[PATCH 6.7 195/346] net/mlx5e: Ignore IPsec replay window values on sender side

29 Jan 2024

6.7-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Leon Romanovsky leonro@nvidia.com
[ Upstream commit 315a597f9bcfe7fe9980985031413457bee95510 ]
XFRM stack doesn't prevent from users to configure replay window
in TX side and strongswan sets replay_window to be 1. It causes
to failures in validation logic when trying to offload the SA.
Replay window is not relevant in TX side and should be ignored.
Fixes: cded6d80129b ("net/mlx5e: Store replay window in XFRM attributes")
Signed-off-by: Aya Levin ayal@nvidia.com
Signed-off-by: Leon Romanovsky leonro@nvidia.com
Signed-off-by: Saeed Mahameed saeedm@nvidia.com
Signed-off-by: Sasha Levin sashal@kernel.org
---
 .../net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c   | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
index 161c5190c236..05612d9c6080 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -336,12 +336,17 @@ void mlx5e_ipsec_build_accel_xfrm_attrs(struct mlx5e_ipsec_sa_entry *sa_entry,
    /* iv len */
    aes_gcm->icv_len = x->aead->alg_icv_len;
+	attrs->dir = x->xso.dir;
+
    /* esn */
    if (x->props.flags & XFRM_STATE_ESN) {
    	attrs->replay_esn.trigger = true;
    	attrs->replay_esn.esn = sa_entry->esn_state.esn;
    	attrs->replay_esn.esn_msb = sa_entry->esn_state.esn_msb;
    	attrs->replay_esn.overlap = sa_entry->esn_state.overlap;
+		if (attrs->dir == XFRM_DEV_OFFLOAD_OUT)
+			goto skip_replay_window;
+
    	switch (x->replay_esn->replay_window) {
    	case 32:
    		attrs->replay_esn.replay_window =
@@ -365,7 +370,7 @@ void mlx5e_ipsec_build_accel_xfrm_attrs(struct mlx5e_ipsec_sa_entry *sa_entry,
    	}
    }
-	attrs->dir = x->xso.dir;
+skip_replay_window:
    /* spi */
    attrs->spi = be32_to_cpu(x->id.spi);
@@ -501,7 +506,8 @@ static int mlx5e_xfrm_validate_state(struct mlx5_core_dev *mdev,
    		return -EINVAL;
    	}
-		if (x->replay_esn && x->replay_esn->replay_window != 32 &&
+		if (x->replay_esn && x->xso.dir == XFRM_DEV_OFFLOAD_IN &&
+		    x->replay_esn->replay_window != 32 &&
    	    x->replay_esn->replay_window != 64 &&
    	    x->replay_esn->replay_window != 128 &&
    	    x->replay_esn->replay_window != 256) {
-- 
2.43.0





    

2024

2023

2022

2021

2020

2019

2018

2017

[PATCH 6.7 195/346] net/mlx5e: Ignore IPsec replay window values on sender side