From nobody Wed Dec 17 19:19:08 2025
Received: from CH4PR04CU002.outbound.protection.outlook.com
 (mail-northcentralusazon11013019.outbound.protection.outlook.com
 [40.107.201.19])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id EDC401F3B87;
	Sun,  5 Oct 2025 08:30:53 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=fail smtp.client-ip=40.107.201.19
ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1759653055; cv=fail;
 b=dehXJqUjsjqI0Ig/Kr0alJS4sy7VbQLaroE8hmlO/XnDNtAduDM3vjwZT7D+EipEw/GPXq03kyWrnn2aKNaBmzLwEEOi3Zbo2/LKADzqLOKuY7VjRpl9D/ReoKW+qxqEV5xYEZCyR87YqXX2SCstqg10cPtKU8FHM8GJxOK0rjA=
ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1759653055; c=relaxed/simple;
	bh=9v7LaNfs6a9of/UxptfhO1UxbKTgqHyGqiP8fgROFI0=;
	h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=LqdRc88edjz/5Z6TnS4YmHmu3Q8YlrKO+H5RFox+PNB0GJif+9yWRN2yXuIDPL3bRttE+F/QQWWNEFqDOJTwKctfODkNxwcq0XSAIyH7JHcJ37SYoSbyzbWynP5y6yKmHadP/STaORHBWqwjtpvXXAqP+XArZTrXHAJ6PcxzE0I=
ARC-Authentication-Results: i=2; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=nvidia.com;
 spf=fail smtp.mailfrom=nvidia.com;
 dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com
 header.b=oqoMR1wy; arc=fail smtp.client-ip=40.107.201.19
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=nvidia.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=fail smtp.mailfrom=nvidia.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com
 header.b="oqoMR1wy"
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
 b=VpQ/wuZkKpdtZGBGPNJsAhH6B0W8m8Bf7B/QN5vRZkm7KjPtkn+ZuCRfO7WS1YXDaMZ2NB0YfIOao/myNENwToVh0dO45jG27Wh77Ks2P4+9e7Vh8667bPKXYm/ilrg/7/FRBWKGJbzzBi6DLPTnODRa5y0QVxnvSMMa/gG0QKT0GPELSbBCId6V0mCeumd59Iejmp3Z9scq/HnTQ2CpgSzcI3VBa4Qptlkb4AuD3sxHBWCreh2zKCBmBn8rvH4GG31Ggin2pjgAfiUfC37IzfBUuHLQP1PHpE06oRe9vfUweIoDwjK/iBxFntjtk7jcyjRabblL7A718QmIgXRhyA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector10001;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=EdsCja1zoNSq1Ynmd6kh5VPMHYuds48wi+m8vckpzMc=;
 b=E0eFJ2PnqoLaeMTHSPBMT6JC90d6/1Bi9kwPDjqWdxOXIMWlv7+oZCFQi8myADlNaVLArySOBYhflGoTWYX6vZ1GZRR+dFYMD5E7KyM+bt4BWgO8sjc02ZnuulVTg2ywzg7+NiLMk9PKiOoosNBOXnNyvlgm0m6DbGvpiHfgZ025zYZX+iKRhXIzTTTSaQgC0t4ZCqd1QUMQom8N1quJD97WN7TJIdncJhhnuCoXpB/omK5647A52AxnExswTjUcihFj4d9+CHobWbFgFtPhX7cX5d1o3GcETDE8IVIdahEgeZZDmIpdim+IBMnUcW9Qpc9my42fNUNbgRgpSogNvg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
 216.228.117.161) smtp.rcpttodomain=google.com smtp.mailfrom=nvidia.com;
 dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com;
 dkim=none (message not signed); arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com;
 s=selector2;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=EdsCja1zoNSq1Ynmd6kh5VPMHYuds48wi+m8vckpzMc=;
 b=oqoMR1wyfmc54UZ9Gi+cOOKJpbLt6l+jJGMxJVVBBtEEAmUCym7XSWC2XPrIUQWqLCl8FCAzeTFRc34CcS5yele95k9ow4EQ8Ntj5QazVkXPdoy8UV4tVeomW5zBtjBXTARG4P4dM8mktxfEZyBwcsDVtJtSr067ftwZyL03r82cHtGXqVBnfFOMGrp6H42iImqly827fMpBYpDil1vXZ61f4OajV3swi8/oRbEK9IszvkRE+kbLH/ERw46ZdcOFYKtE0EQ0tjaMfjsVoajIlju2CPiE1GcYA1zcWWRz1VqzDhV0P6qV3rJl+k2pe64Dk5PpDMW39ilY8H5XYVnQ/Q==
