* [PATCH] ixgbe: Fix secpath usage for IPsec TX offload.
@ 2019-09-12 11:01 Steffen Klassert
2019-09-12 11:43 ` David Miller
` (3 more replies)
0 siblings, 4 replies; 8+ messages in thread
From: Steffen Klassert @ 2019-09-12 11:01 UTC (permalink / raw)
To: Jeff Kirsher, intel-wired-lan; +Cc: Michael Marley, Shannon Nelson, netdev
The ixgbe driver currently does IPsec TX offloading
based on an existing secpath. However, the secpath
can also come from the RX side, in this case it is
misinterpreted for TX offload and the packets are
dropped with a "bad sa_idx" error. Fix this by using
the xfrm_offload() function to test for TX offload.
Fixes: 592594704761 ("ixgbe: process the Tx ipsec offload")
Reported-by: Michael Marley <michael@michaelmarley.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
index 9bcae44e9883..ae31bd57127c 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
@@ -36,6 +36,7 @@
#include <net/vxlan.h>
#include <net/mpls.h>
#include <net/xdp_sock.h>
+#include <net/xfrm.h>
#include "ixgbe.h"
#include "ixgbe_common.h"
@@ -8696,7 +8697,7 @@ netdev_tx_t ixgbe_xmit_frame_ring(struct sk_buff *skb,
#endif /* IXGBE_FCOE */
#ifdef CONFIG_IXGBE_IPSEC
- if (secpath_exists(skb) &&
+ if (xfrm_offload(skb) &&
!ixgbe_ipsec_tx(tx_ring, first, &ipsec_tx))
goto out_drop;
#endif
--
2.17.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH] ixgbe: Fix secpath usage for IPsec TX offload.
2019-09-12 11:01 [PATCH] ixgbe: Fix secpath usage for IPsec TX offload Steffen Klassert
@ 2019-09-12 11:43 ` David Miller
2019-09-12 15:57 ` Jeff Kirsher
2019-09-12 16:33 ` Jonathan Tooker
` (2 subsequent siblings)
3 siblings, 1 reply; 8+ messages in thread
From: David Miller @ 2019-09-12 11:43 UTC (permalink / raw)
To: steffen.klassert
Cc: jeffrey.t.kirsher, intel-wired-lan, michael, snelson, netdev
From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Thu, 12 Sep 2019 13:01:44 +0200
> The ixgbe driver currently does IPsec TX offloading
> based on an existing secpath. However, the secpath
> can also come from the RX side, in this case it is
> misinterpreted for TX offload and the packets are
> dropped with a "bad sa_idx" error. Fix this by using
> the xfrm_offload() function to test for TX offload.
>
> Fixes: 592594704761 ("ixgbe: process the Tx ipsec offload")
> Reported-by: Michael Marley <michael@michaelmarley.com>
> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
I'll apply this directly and queue it up for -stable, thanks.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ixgbe: Fix secpath usage for IPsec TX offload.
2019-09-12 11:43 ` David Miller
@ 2019-09-12 15:57 ` Jeff Kirsher
0 siblings, 0 replies; 8+ messages in thread
From: Jeff Kirsher @ 2019-09-12 15:57 UTC (permalink / raw)
To: David Miller, steffen.klassert; +Cc: intel-wired-lan, michael, snelson, netdev
[-- Attachment #1: Type: text/plain, Size: 782 bytes --]
On Thu, 2019-09-12 at 13:43 +0200, David Miller wrote:
> From: Steffen Klassert <steffen.klassert@secunet.com>
> Date: Thu, 12 Sep 2019 13:01:44 +0200
>
> > The ixgbe driver currently does IPsec TX offloading
> > based on an existing secpath. However, the secpath
> > can also come from the RX side, in this case it is
> > misinterpreted for TX offload and the packets are
> > dropped with a "bad sa_idx" error. Fix this by using
> > the xfrm_offload() function to test for TX offload.
> >
> > Fixes: 592594704761 ("ixgbe: process the Tx ipsec offload")
> > Reported-by: Michael Marley <michael@michaelmarley.com>
> > Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
>
> I'll apply this directly and queue it up for -stable, thanks.
Thanks Dave!
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ixgbe: Fix secpath usage for IPsec TX offload.
