| Message ID | 20190912110144.GS2879@gauss3.secunet.de |
|---|---|
| State | Accepted |
| Delegated to: | David Miller |
| Headers | show |
| Series | ixgbe: Fix secpath usage for IPsec TX offload. | expand |
From: Steffen Klassert <steffen.klassert@secunet.com> Date: Thu, 12 Sep 2019 13:01:44 +0200 > The ixgbe driver currently does IPsec TX offloading > based on an existing secpath. However, the secpath > can also come from the RX side, in this case it is > misinterpreted for TX offload and the packets are > dropped with a "bad sa_idx" error. Fix this by using > the xfrm_offload() function to test for TX offload. > > Fixes: 592594704761 ("ixgbe: process the Tx ipsec offload") > Reported-by: Michael Marley <michael@michaelmarley.com> > Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> I'll apply this directly and queue it up for -stable, thanks.
On Thu, 2019-09-12 at 13:43 +0200, David Miller wrote: > From: Steffen Klassert <steffen.klassert@secunet.com> > Date: Thu, 12 Sep 2019 13:01:44 +0200 > > > The ixgbe driver currently does IPsec TX offloading > > based on an existing secpath. However, the secpath > > can also come from the RX side, in this case it is > > misinterpreted for TX offload and the packets are > > dropped with a "bad sa_idx" error. Fix this by using > > the xfrm_offload() function to test for TX offload. > > > > Fixes: 592594704761 ("ixgbe: process the Tx ipsec offload") > > Reported-by: Michael Marley <michael@michaelmarley.com> > > Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> > > I'll apply this directly and queue it up for -stable, thanks. Thanks Dave!
On 9/12/2019 6:01 AM, Steffen Klassert wrote: > The ixgbe driver currently does IPsec TX offloading > based on an existing secpath. However, the secpath > can also come from the RX side, in this case it is > misinterpreted for TX offload and the packets are > dropped with a "bad sa_idx" error. Fix this by using > the xfrm_offload() function to test for TX offload. > Does this patch also need to be ported to the ixgbevf driver? I can replicate the bad sa_idx error using a VM that's using a VF & the ixgebvf driver.
On 9/12/19 12:01 PM, Steffen Klassert wrote: > The ixgbe driver currently does IPsec TX offloading > based on an existing secpath. However, the secpath > can also come from the RX side, in this case it is > misinterpreted for TX offload and the packets are > dropped with a "bad sa_idx" error. Fix this by using > the xfrm_offload() function to test for TX offload. Acked-by: Shannon Nelson <snelson@pensando.io> > > Fixes: 592594704761 ("ixgbe: process the Tx ipsec offload") > Reported-by: Michael Marley <michael@michaelmarley.com> > Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> > --- > drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c > index 9bcae44e9883..ae31bd57127c 100644 > --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c > +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c > @@ -36,6 +36,7 @@ > #include <net/vxlan.h> > #include <net/mpls.h> > #include <net/xdp_sock.h> > +#include <net/xfrm.h> > > #include "ixgbe.h" > #include "ixgbe_common.h" > @@ -8696,7 +8697,7 @@ netdev_tx_t ixgbe_xmit_frame_ring(struct sk_buff *skb, > #endif /* IXGBE_FCOE */ > > #ifdef CONFIG_IXGBE_IPSEC > - if (secpath_exists(skb) && > + if (xfrm_offload(skb) && > !ixgbe_ipsec_tx(tx_ring, first, &ipsec_tx)) > goto out_drop; > #endif
On 2019-09-12 07:01, Steffen Klassert wrote: > The ixgbe driver currently does IPsec TX offloading > based on an existing secpath. However, the secpath > can also come from the RX side, in this case it is > misinterpreted for TX offload and the packets are > dropped with a "bad sa_idx" error. Fix this by using > the xfrm_offload() function to test for TX offload. > > Fixes: 592594704761 ("ixgbe: process the Tx ipsec offload") > Reported-by: Michael Marley <michael@michaelmarley.com> > Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Tested-by: Michael Marley <michael@michaelmarley.com> > --- > drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c > b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c > index 9bcae44e9883..ae31bd57127c 100644 > --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c > +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c > @@ -36,6 +36,7 @@ > #include <net/vxlan.h> > #include <net/mpls.h> > #include <net/xdp_sock.h> > +#include <net/xfrm.h> > > #include "ixgbe.h" > #include "ixgbe_common.h" > @@ -8696,7 +8697,7 @@ netdev_tx_t ixgbe_xmit_frame_ring(struct sk_buff > *skb, > #endif /* IXGBE_FCOE */ > > #ifdef CONFIG_IXGBE_IPSEC > - if (secpath_exists(skb) && > + if (xfrm_offload(skb) && > !ixgbe_ipsec_tx(tx_ring, first, &ipsec_tx)) > goto out_drop; > #endif
On 9/12/19 5:33 PM, Jonathan Tooker wrote: > On 9/12/2019 6:01 AM, Steffen Klassert wrote: >> The ixgbe driver currently does IPsec TX offloading >> based on an existing secpath. However, the secpath >> can also come from the RX side, in this case it is >> misinterpreted for TX offload and the packets are >> dropped with a "bad sa_idx" error. Fix this by using >> the xfrm_offload() function to test for TX offload. >> > Does this patch also need to be ported to the ixgbevf driver? I can > replicate the bad sa_idx error using a VM that's using a VF & the > ixgebvf driver. > Yes. sln
On Thu, 2019-09-12 at 11:33 -0500, Jonathan Tooker wrote: > On 9/12/2019 6:01 AM, Steffen Klassert wrote: > > The ixgbe driver currently does IPsec TX offloading > > based on an existing secpath. However, the secpath > > can also come from the RX side, in this case it is > > misinterpreted for TX offload and the packets are > > dropped with a "bad sa_idx" error. Fix this by using > > the xfrm_offload() function to test for TX offload. > > > Does this patch also need to be ported to the ixgbevf driver? I can > replicate the bad sa_idx error using a VM that's using a VF & the > ixgebvf driver. > I am putting together a patch for ixgbevf right now.
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c index 9bcae44e9883..ae31bd57127c 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c @@ -36,6 +36,7 @@ #include <net/vxlan.h> #include <net/mpls.h> #include <net/xdp_sock.h> +#include <net/xfrm.h> #include "ixgbe.h" #include "ixgbe_common.h" @@ -8696,7 +8697,7 @@ netdev_tx_t ixgbe_xmit_frame_ring(struct sk_buff *skb, #endif /* IXGBE_FCOE */ #ifdef CONFIG_IXGBE_IPSEC - if (secpath_exists(skb) && + if (xfrm_offload(skb) && !ixgbe_ipsec_tx(tx_ring, first, &ipsec_tx)) goto out_drop; #endif
The ixgbe driver currently does IPsec TX offloading based on an existing secpath. However, the secpath can also come from the RX side, in this case it is misinterpreted for TX offload and the packets are dropped with a "bad sa_idx" error. Fix this by using the xfrm_offload() function to test for TX offload. Fixes: 592594704761 ("ixgbe: process the Tx ipsec offload") Reported-by: Michael Marley <michael@michaelmarley.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> --- drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)