net/mlx5e: kTLS, Do not send decrypted-marked SKBs via non-accel path
commit5.4-rM2-2.2.x-imx-squashed342508c1c7
upstream. When TCP out-of-order is identified (unexpected TCP seq mismatch), the driver analyzes the packet and decides what handling it should get: 1. go to the accelerated path (to be encrypted in HW), 2. go to the regular xmit path (sent w/o encryption), 3. drop. Packets marked with skb->decrypted by the TLS stack in the TX flow skip SW encryption and rely on the HW offload. Verify that such packets are never sent unencrypted on the wire. Add a WARN to catch such bugs, and prefer dropping the packet in these cases. Fixes:46a3ea9807
("net/mlx5e: kTLS, Enhance TX resync flow") Signed-off-by: Tariq Toukan <tariqt@mellanox.com> Signed-off-by: Boris Pismenny <borisp@mellanox.com> Reviewed-by: Boris Pismenny <borisp@mellanox.com> Signed-off-by: Saeed Mahameed <saeedm@mellanox.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent
43eda24c6f
commit
9bd7ae7eab
|
@ -458,12 +458,18 @@ struct sk_buff *mlx5e_ktls_handle_tx_skb(struct net_device *netdev,
|
|||
enum mlx5e_ktls_sync_retval ret =
|
||||
mlx5e_ktls_tx_handle_ooo(priv_tx, sq, datalen, seq);
|
||||
|
||||
if (likely(ret == MLX5E_KTLS_SYNC_DONE))
|
||||
switch (ret) {
|
||||
case MLX5E_KTLS_SYNC_DONE:
|
||||
*wqe = mlx5e_sq_fetch_wqe(sq, sizeof(**wqe), pi);
|
||||
else if (ret == MLX5E_KTLS_SYNC_FAIL)
|
||||
break;
|
||||
case MLX5E_KTLS_SYNC_SKIP_NO_DATA:
|
||||
if (likely(!skb->decrypted))
|
||||
goto out;
|
||||
WARN_ON_ONCE(1);
|
||||
/* fall-through */
|
||||
default: /* MLX5E_KTLS_SYNC_FAIL */
|
||||
goto err_out;
|
||||
else /* ret == MLX5E_KTLS_SYNC_SKIP_NO_DATA */
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
priv_tx->expected_seq = seq + datalen;
|
||||
|
|
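Review bot: In the `MLX5E_KTLS_SYNC_SKIP_NO_DATA` case, `WARN_ON_ONCE(1)` reports only the first decrypted-marked skb that reaches this branch; every later one falls through to `goto err_out` silently, so a recurring fault that would otherwise have put plaintext on the wire looks like an ordinary resync failure unless `err_out` (outside this hunk) accounts for it separately. Folding the test into the warning, `if (WARN_ON_ONCE(skb->decrypted)) goto err_out;` followed by `goto out;`, keeps the failing condition in the splat and removes the fall-through, and a dedicated drop counter beside it would keep the event visible after the first hit. Because this sits in the TX datapath, it is also worth confirming that the state cannot be reached through peer-influenced reordering, since hosts running with `panic_on_warn` turn a WARN into a crash. The enclosing function mlx5e_ktls_handle_tx_skb starts and ends outside the hunk, so its other `goto out` exits could not be checked for the same `skb->decrypted` guard.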