Received: from BN8PR15CA0069.namprd15.prod.outlook.com (2603:10b6:408:80::46)
 by IA1PR12MB7590.namprd12.prod.outlook.com (2603:10b6:208:42a::5) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9182.20; Sun, 5 Oct
 2025 08:30:45 +0000
Received: from BN1PEPF00004681.namprd03.prod.outlook.com
 (2603:10b6:408:80:cafe::d5) by BN8PR15CA0069.outlook.office365.com
 (2603:10b6:408:80::46) with Microsoft SMTP Server (version=TLS1_3,
 cipher=TLS_AES_256_GCM_SHA384) id 15.20.9182.20 via Frontend Transport; Sun,
 5 Oct 2025 08:30:45 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.161)
 smtp.mailfrom=nvidia.com; dkim=none (message not signed)
 header.d=none;dmarc=pass action=none header.from=nvidia.com;
Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates
 216.228.117.161 as permitted sender) receiver=protection.outlook.com;
 client-ip=216.228.117.161; helo=mail.nvidia.com; pr=C
Received: from mail.nvidia.com (216.228.117.161) by
 BN1PEPF00004681.mail.protection.outlook.com (10.167.243.87) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.9203.9 via Frontend Transport; Sun, 5 Oct 2025 08:30:45 +0000
Received: from rnnvmail203.nvidia.com (10.129.68.9) by mail.nvidia.com
 (10.129.200.67) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.14; Sun, 5 Oct
 2025 01:30:22 -0700
Received: from rnnvmail203.nvidia.com (10.129.68.9) by rnnvmail203.nvidia.com
 (10.129.68.9) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Sun, 5 Oct
 2025 01:30:21 -0700
Received: from vdi.nvidia.com (10.127.8.10) by mail.nvidia.com (10.129.68.9)
 with Microsoft SMTP Server id 15.2.2562.20 via Frontend Transport; Sun, 5 Oct
 2025 01:30:17 -0700
From: Tariq Toukan <tariqt@nvidia.com>
To: Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>, Andrew Lunn <andrew+netdev@lunn.ch>, "David
 S. Miller" <davem@davemloft.net>
CC: Saeed Mahameed <saeedm@nvidia.com>, Leon Romanovsky <leon@kernel.org>,
	Tariq Toukan <tariqt@nvidia.com>, Mark Bloch <mbloch@nvidia.com>,
	<netdev@vger.kernel.org>, <linux-rdma@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>, Gal Pressman <gal@nvidia.com>, "Carolina
 Jubran" <cjubran@nvidia.com>
Subject: [PATCH net 1/3] net/mlx5: Prevent tunnel mode conflicts between FDB
 and NIC IPsec tables
Date: Sun, 5 Oct 2025 11:29:57 +0300
Message-ID: <1759652999-858513-2-git-send-email-tariqt@nvidia.com>
X-Mailer: git-send-email 2.8.0
In-Reply-To: <1759652999-858513-1-git-send-email-tariqt@nvidia.com>
References: <1759652999-858513-1-git-send-email-tariqt@nvidia.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-NV-OnPremToCloud: ExternallySecured
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: BN1PEPF00004681:EE_|IA1PR12MB7590:EE_
X-MS-Office365-Filtering-Correlation-Id: 7186c8cc-49de-48af-bc46-08de03e97a9e
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: 
