Commit 855150a7 authored Jun 01, 2020 by Huy Nguyen Committed by Sasha Levin Jun 30, 2020

xfrm: Fix double ESP trailer insertion in IPsec crypto offload.



[ Upstream commit 94579ac3f6d0820adc83b5dc5358ead0158101e9 ]

During IPsec performance testing, we see bad ICMP checksum. The error packet
has duplicated ESP trailer due to double validate_xmit_xfrm calls. The first call
is from ip_output, but the packet cannot be sent because
netif_xmit_frozen_or_stopped is true and the packet gets dev_requeue_skb. The second
call is from NET_TX softirq. However after the first call, the packet already
has the ESP trailer.

Fix by marking the skb with XFRM_XMIT bit after the packet is handled by
validate_xmit_xfrm to avoid duplicate ESP trailer insertion.

Fixes: f6e27114 ("net: Add a xfrm validate function to validate_xmit_skb")
Signed-off-by: Huy Nguyen <huyn@mellanox.com>
Reviewed-by: Boris Pismenny <borisp@mellanox.com>
Reviewed-by: Raed Salem <raeds@mellanox.com>
Reviewed-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 39dad730

include/net/xfrm.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -1083,6 +1083,7 @@ struct xfrm_offload {
		#define XFRM_GRO 32
		#define XFRM_ESP_NO_TRAILER 64
		#define XFRM_DEV_RESUME 128
		#define XFRM_XMIT 256

		__u32 status;
		#define CRYPTO_SUCCESS 1

net/xfrm/xfrm_device.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -33,7 +33,7 @@ struct sk_buff validate_xmit_xfrm(struct sk_buff skb, netdev_features_t featur
		netdev_features_t esp_features = features;
		struct xfrm_offload *xo = xfrm_offload(skb);

		if (!xo)
		if (!xo \|\| (xo->flags & XFRM_XMIT))
		return skb;

		if (!(features & NETIF_F_HW_ESP))
		@@ -53,6 +53,8 @@ struct sk_buff validate_xmit_xfrm(struct sk_buff skb, netdev_features_t featur
		return skb;
		}

		xo->flags \|= XFRM_XMIT;

		if (skb_is_gso(skb)) {
		struct net_device *dev = skb->dev;