From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Hyong Youb Kim <hyonkim@cisco.com>,
Leon Romanovsky <leonro@nvidia.com>,
Saeed Mahameed <saeedm@nvidia.com>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 61/64] net/mlx5e: Do not increment ESN when updating IPsec ESN state
Date: Wed, 2 Nov 2022 03:34:27 +0100 [thread overview]
Message-ID: <20221102022053.787487124@linuxfoundation.org> (raw)
In-Reply-To: <20221102022051.821538553@linuxfoundation.org>
From: Hyong Youb Kim <hyonkim@cisco.com>
[ Upstream commit 888be6b279b7257b5f6e4c9527675bff0a335596 ]
An offloaded SA stops receiving after about 2^32 + replay_window
packets. For example, when SA reaches <seq-hi 0x1, seq 0x2c>, all
subsequent packets get dropped with SA-icv-failure (integrity_failed).
To reproduce the bug:
- ConnectX-6 Dx with crypto enabled (FW 22.30.1004)
- ipsec.conf:
nic-offload = yes
replay-window = 32
esn = yes
salifetime=24h
- Run netperf for a long time to send more than 2^32 packets
netperf -H <device-under-test> -t TCP_STREAM -l 20000
When 2^32 + replay_window packets are received, the replay window
moves from the 2nd half of subspace (overlap=1) to the 1st half
(overlap=0). The driver then updates the 'esn' value in NIC
(i.e. seq_hi) as follows.
seq_hi = xfrm_replay_seqhi(seq_bottom)
new esn in NIC = seq_hi + 1
The +1 increment is wrong, as seq_hi already contains the correct
seq_hi. For example, when seq_hi=1, the driver actually tells NIC to
use seq_hi=2 (esn). This incorrect esn value causes all subsequent
packets to fail integrity checks (SA-icv-failure). So, do not
increment.
Fixes: cb01008390bb ("net/mlx5: IPSec, Add support for ESN")
Signed-off-by: Hyong Youb Kim <hyonkim@cisco.com>
Acked-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Link: https://lore.kernel.org/r/20221026135153.154807-2-saeed@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
index c467f5e981f6..70087f2542b2 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -117,7 +117,6 @@ static bool mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry)
struct xfrm_replay_state_esn *replay_esn;
u32 seq_bottom;
u8 overlap;
- u32 *esn;
if (!(sa_entry->x->props.flags & XFRM_STATE_ESN)) {
sa_entry->esn_state.trigger = 0;
@@ -130,11 +129,9 @@ static bool mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry)
sa_entry->esn_state.esn = xfrm_replay_seqhi(sa_entry->x,
htonl(seq_bottom));
- esn = &sa_entry->esn_state.esn;
sa_entry->esn_state.trigger = 1;
if (unlikely(overlap && seq_bottom < MLX5E_IPSEC_ESN_SCOPE_MID)) {
- ++(*esn);
sa_entry->esn_state.overlap = 0;
return true;
} else if (unlikely(!overlap &&
--
2.35.1
next prev parent reply other threads:[~2022-11-02 3:26 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-02 2:33 [PATCH 5.4 00/64] 5.4.223-rc1 review Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 01/64] can: j1939: transport: j1939_session_skb_drop_old(): spin_unlock_irqrestore() before kfree_skb() Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 02/64] can: kvaser_usb: Fix possible completions during init_completion Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 03/64] ALSA: Use del_timer_sync() before freeing timer Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 04/64] ALSA: au88x0: use explicitly signed char Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 05/64] USB: add RESET_RESUME quirk for NVIDIA Jetson devices in RCM Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 06/64] usb: dwc3: gadget: Stop processing more requests on IMI Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 07/64] usb: dwc3: gadget: Dont set IMI for no_interrupt Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 08/64] usb: bdc: change state when port disconnected Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 09/64] usb: xhci: add XHCI_SPURIOUS_SUCCESS to ASM1042 despite being a V0.96 controller Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 10/64] mtd: rawnand: marvell: Use correct logic for nand-keep-config Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 11/64] xhci: Remove device endpoints from bandwidth list when freeing the device Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 12/64] tools: iio: iio_utils: fix digit calculation Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 13/64] iio: light: tsl2583: Fix module unloading Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 14/64] fbdev: smscufx: Fix several use-after-free bugs Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 15/64] mac802154: Fix LQI recording Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 16/64] drm/msm/dsi: fix memory corruption with too many bridges Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 17/64] drm/msm/hdmi: " Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 18/64] mmc: core: Fix kernel panic when remove non-standard SDIO card Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 19/64] kernfs: fix use-after-free in __kernfs_remove Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 20/64] perf auxtrace: Fix address filter symbol name match for modules Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 21/64] s390/futex: add missing EX_TABLE entry to __futex_atomic_op() Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 22/64] s390/pci: add missing EX_TABLE entries to __pcistg_mio_inuser()/__pcilg_mio_inuser() Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 23/64] xfs: finish dfops on every insert range shift iteration Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 24/64] xfs: clear XFS_DQ_FREEING if we cant lock the dquot buffer to flush Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 25/64] xfs: force the log after remapping a synchronous-writes file Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 26/64] Xen/gntdev: dont ignore kernel unmapping error Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 27/64] xen/gntdev: Prevent leaking grants Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 28/64] cgroup-v1: add disabled controller check in cgroup1_parse_param() Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 29/64] mm,hugetlb: take hugetlb_lock before decrementing h->resv_huge_pages Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 30/64] net: ieee802154: fix error return code in dgram_bind() Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 31/64] media: v4l2: Fix v4l2_i2c_subdev_set_name function documentation Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 32/64] drm/msm: Fix return type of mdp4_lvds_connector_mode_valid Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 5.4 33/64] arc: iounmap() arg is volatile Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 34/64] ALSA: ac97: fix possible memory leak in snd_ac97_dev_register() Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 35/64] tipc: fix a null-ptr-deref in tipc_topsrv_accept Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 36/64] net: netsec: fix error handling in netsec_register_mdio() Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 37/64] x86/unwind/orc: Fix unreliable stack dump with gcov Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 38/64] amd-xgbe: fix the SFP compliance codes check for DAC cables Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 39/64] amd-xgbe: add the bit rate quirk for Molex cables Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 40/64] kcm: annotate data-races around kcm->rx_psock Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 41/64] kcm: annotate data-races around kcm->rx_wait Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 42/64] net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 43/64] net: lantiq_etop: dont free skb when returning NETDEV_TX_BUSY Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 44/64] tcp: fix indefinite deferral of RTO with SACK reneging Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 45/64] can: mscan: mpc5xxx: mpc5xxx_can_probe(): add missing put_clock() in error path Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 46/64] PM: hibernate: Allow hybrid sleep to work with s2idle Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 47/64] media: vivid: s_fbuf: add more sanity checks Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 48/64] media: vivid: dev->bitmap_cap wasnt freed in all cases Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 49/64] media: v4l2-dv-timings: add sanity checks for blanking values Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 50/64] media: videodev2.h: V4L2_DV_BT_BLANKING_HEIGHT should check interlaced Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 51/64] i40e: Fix ethtool rx-flow-hash setting for X722 Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 52/64] i40e: Fix VF hang when reset is triggered on another VF Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 53/64] i40e: Fix flow-type by setting GL_HASH_INSET registers Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 54/64] net: ksz884x: fix missing pci_disable_device() on error in pcidev_init() Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 55/64] PM: domains: Fix handling of unavailable/disabled idle states Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 56/64] ALSA: aoa: i2sbus: fix possible memory leak in i2sbus_add_dev() Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 57/64] ALSA: aoa: Fix I2S device accounting Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 58/64] openvswitch: switch from WARN to pr_warn Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 59/64] net: ehea: fix possible memory leak in ehea_register_port() Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 60/64] nh: fix scope used to find saddr when adding non gw nh Greg Kroah-Hartman
2022-11-02 2:34 ` Greg Kroah-Hartman [this message]
2022-11-02 2:34 ` [PATCH 5.4 62/64] net/mlx5: Fix possible use-after-free in async command interface Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 63/64] net: enetc: survive memory pressure without crashing Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 5.4 64/64] can: rcar_canfd: rcar_canfd_handle_global_receive(): fix IRQ storm on global FIFO receive Greg Kroah-Hartman
2022-11-02 17:50 ` [PATCH 5.4 00/64] 5.4.223-rc1 review Florian Fainelli
2022-11-02 20:46 ` Guenter Roeck
2022-11-03 9:18 ` Naresh Kamboju
2022-11-03 12:21 ` Sudip Mukherjee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221102022053.787487124@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=hyonkim@cisco.com \
--cc=kuba@kernel.org \
--cc=leonro@nvidia.com \
--cc=patches@lists.linux.dev \
--cc=saeedm@nvidia.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).