git.proxmox.com Git - mirror_ubuntu-focal-kernel.git/commit
xfrm: Fix double ESP trailer insertion in IPsec crypto offload.
author Huy Nguyen <huyn@mellanox.com>
Mon, 1 Jun 2020 21:39:37 +0000 (16:39 -0500)
committer Khalid Elmously <khalid.elmously@canonical.com>
Sat, 8 Aug 2020 05:53:12 +0000 (01:53 -0400)
commit 9fbd4d1fc879fa95ba933564435d3d95718f0108
tree b6a60fd71ea366932eaf6e37e3dd40c850217af2
parent 78295e530289c368b1eae5b404ac859ff6a37772

BugLink: https://bugs.launchpad.net/bugs/1885942
[ Upstream commit 94579ac3f6d0820adc83b5dc5358ead0158101e9 ]

During IPsec performance testing, we see bad ICMP checksum. The error packet
has duplicated ESP trailer due to double validate_xmit_xfrm calls. The first call
is from ip_output, but the packet cannot be sent because
netif_xmit_frozen_or_stopped is true and the packet gets dev_requeue_skb. The second
call is from NET_TX softirq. However after the first call, the packet already
has the ESP trailer.

Fix by marking the skb with XFRM_XMIT bit after the packet is handled by
validate_xmit_xfrm to avoid duplicate ESP trailer insertion.

Fixes: f6e27114a60a ("net: Add a xfrm validate function to validate_xmit_skb")
Signed-off-by: Huy Nguyen <huyn@mellanox.com>
Reviewed-by: Boris Pismenny <borisp@mellanox.com>
Reviewed-by: Raed Salem <raeds@mellanox.com>
Reviewed-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Kelsey Skunberg <kelsey.skunberg@canonical.com>
include/net/xfrm.h
net/xfrm/xfrm_device.c
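
The failure mode in the commit message, as an added userspace model (not the kernel code from this commit): a packet whose first transmit attempt is requeued goes through the validation step twice, and without a "handled" bit the ESP trailer is appended twice. `struct pkt`, `validate_xmit`, `send_with_requeue` and `MODEL_XMIT_DONE` are hypothetical names standing in for the skb, `validate_xmit_xfrm` and the `XFRM_XMIT` bit.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MODEL_XMIT_DONE 0x2   /* hypothetical stand-in for the XFRM_XMIT bit */
#define ESP_ALIGN 4           /* trailer pads the payload to a 4-byte boundary */

struct pkt { uint8_t data[128]; size_t len; unsigned flags; };

/* Append an ESP trailer: padding bytes 1..n, pad length, next header. */
static void add_esp_trailer(struct pkt *p, uint8_t next_hdr)
{
    size_t pad = (ESP_ALIGN - ((p->len + 2) % ESP_ALIGN)) % ESP_ALIGN;
    for (size_t i = 1; i <= pad; i++)
        p->data[p->len++] = (uint8_t)i;
    p->data[p->len++] = (uint8_t)pad;
    p->data[p->len++] = next_hdr;
}

/* Model of the transmit-path validation step; guard != 0 enables the fix. */
static void validate_xmit(struct pkt *p, int guard)
{
    if (guard && (p->flags & MODEL_XMIT_DONE))
        return;                  /* already handled on an earlier attempt */
    add_esp_trailer(p, 1);       /* next header 1 = ICMP */
    p->flags |= MODEL_XMIT_DONE; /* mark so a retry does not add it again */
}

/* Two passes over one packet: stopped queue, then retry. Returns final length. */
size_t send_with_requeue(size_t payload_len, int guard)
{
    struct pkt p = { .len = payload_len, .flags = 0 };
    if (payload_len > 64) return 0;   /* keep the model inside its buffer */
    memset(p.data, 0xAA, payload_len); /* constructed sample payload */
    validate_xmit(&p, guard);   /* first call: queue stopped, packet requeued */
    validate_xmit(&p, guard);   /* second call: retry of the same packet */
    return p.len;
}

int main(void)
{
    printf("without guard: %zu bytes\n", send_with_requeue(9, 0));
    printf("with guard:    %zu bytes\n", send_with_requeue(9, 1));
    return 0;
}
```
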