From patchwork Mon Oct 16 09:15:12 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Leon Romanovsky X-Patchwork-Id: 13422808 X-Patchwork-Delegate: kuba@kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AD5151C285 for ; Mon, 16 Oct 2023 09:15:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="ApEbfj1d" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1BDDAC433C7; Mon, 16 Oct 2023 09:15:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1697447737; bh=NzeoFg/RlSPo87Mq500xuKg6O2P1KskYO7MbxT7cKUQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ApEbfj1dU9h19+8RKKL9wO1isE5D40lyjpfXMusH9/B+wcVZXslxYRJmqQmK3h+dn Ay3Xw0m6HfQQeY85Ncb//BU/2WPIsBUEGov/pGqel7iloht3bT4QROE+qQJPRkBSkk AdYA78m2cTJcwbYG1S8FOaEGC658AW89KVq/igtYLqEQ/aM2dh4WrD3RQJHhnWKoPs T51rzumsgrKE+S9j+rcnQgt1yIp1748QEJQLhXvyjUhHX882q5dZ/ZtSEYeRWcj68v t8zOnA4LpbHNOEES1ssqU3fOVw1P6nvTw3///N2cAYKZKfVr5V3gLVumLfrT+Q9BTp Kl1rLpouhqIUQ== From: Leon Romanovsky To: Steffen Klassert Cc: Leon Romanovsky , Herbert Xu , netdev@vger.kernel.org, Patrisious Haddad , Raed Salem , Saeed Mahameed Subject: [PATCH xfrm-next 4/9] net/mlx5e: Ensure that IPsec sequence packet number starts from 1 Date: Mon, 16 Oct 2023 12:15:12 +0300 Message-ID: <1f32944a06ab72d61d7b5d2471e99d4dc189b205.1697444728.git.leon@kernel.org> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Leon Romanovsky According to RFC4303, section "3.3.3. Sequence Number Generation", the first packet sent using a given SA will contain a sequence number of 1. However if user didn't set seq/oseq, the HW used zero as first sequence packet number. Such misconfiguration causes to drop of first packet if replay window protection was enabled in SA. To fix it, set sequence number to be at least 1. Fixes: 7db21ef4566e ("net/mlx5e: Set IPsec replay sequence numbers") Signed-off-by: Leon Romanovsky --- drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c index ddd2230f04aa..bf88232a2fc2 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c @@ -121,7 +121,14 @@ static bool mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry) if (x->xso.type == XFRM_DEV_OFFLOAD_CRYPTO) esn_msb = xfrm_replay_seqhi(x, htonl(seq_bottom)); - sa_entry->esn_state.esn = esn; + if (sa_entry->esn_state.esn_msb) + sa_entry->esn_state.esn = esn; + else + /* According to RFC4303, section "3.3.3. Sequence Number Generation", + * the first packet sent using a given SA will contain a sequence + * number of 1. + */ + sa_entry->esn_state.esn = max_t(u32, esn, 1); sa_entry->esn_state.esn_msb = esn_msb; if (unlikely(overlap && seq_bottom < MLX5E_IPSEC_ESN_SCOPE_MID)) {