xfrm: Fix double ESP trailer insertion in IPsec crypto offload. (94579ac3) · Commits · Mirrors / git.kernel.org / pub_scm_linux_kernel_git_stable_linux · GitLab

Commit 94579ac3 authored Jun 01, 2020 by

Huy Nguyen Committed by Steffen Klassert Jun 04, 2020

xfrm: Fix double ESP trailer insertion in IPsec crypto offload.

During IPsec performance testing, we see bad ICMP checksum. The error packet
has duplicated ESP trailer due to double validate_xmit_xfrm calls. The first call
is from ip_output, but the packet cannot be sent because
netif_xmit_frozen_or_stopped is true and the packet gets dev_requeue_skb. The second
call is from NET_TX softirq. However after the first call, the packet already
has the ESP trailer.

Fix by marking the skb with XFRM_XMIT bit after the packet is handled by
validate_xmit_xfrm to avoid duplicate ESP trailer insertion.

Fixes: f6e27114

 ("net: Add a xfrm validate function to validate_xmit_skb")
Signed-off-by: Huy Nguyen <huyn@mellanox.com>
Reviewed-by: Boris Pismenny <borisp@mellanox.com>
Reviewed-by: Raed Salem <raeds@mellanox.com>
Reviewed-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

parent cb8e59cc

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit 855150a7
· Jul 02, 2020

mentioned in commit 855150a7

mentioned in commit 855150a762385644a8cf6535e5ec40a08207d8e7

Toggle commit list
mirror @mirror
mentioned in commit 58f8f107
· Apr 15, 2021

mentioned in commit 58f8f107

mentioned in commit 58f8f10740392dd25cac90470fb37308fb198f70

Toggle commit list
mirror @mirror
mentioned in commit 5ed41733
· Apr 15, 2021

mentioned in commit 5ed41733

mentioned in commit 5ed41733bd87e3733e42a5d0417087a59d26d4aa

Toggle commit list

Please register or to comment