xfrm: Fix double ESP trailer insertion in IPsec crypto offload.
[ Upstream commit94579ac3f6
] During IPsec performance testing, we see bad ICMP checksum. The error packet has duplicated ESP trailer due to double validate_xmit_xfrm calls. The first call is from ip_output, but the packet cannot be sent because netif_xmit_frozen_or_stopped is true and the packet gets dev_requeue_skb. The second call is from NET_TX softirq. However after the first call, the packet already has the ESP trailer. Fix by marking the skb with XFRM_XMIT bit after the packet is handled by validate_xmit_xfrm to avoid duplicate ESP trailer insertion. Fixes:f6e27114a6
("net: Add a xfrm validate function to validate_xmit_skb") Signed-off-by: Huy Nguyen <huyn@mellanox.com> Reviewed-by: Boris Pismenny <borisp@mellanox.com> Reviewed-by: Raed Salem <raeds@mellanox.com> Reviewed-by: Saeed Mahameed <saeedm@mellanox.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
parent
475a7b09b4
commit
41b2debf35
|
@ -1012,6 +1012,7 @@ struct xfrm_offload {
|
||||||
#define XFRM_GRO 32
|
#define XFRM_GRO 32
|
||||||
#define XFRM_ESP_NO_TRAILER 64
|
#define XFRM_ESP_NO_TRAILER 64
|
||||||
#define XFRM_DEV_RESUME 128
|
#define XFRM_DEV_RESUME 128
|
||||||
|
#define XFRM_XMIT 256
|
||||||
|
|
||||||
__u32 status;
|
__u32 status;
|
||||||
#define CRYPTO_SUCCESS 1
|
#define CRYPTO_SUCCESS 1
|
||||||
|
|
|
@ -82,7 +82,7 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur
|
||||||
struct xfrm_offload *xo = xfrm_offload(skb);
|
struct xfrm_offload *xo = xfrm_offload(skb);
|
||||||
struct sec_path *sp;
|
struct sec_path *sp;
|
||||||
|
|
||||||
if (!xo)
|
if (!xo || (xo->flags & XFRM_XMIT))
|
||||||
return skb;
|
return skb;
|
||||||
|
|
||||||
if (!(features & NETIF_F_HW_ESP))
|
if (!(features & NETIF_F_HW_ESP))
|
||||||
|
@ -103,6 +103,8 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur
|
||||||
return skb;
|
return skb;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
xo->flags |= XFRM_XMIT;
|
||||||
|
|
||||||
if (skb_is_gso(skb)) {
|
if (skb_is_gso(skb)) {
|
||||||
struct net_device *dev = skb->dev;
|
struct net_device *dev = skb->dev;
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue