]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7593439)
net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed
authorCarolina Jubran <cjubran@nvidia.com>
Sun, 5 Oct 2025 08:29:58 +0000 (11:29 +0300)
committerPaolo Abeni <pabeni@redhat.com>
Tue, 7 Oct 2025 10:59:56 +0000 (12:59 +0200)
When configuring IPsec packet offload in tunnel mode, the driver tries
to create tunnel reformat objects unconditionally. This is incorrect,
because tunnel mode is only permitted under specific encapsulation
settings, and that decision is already made when the flow table is
created.

The offending commit attempted to block this case in the state add
path, but the check there happens too late and does not prevent the
reformat from being configured.

Fix by taking short reservations for both the eswitch mode and the
encap at the start of state setup. This preserves the block ordering
(mode --> encap) used later: the mode is blocked during RX/TX get, and
the encap is blocked during flow-table creation. This lets us fail
early if either reservation cannot be obtained, it means a mode
transition is underway or a conflicting configuration already owns
encap. If both succeed, the flow-table path later takes the ownership
and the reservations are released on exit.

Fixes: 146c196b60e4 ("net/mlx5e: Create IPsec table with tunnel support only when encap is disabled")
Signed-off-by: Carolina Jubran <cjubran@nvidia.com>
Reviewed-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1759652999-858513-3-git-send-email-tariqt@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c patch | blob | blame | history
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h patch | blob | blame | history
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c patch | blob | blame | history

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
index 00e77c71e201f8270aab906bc0696b06c16b8453..0a4fb8c922684d1e216c5ccb26dd1cdb65eef266 100644 (file)
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -772,6 +772,7 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
                                struct netlink_ext_ack *extack)
 {
        struct mlx5e_ipsec_sa_entry *sa_entry = NULL;
+       bool allow_tunnel_mode = false;
        struct mlx5e_ipsec *ipsec;
        struct mlx5e_priv *priv;
        gfp_t gfp;
@@ -803,6 +804,20 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
                goto err_xfrm;
        }
 
+       if (mlx5_eswitch_block_mode(priv->mdev))
+               goto unblock_ipsec;
+
+       if (x->props.mode == XFRM_MODE_TUNNEL &&
+           x->xso.type == XFRM_DEV_OFFLOAD_PACKET) {
+               allow_tunnel_mode = mlx5e_ipsec_fs_tunnel_allowed(sa_entry);
+               if (!allow_tunnel_mode) {
+                       NL_SET_ERR_MSG_MOD(extack,
+                                          "Packet offload tunnel mode is disabled due to encap settings");
+                       err = -EINVAL;
+                       goto unblock_mode;
+               }
+       }
+
        /* check esn */
        if (x->props.flags & XFRM_STATE_ESN)
                mlx5e_ipsec_update_esn_state(sa_entry);
@@ -817,7 +832,7 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
 
        err = mlx5_ipsec_create_work(sa_entry);
        if (err)
-               goto unblock_ipsec;
+               goto unblock_encap;
 
        err = mlx5e_ipsec_create_dwork(sa_entry);
        if (err)
@@ -832,14 +847,6 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
        if (err)
                goto err_hw_ctx;
 
-       if (x->props.mode == XFRM_MODE_TUNNEL &&
-           x->xso.type == XFRM_DEV_OFFLOAD_PACKET &&
-           !mlx5e_ipsec_fs_tunnel_enabled(sa_entry)) {
-               NL_SET_ERR_MSG_MOD(extack, "Packet offload tunnel mode is disabled due to encap settings");
-               err = -EINVAL;
-               goto err_add_rule;
-       }
-
        /* We use *_bh() variant because xfrm_timer_handler(), which runs
         * in softirq context, can reach our state delete logic and we need
         * xa_erase_bh() there.
@@ -855,8 +862,7 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
                queue_delayed_work(ipsec->wq, &sa_entry->dwork->dwork,
                                   MLX5_IPSEC_RESCHED);
 
