Re: [devel-ipsec] Re: [PATCH ipsec-next v5 7/8] xfrm: add error messages to state migration

[Antony Antony]

On Fri, Jan 30, 2026 at 01:14:39PM +0100, Sabrina Dubroca via Devel wrote:
> 2026-01-27, 11:43:42 +0100, Antony Antony wrote:
> > Add descriptive(extack) error messages for all error paths
> > in state migration. This improves diagnostics by
> > providing clear feedback when migration fails.
> > 
> > Signed-off-by: Antony Antony <antony.antony@xxxxxxxxxxx>
> > ---
> > v4->v5: - added this patch
> > ---
> >  net/xfrm/xfrm_state.c | 13 ++++++++++---
> >  1 file changed, 10 insertions(+), 3 deletions(-)
> > 
> > diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
> > index 88a362e46972..2e03871ae872 100644
> > --- a/net/xfrm/xfrm_state.c
> > +++ b/net/xfrm/xfrm_state.c
> > @@ -2129,15 +2129,21 @@ struct xfrm_state *xfrm_state_migrate_create(struct xfrm_state *x,
> >  	struct xfrm_state *xc;
> > 
> >  	xc = xfrm_state_clone_and_setup(x, encap, m);
> > -	if (!xc)
> > +	if (!xc) {
> > +		NL_SET_ERR_MSG(extack, "Failed to clone and setup state");
> 
> When xfrm_state_clone_and_setup fails it's because some allocation
> failed and the user won't be able to do much about this, right? I
> don't feel extack in those situations is super helpful.

I felt it was usefaul to know, and to log this happened. May not a great 
idea.

> 
> >  		return NULL;
> > +	}
> > 
> > -	if (xfrm_init_state(xc) < 0)
> > +	if (xfrm_init_state(xc) < 0) {
> > +		NL_SET_ERR_MSG(extack, "Failed to initialize migrated state");
> 
> xfrm_init_state itself doesn't handle extack, but it's just a wrapper
> around functions that do. Maybe better to make xfrm_init_state
> propagate extack?

That is a great idea. May be in a future patch set. For now, I will drop 
this patch from this series. To move forward quickly.

> 
> >  		goto error;
> > +	}
> > 
> >  	/* configure the hardware if offload is requested */
> > -	if (xuo && xfrm_dev_state_add(net, xc, xuo, extack))
> > +	if (xuo && xfrm_dev_state_add(net, xc, xuo, extack)) {
> > +		NL_SET_ERR_MSG(extack, "Failed to initialize state offload");
> 
> We already set an extack in xfrm_dev_state_add, this chunk should be
> dropped to avoid overwriting the more specific info we got.
> 
> >  		goto error;
> > +	}
> > 
> >  	return xc;
> >  error:
> > @@ -2161,6 +2167,7 @@ int xfrm_state_migrate_install(const struct xfrm_state *x,
> >  		xfrm_state_insert(xc);
> >  	} else {
> >  		if (xfrm_state_add(xc) < 0) {
> > +			NL_SET_ERR_MSG(extack, "Failed to add migrated state");
> 
> Not a strong objection, but this case would be the EEXIST situation
> from xfrm_state_add, and there's not much the user can do about this?

Fair point, but logging it still has value too, userspace can track these
over time and adapt. Let's revisit when we add extack to xfrm_init_state.

> 
> >  			if (xuo)
> >  				xfrm_dev_state_delete(xc);
> >  			xc->km.state = XFRM_STATE_DEAD;
>