	BCL:0;ARA:13230040|1800799024|36860700013|376014|82310400026;
X-Microsoft-Antispam-Message-Info: 
	=?utf-8?B?MEU1SU9qK3hjanltQnM5V1V5YUM2WXhzTFZ1RlNSMWo5cFl1VVNoV0N0M1hE?=
 =?utf-8?B?blpNalQrQXlWYTFjZ2xBbkpRcUpHS0VFK21mTWpVU3hZL3RQTjRuMVgwbk1y?=
 =?utf-8?B?RG5HUU5GWWp3S01UQlhuUi85b3dGU0txd2g1Tk1YL2dOajd5b2NzZlFJc3c3?=
 =?utf-8?B?NHhoL3RHQXE4ajF0UVZhaC9rYkVwTG04U09ON3VDamZ6VjJ2dlhTTHpBNjVV?=
 =?utf-8?B?VGVSek9UNzMwWWJwZnVCSjZkMkhpQmt6VzZWV21qUDY1SlVVUHp0bTVDT2Zs?=
 =?utf-8?B?Vi9FMW9VbWRlcnAyZ3VSRVorSnM2TG8rMUxidUdlMC8yVjRQdTFseENudU5R?=
 =?utf-8?B?Uk9lTzVYNG4vdkxsZktVM2NRbjZmSGVBODM0V24vZzlvS1JFdGNzSDU1SEox?=
 =?utf-8?B?RE1OUThpNEhTT2ZXaDd3ZXhhRlNpSVhZeHJtYTAyeU1tYlFBZEZ0TGxaTzc4?=
 =?utf-8?B?V0luRnhVd0VCUWh2UmY5NU1ZalpCc3M4QjhITXlsTERKazI1VGc4SnhidHcw?=
 =?utf-8?B?Q2hPcWh6Nk9xV0Zzb1hYZHU3ZmF4dDQyMENhMGtjdmFXd3NWdG8yNGFyU2pj?=
 =?utf-8?B?ZDRKc2tDQ3IvNGE4NHNXRVJESmpvWGF0TC9FUmpITCtNNzdxajh3cC9BeWVB?=
 =?utf-8?B?NmVjdnpxODJOMDhyZjI0MEcyVkF0aWhOS3dLR3J0Z1lVN1ZYSWtqS2lRS0tv?=
 =?utf-8?B?SkFxNndJZ0IvdEp0MWF3MlNuOWE5TEltbWNoRGhRQXVuWFRsd00wTDJRcEFv?=
 =?utf-8?B?NVlxK2p0OHpQVkpNK0tUV0FtMGFRam9sYTJDdmNuMHkyK0xyeVVING9EaW1z?=
 =?utf-8?B?bE9FUlZaTXFYYlFJbEQwa2RvUE42MHVnanZRT2MzNklsQkdReWFtZmRmbnJ4?=
 =?utf-8?B?YndURGRrV2RXU0hBZ0ZlRUFKK2ZsTTIxT3BYQzh1M0xkYW9kMGxNVDhkbHFK?=
 =?utf-8?B?cGx2azUxS1hHWW85bHVhTlhCT0lNSlU0K29URWZaRWtHYTBnMEJKUEM5cnV4?=
 =?utf-8?B?UXBLbGh2clAyRlQrMXFIcEpLbWpwQ21rTFBiS3R2YlBSQzJsRGlvZk1qcDNB?=
 =?utf-8?B?M0E5OU9KcDM2bHIzTEpMNWw0U2QzVWIzR1ByZ09WRHFmbFZjM0ZaOXBIbnZB?=
 =?utf-8?B?bDRicEdtVjk4dk5NREN0MFlsV0Z0bFAvMm9mVFpUekNuZHMyTFA5MzExK0JN?=
 =?utf-8?B?VStmTjlEZ2YycUU5d0hFYzV4RElkekU1Nm52em1FTFBBakFuQ05QN2RPMndY?=
 =?utf-8?B?Z1B2c3BMSUxreS96b0hxN1crOTlkVWVRa0JKOCt1bllVUGpkZXRuK3F3OXMr?=
 =?utf-8?B?OFNOaGxPWk5FWG9rMEJRMFNONHZsN1VIRTNITUdVZ04rSmRFV09QRVRCZmRh?=
 =?utf-8?B?T2UzZWFmc1cyV29RQUVBTHJFam9PWXpvK2x1UjB0V3loaGxkVUs1eWxLV3V0?=
 =?utf-8?B?WmR6SFpWRjZucnRXdjdGWjRVS0Z3NlJpbWVxUjFFYUIyQkJtYW84cEVKNkNo?=
 =?utf-8?B?ZjJTTDlrZWhONmhwblZyM0Fyd2Vab3B1SytPbTIvYnZCcTg5aHh1UUIrU0lo?=
 =?utf-8?B?eU1FR1pZZDg0ODRXTE9waFgxdHU1MXNJTFdHUXV3cVd6b05uZVE4cjB0Vml3?=
 =?utf-8?B?ZzYvbHBpYVlkZFg0ck5YV2wvRFE1L2JEMVVIdGo4UHZsTlBrTlFXbHI1MjVx?=
 =?utf-8?B?OWYyNUg1OW1NSm1sWFduVllwZHI1aWpvMWZwS1FOMVpDNUJraUhKbzVSNG5N?=
 =?utf-8?B?NHE1UUJyemxMV1VndGxxRlQxcnppNEgvTlJFVS9IQkZTZEY5NmZ5QzgzbVNx?=
 =?utf-8?B?VWRQSjJMK1pOZDFpRi9nQmVTYkJZLzNHR2tydTc2UzdHM1BzVE9QdGRndG1r?=
 =?utf-8?B?Q1BGUTFCek1EaUpDejFqd2d3cXlpaW8yMDZ3L3FLT3lrYTJWVUhiUjVYRjdZ?=
 =?utf-8?B?QXlyazZxR3lLUjQ5dUEweDFqVmoyMDFnK2RlREFyZCtJaUU3YWtyMUZqRFpm?=
 =?utf-8?B?RzhPa1FJTk5lNVBGVmYxWEV1aEZJcDRrTW1SOTlmbUlwUFhwVGxSZDFNWDhD?=
 =?utf-8?B?VEwzcVVnZDJUeG8vVGlmWlR2c3Y2NHVkZlV2UVpZL3ZHYWFzZjJEUUFEVDVW?=
 =?utf-8?Q?uCTo=3D?=
X-Forefront-Antispam-Report: 
	CIP:216.228.117.161;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:dc6edge2.nvidia.com;CAT:NONE;SFS:(13230040)(1800799024)(36860700013)(376014)(82310400026);DIR:OUT;SFP:1101;
