summaryrefslogtreecommitdiffstats
path: root/include/net/xfrm.h
diff options
context:
space:
mode:
authorHuy Nguyen <huyn@mellanox.com>2020-06-01 23:39:37 +0200
committerSteffen Klassert <steffen.klassert@secunet.com>2020-06-04 10:45:14 +0200
commit94579ac3f6d0820adc83b5dc5358ead0158101e9 (patch)
tree993e23a70e70df318f25b6b7d8e80509e623fa21 /include/net/xfrm.h
parentMerge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next (diff)
downloadlinux-94579ac3f6d0820adc83b5dc5358ead0158101e9.tar.xz
linux-94579ac3f6d0820adc83b5dc5358ead0158101e9.zip
xfrm: Fix double ESP trailer insertion in IPsec crypto offload.
During IPsec performance testing, we see bad ICMP checksum. The error packet has duplicated ESP trailer due to double validate_xmit_xfrm calls. The first call is from ip_output, but the packet cannot be sent because netif_xmit_frozen_or_stopped is true and the packet gets dev_requeue_skb. The second call is from NET_TX softirq. However after the first call, the packet already has the ESP trailer. Fix by marking the skb with XFRM_XMIT bit after the packet is handled by validate_xmit_xfrm to avoid duplicate ESP trailer insertion. Fixes: f6e27114a60a ("net: Add a xfrm validate function to validate_xmit_skb") Signed-off-by: Huy Nguyen <huyn@mellanox.com> Reviewed-by: Boris Pismenny <borisp@mellanox.com> Reviewed-by: Raed Salem <raeds@mellanox.com> Reviewed-by: Saeed Mahameed <saeedm@mellanox.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'include/net/xfrm.h')
-rw-r--r--include/net/xfrm.h1
1 files changed, 1 insertions, 0 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 094fe682f5d7..c7d213c9f9d8 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1008,6 +1008,7 @@ struct xfrm_offload {
#define XFRM_GRO 32
#define XFRM_ESP_NO_TRAILER 64
#define XFRM_DEV_RESUME 128
+#define XFRM_XMIT 256
__u32 status;
#define CRYPTO_SUCCESS 1