diff options
| author | Huy Nguyen <huyn@mellanox.com> | 2020-06-02 00:39:37 +0300 |
|---|---|---|
| committer | Sasha Levin <sashal@kernel.org> | 2020-06-30 22:36:53 +0300 |
| commit | 41b2debf35ef5bc5719971d2470b1b7ed876a3c2 (patch) | |
| tree | d1818fe62478627df1bc5156fcc57bbf005ac892 | |
| parent | 475a7b09b4bbc9a3801c60c3ac8375d142ed3def (diff) | |
| download | linux-41b2debf35ef5bc5719971d2470b1b7ed876a3c2.tar.xz | |
xfrm: Fix double ESP trailer insertion in IPsec crypto offload.
[ Upstream commit 94579ac3f6d0820adc83b5dc5358ead0158101e9 ]
During IPsec performance testing, we see bad ICMP checksum. The error packet
has duplicated ESP trailer due to double validate_xmit_xfrm calls. The first call
is from ip_output, but the packet cannot be sent because
netif_xmit_frozen_or_stopped is true and the packet gets dev_requeue_skb. The second
call is from NET_TX softirq. However after the first call, the packet already
has the ESP trailer.
Fix by marking the skb with XFRM_XMIT bit after the packet is handled by
validate_xmit_xfrm to avoid duplicate ESP trailer insertion.
Fixes: f6e27114a60a ("net: Add a xfrm validate function to validate_xmit_skb")
Signed-off-by: Huy Nguyen <huyn@mellanox.com>
Reviewed-by: Boris Pismenny <borisp@mellanox.com>
Reviewed-by: Raed Salem <raeds@mellanox.com>
Reviewed-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
| -rw-r--r-- | include/net/xfrm.h | 1 | ||||
| -rw-r--r-- | net/xfrm/xfrm_device.c | 4 |
2 files changed, 4 insertions, 1 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index aa08a7a5f6ac..fb391c00c19a 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -1012,6 +1012,7 @@ struct xfrm_offload { #define XFRM_GRO 32 #define XFRM_ESP_NO_TRAILER 64 #define XFRM_DEV_RESUME 128 +#define XFRM_XMIT 256 __u32 status; #define CRYPTO_SUCCESS 1 diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c index c365b918be35..bb2292b5260c 100644 --- a/net/xfrm/xfrm_device.c +++ b/net/xfrm/xfrm_device.c @@ -82,7 +82,7 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur struct xfrm_offload *xo = xfrm_offload(skb); struct sec_path *sp; - if (!xo) + if (!xo || (xo->flags & XFRM_XMIT)) return skb; if (!(features & NETIF_F_HW_ESP)) @@ -103,6 +103,8 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur return skb; } + xo->flags |= XFRM_XMIT; + if (skb_is_gso(skb)) { struct net_device *dev = skb->dev; |