X-OriginatorOrg: Nvidia.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Oct 2025 08:30:45.0817
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 7186c8cc-49de-48af-bc46-08de03e97a9e
X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: 
 TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.117.161];Helo=[mail.nvidia.com]
X-MS-Exchange-CrossTenant-AuthSource: 
	BN1PEPF00004681.namprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA1PR12MB7590

From: Carolina Jubran <cjubran@nvidia.com>

When creating IPsec flow tables with tunnel mode enabled, the driver
uses mlx5_eswitch_block_encap() to prevent tunnel encapsulation
conflicts across different domains (NIC_RX/NIC_TX and FDB), since the
firmware doesn=E2=80=99t allow both at the same time.

Currently, the driver attempts to reserve tunnel mode unconditionally
for both NIC and FDB IPsec tables. This can lead to conflicting tunnel
mode setups, for example, if a flow table was created in the FDB
domain with tunnel offload enabled, and we later try to create another
one in the NIC, or vice versa.

To resolve this, adjust the blocking logic so that tunnel mode is only
reserved by NIC flows. This ensures that tunnel offload is exclusively
used in either the NIC or the FDB, and avoids unintended offload
conflicts.

Fixes: 1762f132d542 ("net/mlx5e: Support IPsec packet offload for RX in swi=
tchdev mode")
Fixes: c6c2bf5db4ea ("net/mlx5e: Support IPsec packet offload for TX in swi=
tchdev mode")
Signed-off-by: Carolina Jubran <cjubran@nvidia.com>
Reviewed-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
---
 .../mellanox/mlx5/core/en_accel/ipsec_fs.c     |  8 ++++++--
 .../net/ethernet/mellanox/mlx5/core/eswitch.h  |  5 +++--
 .../mellanox/mlx5/core/eswitch_offloads.c      | 18 ++++++++++--------
 3 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/=
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
index 6ccfc2af07b7..0bc080274584 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
@@ -1069,7 +1069,9 @@ static int rx_create(struct mlx5_core_dev *mdev, stru=
ct mlx5e_ipsec *ipsec,
=20
 	/* Create FT */
 	if (mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_TUNNEL)
-		rx->allow_tunnel_mode =3D mlx5_eswitch_block_encap(mdev);
+		rx->allow_tunnel_mode =3D
+			mlx5_eswitch_block_encap(mdev, rx =3D=3D ipsec->rx_esw);
+
 	if (rx->allow_tunnel_mode)
 		flags =3D MLX5_FLOW_TABLE_TUNNEL_EN_REFORMAT;
 	ft =3D ipsec_ft_create(attr.ns, attr.sa_level, attr.prio, 1, 2, flags);
@@ -1310,7 +1312,9 @@ static int tx_create(struct mlx5e_ipsec *ipsec, struc=
t mlx5e_ipsec_tx *tx,
 		goto err_status_rule;
=20
 	if (mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_TUNNEL)
-		tx->allow_tunnel_mode =3D mlx5_eswitch_block_encap(mdev);
+		tx->allow_tunnel_mode =3D
+			mlx5_eswitch_block_encap(mdev, tx =3D=3D ipsec->tx_esw);
+
 	if (tx->allow_tunnel_mode)
 		flags =3D MLX5_FLOW_TABLE_TUNNEL_EN_REFORMAT;
 	ft =3D ipsec_ft_create(tx->ns, attr.sa_level, attr.prio, 1, 4, flags);
