to integer implementation when th
On Tuesday, October 31, 2017 9:17 AM, Herbert Xu wrote:
>
> Users of the crypto API shouldn't need to check irq_fpu_usable().
> The crypto API should work regardless of what context you're in.
>
I agree, I'm just saying that as far as I can tell that's not true
for the aesni generic gcm(aes) aea
On Tuesday, October 31, 2017 6:10 AM, Herbert Xu wrote:
>
> Are you allocating the tfm from atomic context? That is not allowed.
>
> Normally you would allocate the tfm in process context, e.g., when the
> connection is setup.
>
I call crypto_alloc_aead("gcm(aes)", 0, flags) in process cont
Hi,
I've tried using the aesni generic gcm(aes) aead to implement TLS SW fallback
and I'm getting
[ 3356.839506] BUG: sleeping function called from invalid context at
./include/crypto/algapi.h:417
The warning is coming from a ___might_sleep() macro that is called if
CRYPTO_TFM_REQ_MAY_SLEEP is
Hannes Frederic Sowa writes:
> The user should be aware that they can't migrate the socket to another
> interface if they got hw offloaded. This is not the case for software offload.
> Thus I think the user has to opt in and it shouldn't be a heuristic until we
> can switch back to sw offlo
//github.com/Mellanox/tls-offload/tree/tls_device_v1
Paper: https://www.netdevconf.org/1.2/papers/netdevconf-TLS.pdf
Ilya Lesokhin (5):
tls: Move release of tls_ctx into tls_sw_free_resources
tcp: Add clean acked data hook
net: Add TLS offload netdev ops
net: Add TLS TX offload featur
issuing the context reconstruction request.
Signed-off-by: Boris Pismenny
Signed-off-by: Ilya Lesokhin
Signed-off-by: Aviad Yehezkel
---
include/net/tls.h| 41 +++-
net/tls/Kconfig | 9 +
net/tls/Makefile | 3 +
net/tls/tls_device.c | 673
Move release of tls_ctx into sw specific code.
This is required because the device offload implementation
requires this context to remain alive until there are
no more in-flight SKBs.
Signed-off-by: Boris Pismenny
Signed-off-by: Ilya Lesokhin
Signed-off-by: Aviad Yehezkel
---
net/tls
Want to be able to use these in TLS.
Signed-off-by: Boris Pismenny
---
net/ipv6/tcp_ipv6.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 38f76d8..60d0629 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1948,6 +1948,7 @@ struct
oto structs and uses them when
attached to ipv6 sockets.
Fixes: 3c4d7559159b ('tls: kernel TLS support')
Signed-off-by: Boris Pismenny
Signed-off-by: Ilya Lesokhin
---
net/tls/Kconfig| 1 +
net/tls/tls_main.c | 50 ++
2 file
r kernel.
- tls_init now checks sk->sk_prot directly
This is somewhat safer than checking indirectly through sk->sk_family
Ilya Lesokhin (2):
net: Export tcpv6_prot
tls: Use correct sk->sk_prot for IPV6
net/ipv6/tcp_ipv6.c | 1 +
net/tls
> -Original Message-
> From: Eric Dumazet [mailto:eric.duma...@gmail.com]
> Sent: Tuesday, August 15, 2017 5:46 PM
> To: Boris Pismenny
> Cc: Ilya Lesokhin ; netdev@vger.kernel.org;
> da...@davemloft.net; davejwat...@fb.com; Aviad Yehezkel
>
> Subject: Re: [PAT
With this patch IPV6 code ensures that only sockets with the
expected sk->sk_prot are converted to IPV4.
Signed-off-by: Boris Pismenny
---
net/ipv6/ipv6_sockglue.c | 12
1 file changed, 12 insertions(+)
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 02d795f..
Want to be able to use these in TLS.
Signed-off-by: Boris Pismenny
---
net/ipv6/tcp_ipv6.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 2521690..ef8d5b4 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1944,6 +1944,7 @@ struct
oto structs and uses them when
attached to ipv6 sockets.
Signed-off-by: Boris Pismenny
Signed-off-by: Ilya Lesokhin
---
net/tls/Kconfig| 1 +
net/tls/tls_main.c | 50 ++
2 files changed, 39 insertions(+), 12 deletions(-)
diff --git a/net/
in their kernel.
- tls_init now checks sk->sk_prot directly
This is somewhat safer than checking indirectly through sk->sk_family
Ilya Lesokhin (3):
ipv6: Prevent unexpected sk->sk_prot changes
net: Export tcpv6_prot
tls: Use correct sk->sk_prot for IPV6
net/ipv6/ipv6_sockglue.c |
Fix tls code to use the correct sk->sk_prot for IPV6.
Previously the tcp_prot of IPV4 was used.
Boris Pismenny (1):
net: Export tcpv6_prot
Ilya Lesokhin (2):
ipv6: Prevent unexpected sk->sk_prot changes
tls: Use correct sk->sk_prot for IPV6
net/ipv6/ipv6_sockgl
From: Boris Pismenny
Want to be able to use these in TLS.
Signed-off-by: Boris Pismenny
---
net/ipv6/tcp_ipv6.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 2521690..e3a44a5 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -19
The code assumed that only IP version 4 TCP sk->sk_prot was
being used. Now it checks for IPV6 and sets sk->sk_prot
accordingly.
Signed-off-by: Boris Pismenny
Signed-off-by: Ilya Lesokhin
---
net/tls/tls_main.c | 61 +++---
1 file chang
t; From: Eric Dumazet [mailto:eric.duma...@gmail.com]
> Sent: Thursday, May 4, 2017 9:33 PM
> To: Ilya Lesokhin
> Cc: netdev@vger.kernel.org; tls-fpga-sw-dev d...@mellanox.com>; Dave Watson
> Subject: Re: Why do we need MSG_SENDPAGE_NOTLAST?
>
> On Thu, 2017-05-04 at 17:
I don't understand the need for MSG_SENDPAGE_NOTLAST and I'm hoping someone can
enlighten me.
According to commit 35f9c09 ('tcp: tcp_sendpages() should call tcp_push()
once'):
"We need to call tcp_flush() at the end of the last page processed in
tcp_sendpages(), or else transmits can be deferred
Hi,
I've noticed that tcp_can_collapse() returns false if skb_shinfo(skb)->nr_frags != 0.
Is there a reason why we want to base the collapse decision in retransmission
on whether the data is located in a frag or the linear part?
The relevant commit is
tcp: collapse more than two on retra
ric Dumazet [mailto:eric.duma...@gmail.com]
> Sent: Thursday, August 04, 2016 4:25 PM
> To: Ilya Lesokhin
> Cc: netdev@vger.kernel.org; eduma...@google.com
> Subject: Re: [PATCH] net: use non-compound pages in frag allocator
>
> On Thu, 2016-08-04 at 15:47 +0300, Ilya Lesokhin wrote:
The code currently always references the first page in the
frag, therefore there is no need to pay the extra overhead
of making the frag page compound.
Signed-off-by: Ilya Lesokhin
---
net/core/sock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/sock.c b/net/core