-       if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET &&
-           x->props.mode == XFRM_MODE_TUNNEL) {
+       if (allow_tunnel_mode) {
                xa_lock_bh(&ipsec->sadb);
                __xa_set_mark(&ipsec->sadb, sa_entry->ipsec_obj_id,
                              MLX5E_IPSEC_TUNNEL_SA);
@@ -865,6 +871,11 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
 
 out:
        x->xso.offload_handle = (unsigned long)sa_entry;
+       if (allow_tunnel_mode)
+               mlx5_eswitch_unblock_encap(priv->mdev);
+
+       mlx5_eswitch_unblock_mode(priv->mdev);
+
        return 0;
 
 err_add_rule:
@@ -877,6 +888,11 @@ release_work:
        if (sa_entry->work)
                kfree(sa_entry->work->data);
        kfree(sa_entry->work);
+unblock_encap:
+       if (allow_tunnel_mode)
+               mlx5_eswitch_unblock_encap(priv->mdev);
+unblock_mode:
+       mlx5_eswitch_unblock_mode(priv->mdev);
 unblock_ipsec:
        mlx5_eswitch_unblock_ipsec(priv->mdev);
 err_xfrm:
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
index 23703f28386ad91ca9bc98ef6f0941d9a7d6b22b..5d7c15abfcaf6c98a175326ff79ba1f41773041f 100644 (file)
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
@@ -319,7 +319,7 @@ void mlx5e_accel_ipsec_fs_del_rule(struct mlx5e_ipsec_sa_entry *sa_entry);
 int mlx5e_accel_ipsec_fs_add_pol(struct mlx5e_ipsec_pol_entry *pol_entry);
 void mlx5e_accel_ipsec_fs_del_pol(struct mlx5e_ipsec_pol_entry *pol_entry);
 void mlx5e_accel_ipsec_fs_modify(struct mlx5e_ipsec_sa_entry *sa_entry);
-bool mlx5e_ipsec_fs_tunnel_enabled(struct mlx5e_ipsec_sa_entry *sa_entry);
+bool mlx5e_ipsec_fs_tunnel_allowed(struct mlx5e_ipsec_sa_entry *sa_entry);
 
 int mlx5_ipsec_create_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry);
 void mlx5_ipsec_free_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry);
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
index 0bc08027458423c0b36b96001d18b76bcd837791..bf1d2769d4f139f4c26cb752524246a1d80a9f83 100644 (file)
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
@@ -2850,18 +2850,24 @@ void mlx5e_accel_ipsec_fs_modify(struct mlx5e_ipsec_sa_entry *sa_entry)
        memcpy(sa_entry, &sa_entry_shadow, sizeof(*sa_entry));
 }
 
-bool mlx5e_ipsec_fs_tunnel_enabled(struct mlx5e_ipsec_sa_entry *sa_entry)
+bool mlx5e_ipsec_fs_tunnel_allowed(struct mlx5e_ipsec_sa_entry *sa_entry)
 {
-       struct mlx5_accel_esp_xfrm_attrs *attrs = &sa_entry->attrs;
-       struct mlx5e_ipsec_rx *rx;
-       struct mlx5e_ipsec_tx *tx;
+       struct mlx5e_ipsec *ipsec = sa_entry->ipsec;
+       struct xfrm_state *x = sa_entry->x;
+       bool from_fdb;
 
-       rx = ipsec_rx(sa_entry->ipsec, attrs->addrs.family, attrs->type);
-       tx = ipsec_tx(sa_entry->ipsec, attrs->type);
-       if (sa_entry->attrs.dir == XFRM_DEV_OFFLOAD_OUT)
-               return tx->allow_tunnel_mode;
+       if (x->xso.dir == XFRM_DEV_OFFLOAD_OUT) {
+               struct mlx5e_ipsec_tx *tx = ipsec_tx(ipsec, x->xso.type);
+
+               from_fdb = (tx == ipsec->tx_esw);
+       } else {
+               struct mlx5e_ipsec_rx *rx = ipsec_rx(ipsec, x->props.family,
+                                                    x->xso.type);
+
+               from_fdb = (rx == ipsec->rx_esw);
+       }
 
-       return rx->allow_tunnel_mode;
+       return mlx5_eswitch_block_encap(ipsec->mdev, from_fdb);
 }
 
 void mlx5e_ipsec_handle_mpv_event(int event, struct mlx5e_priv *slave_priv,
A mirror of Linus' kernel repository