2019-09-12 11:01 [PATCH] ixgbe: Fix secpath usage for IPsec TX offload Steffen Klassert
2019-09-12 11:43 ` David Miller
@ 2019-09-12 16:33 ` Jonathan Tooker
2019-09-12 17:54 ` Shannon Nelson
2019-09-12 18:47 ` Jeff Kirsher
2019-09-12 17:48 ` Shannon Nelson
2019-09-12 17:50 ` Michael Marley
3 siblings, 2 replies; 8+ messages in thread
From: Jonathan Tooker @ 2019-09-12 16:33 UTC (permalink / raw)
To: Steffen Klassert, Jeff Kirsher, intel-wired-lan
Cc: Michael Marley, Shannon Nelson, netdev
On 9/12/2019 6:01 AM, Steffen Klassert wrote:
> The ixgbe driver currently does IPsec TX offloading
> based on an existing secpath. However, the secpath
> can also come from the RX side, in this case it is
> misinterpreted for TX offload and the packets are
> dropped with a "bad sa_idx" error. Fix this by using
> the xfrm_offload() function to test for TX offload.
>
Does this patch also need to be ported to the ixgbevf driver? I can
replicate the bad sa_idx error using a VM that's using a VF & the
ixgebvf driver.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ixgbe: Fix secpath usage for IPsec TX offload.
2019-09-12 11:01 [PATCH] ixgbe: Fix secpath usage for IPsec TX offload Steffen Klassert
2019-09-12 11:43 ` David Miller
2019-09-12 16:33 ` Jonathan Tooker
@ 2019-09-12 17:48 ` Shannon Nelson
2019-09-12 17:50 ` Michael Marley
3 siblings, 0 replies; 8+ messages in thread
From: Shannon Nelson @ 2019-09-12 17:48 UTC (permalink / raw)
To: Steffen Klassert, Jeff Kirsher, intel-wired-lan; +Cc: Michael Marley, netdev
On 9/12/19 12:01 PM, Steffen Klassert wrote:
> The ixgbe driver currently does IPsec TX offloading
> based on an existing secpath. However, the secpath
> can also come from the RX side, in this case it is
> misinterpreted for TX offload and the packets are
> dropped with a "bad sa_idx" error. Fix this by using
> the xfrm_offload() function to test for TX offload.
Acked-by: Shannon Nelson <snelson@pensando.io>
>
> Fixes: 592594704761 ("ixgbe: process the Tx ipsec offload")
> Reported-by: Michael Marley <michael@michaelmarley.com>
> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
> ---
> drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
> index 9bcae44e9883..ae31bd57127c 100644
> --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
> +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
> @@ -36,6 +36,7 @@
> #include <net/vxlan.h>
> #include <net/mpls.h>
> #include <net/xdp_sock.h>
> +#include <net/xfrm.h>
>
> #include "ixgbe.h"
> #include "ixgbe_common.h"
> @@ -8696,7 +8697,7 @@ netdev_tx_t ixgbe_xmit_frame_ring(struct sk_buff *skb,
> #endif /* IXGBE_FCOE */
>
> #ifdef CONFIG_IXGBE_IPSEC
> - if (secpath_exists(skb) &&
> + if (xfrm_offload(skb) &&
> !ixgbe_ipsec_tx(tx_ring, first, &ipsec_tx))
> goto out_drop;
> #endif
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ixgbe: Fix secpath usage for IPsec TX offload.
2019-09-12 11:01 [PATCH] ixgbe: Fix secpath usage for IPsec TX offload Steffen Klassert
` (2 preceding siblings ...)
2019-09-12 17:48 ` Shannon Nelson
@ 2019-09-12 17:50 ` Michael Marley
3 siblings, 0 replies; 8+ messages in thread
From: Michael Marley @ 2019-09-12 17:50 UTC (permalink / raw)
To: Steffen Klassert; +Cc: Jeff Kirsher, intel-wired-lan, Shannon Nelson, netdev
On 2019-09-12 07:01, Steffen Klassert wrote:
> The ixgbe driver currently does IPsec TX offloading
> based on an existing secpath. However, the secpath
> can also come from the RX side, in this case it is
> misinterpreted for TX offload and the packets are
> dropped with a "bad sa_idx" error. Fix this by using
> the xfrm_offload() function to test for TX offload.
