From 7bdb3136d262ec2afca5f131fe787ec5b7d23f4f Mon Sep 17 00:00:00 2001 From: Alaa Hleihel Date: Sun, 10 May 2020 15:04:52 -0400 Subject: [PATCH 127/312] [netdrv] net/mlx5e: kTLS, Do not send decrypted-marked SKBs via non-accel path Message-id: <20200510150452.10307-88-ahleihel@redhat.com> Patchwork-id: 306711 Patchwork-instance: patchwork O-Subject: [RHEL8.3 BZ 1789380 v2 87/87] net/mlx5e: kTLS, Do not send decrypted-marked SKBs via non-accel path Bugzilla: 1789380 RH-Acked-by: Kamal Heib RH-Acked-by: Jarod Wilson RH-Acked-by: Tony Camuso RH-Acked-by: Jonathan Toppins Bugzilla: http://bugzilla.redhat.com/1789380 Upstream: v5.5 commit 342508c1c7540e281fd36151c175ba5ff954a99f Author: Tariq Toukan Date: Mon Jan 20 13:42:00 2020 +0200 net/mlx5e: kTLS, Do not send decrypted-marked SKBs via non-accel path When TCP out-of-order is identified (unexpected tcp seq mismatch), driver analyzes the packet and decides what handling should it get: 1. go to accelerated path (to be encrypted in HW), 2. go to regular xmit path (send w/o encryption), 3. drop. Packets marked with skb->decrypted by the TLS stack in the TX flow skips SW encryption, and rely on the HW offload. Verify that such packets are never sent un-encrypted on the wire. Add a WARN to catch such bugs, and prefer dropping the packet in these cases. Fixes: 46a3ea98074e ("net/mlx5e: kTLS, Enhance TX resync flow") Signed-off-by: Tariq Toukan Signed-off-by: Boris Pismenny Reviewed-by: Boris Pismenny Signed-off-by: Saeed Mahameed Signed-off-by: Alaa Hleihel Signed-off-by: Frantisek Hrbata --- drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c index 592e921aa167..f260dd96873b 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c @@ -458,12 +458,18 @@ struct sk_buff *mlx5e_ktls_handle_tx_skb(struct net_device *netdev, enum mlx5e_ktls_sync_retval ret = mlx5e_ktls_tx_handle_ooo(priv_tx, sq, datalen, seq); - if (likely(ret == MLX5E_KTLS_SYNC_DONE)) + switch (ret) { + case MLX5E_KTLS_SYNC_DONE: *wqe = mlx5e_sq_fetch_wqe(sq, sizeof(**wqe), pi); - else if (ret == MLX5E_KTLS_SYNC_FAIL) + break; + case MLX5E_KTLS_SYNC_SKIP_NO_DATA: + if (likely(!skb->decrypted)) + goto out; + WARN_ON_ONCE(1); + /* fall-through */ + default: /* MLX5E_KTLS_SYNC_FAIL */ goto err_out; - else /* ret == MLX5E_KTLS_SYNC_SKIP_NO_DATA */ - goto out; + } } priv_tx->expected_seq = seq + datalen; -- 2.13.6