>
> Fixes: 592594704761 ("ixgbe: process the Tx ipsec offload")
> Reported-by: Michael Marley <michael@michaelmarley.com>
> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Tested-by: Michael Marley <michael@michaelmarley.com>
> ---
> drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
> b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
> index 9bcae44e9883..ae31bd57127c 100644
> --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
> +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
> @@ -36,6 +36,7 @@
> #include <net/vxlan.h>
> #include <net/mpls.h>
> #include <net/xdp_sock.h>
> +#include <net/xfrm.h>
>
> #include "ixgbe.h"
> #include "ixgbe_common.h"
> @@ -8696,7 +8697,7 @@ netdev_tx_t ixgbe_xmit_frame_ring(struct sk_buff
> *skb,
> #endif /* IXGBE_FCOE */
>
> #ifdef CONFIG_IXGBE_IPSEC
> - if (secpath_exists(skb) &&
> + if (xfrm_offload(skb) &&
> !ixgbe_ipsec_tx(tx_ring, first, &ipsec_tx))
> goto out_drop;
> #endif
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ixgbe: Fix secpath usage for IPsec TX offload.
2019-09-12 16:33 ` Jonathan Tooker
@ 2019-09-12 17:54 ` Shannon Nelson
2019-09-12 18:47 ` Jeff Kirsher
1 sibling, 0 replies; 8+ messages in thread
From: Shannon Nelson @ 2019-09-12 17:54 UTC (permalink / raw)
To: Jonathan Tooker, Steffen Klassert, Jeff Kirsher, intel-wired-lan
Cc: Michael Marley, netdev
On 9/12/19 5:33 PM, Jonathan Tooker wrote:
> On 9/12/2019 6:01 AM, Steffen Klassert wrote:
>> The ixgbe driver currently does IPsec TX offloading
>> based on an existing secpath. However, the secpath
>> can also come from the RX side, in this case it is
>> misinterpreted for TX offload and the packets are
>> dropped with a "bad sa_idx" error. Fix this by using
>> the xfrm_offload() function to test for TX offload.
>>
> Does this patch also need to be ported to the ixgbevf driver? I can
> replicate the bad sa_idx error using a VM that's using a VF & the
> ixgebvf driver.
>
Yes.
sln
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ixgbe: Fix secpath usage for IPsec TX offload.
2019-09-12 16:33 ` Jonathan Tooker
2019-09-12 17:54 ` Shannon Nelson
@ 2019-09-12 18:47 ` Jeff Kirsher
1 sibling, 0 replies; 8+ messages in thread
From: Jeff Kirsher @ 2019-09-12 18:47 UTC (permalink / raw)
To: Jonathan Tooker, Steffen Klassert, intel-wired-lan
Cc: Michael Marley, Shannon Nelson, netdev
[-- Attachment #1: Type: text/plain, Size: 675 bytes --]
On Thu, 2019-09-12 at 11:33 -0500, Jonathan Tooker wrote:
> On 9/12/2019 6:01 AM, Steffen Klassert wrote:
> > The ixgbe driver currently does IPsec TX offloading
> > based on an existing secpath. However, the secpath
> > can also come from the RX side, in this case it is
> > misinterpreted for TX offload and the packets are
> > dropped with a "bad sa_idx" error. Fix this by using
> > the xfrm_offload() function to test for TX offload.
> >
> Does this patch also need to be ported to the ixgbevf driver? I can
> replicate the bad sa_idx error using a VM that's using a VF & the
> ixgebvf driver.
>
I am putting together a patch for ixgbevf right now.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2019-09-12 18:49 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-12 11:01 [PATCH] ixgbe: Fix secpath usage for IPsec TX offload Steffen Klassert
2019-09-12 11:43 ` David Miller
2019-09-12 15:57 ` Jeff Kirsher
2019-09-12 16:33 ` Jonathan Tooker
2019-09-12 17:54 ` Shannon Nelson
2019-09-12 18:47 ` Jeff Kirsher
2019-09-12 17:48 ` Shannon Nelson
2019-09-12 17:50 ` Michael Marley
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).