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/ne=
t/ethernet/mellanox/mlx5/core/eswitch.h
index df3756d7e52e..16eb99aba2a7 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
@@ -879,7 +879,7 @@ void mlx5_eswitch_offloads_single_fdb_del_one(struct ml=
x5_eswitch *master_esw,
 					      struct mlx5_eswitch *slave_esw);
 int mlx5_eswitch_reload_ib_reps(struct mlx5_eswitch *esw);
=20
-bool mlx5_eswitch_block_encap(struct mlx5_core_dev *dev);
+bool mlx5_eswitch_block_encap(struct mlx5_core_dev *dev, bool from_fdb);
 void mlx5_eswitch_unblock_encap(struct mlx5_core_dev *dev);
=20
 int mlx5_eswitch_block_mode(struct mlx5_core_dev *dev);
@@ -974,7 +974,8 @@ mlx5_eswitch_reload_ib_reps(struct mlx5_eswitch *esw)
 	return 0;
 }
=20
-static inline bool mlx5_eswitch_block_encap(struct mlx5_core_dev *dev)
+static inline bool
+mlx5_eswitch_block_encap(struct mlx5_core_dev *dev, bool from_fdb)
 {
 	return true;
 }
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/d=
rivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
index 52c3de24bea3..4cf995be127d 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
@@ -4006,23 +4006,25 @@ int mlx5_devlink_eswitch_inline_mode_get(struct dev=
link *devlink, u8 *mode)
 	return esw_inline_mode_to_devlink(esw->offloads.inline_mode, mode);
 }
=20
-bool mlx5_eswitch_block_encap(struct mlx5_core_dev *dev)
+bool mlx5_eswitch_block_encap(struct mlx5_core_dev *dev, bool from_fdb)
 {
 	struct mlx5_eswitch *esw =3D dev->priv.eswitch;
+	enum devlink_eswitch_encap_mode encap;
+	bool allow_tunnel =3D false;
=20
 	if (!mlx5_esw_allowed(esw))
 		return true;
=20
 	down_write(&esw->mode_lock);
-	if (esw->mode !=3D MLX5_ESWITCH_LEGACY &&
-	    esw->offloads.encap !=3D DEVLINK_ESWITCH_ENCAP_MODE_NONE) {
-		up_write(&esw->mode_lock);
-		return false;
+	encap =3D esw->offloads.encap;
+	if (esw->mode =3D=3D MLX5_ESWITCH_LEGACY ||
+	    (encap =3D=3D DEVLINK_ESWITCH_ENCAP_MODE_NONE && !from_fdb)) {
+		allow_tunnel =3D true;
+		esw->offloads.num_block_encap++;
 	}
-
-	esw->offloads.num_block_encap++;
 	up_write(&esw->mode_lock);
-	return true;
+
+	return allow_tunnel;
 }
=20
 void mlx5_eswitch_unblock_encap(struct mlx5_core_dev *dev)
--=20
2.31.1

From nobody Wed Dec 17 19:19:08 2025
Received: from MW6PR02CU001.outbound.protection.outlook.com
 (mail-westus2azon11012039.outbound.protection.outlook.com [52.101.48.39])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id D54AF1F12F4;
	Sun,  5 Oct 2025 08:30:52 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=fail smtp.client-ip=52.101.48.39
ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1759653054; cv=fail;
 b=sn9iYUEpXzKHM1SWhm/s//GCQeeNHlQO+1g0Ysva14dfYCIk43irUt2cqoop+DwXOHWr/SCjuMCczp++BolVfpSTu3deUaj439VwZ27vN8yufh3MHWnINOu06M6cL8Z+QBIzmvKgODIV+5yQJD48wpajq39EBo5KKykS+FjIxM0=
ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1759653054; c=relaxed/simple;
	bh=j7G0C5fQRd8q7lfNP9ARFkcuPZ8KOPMDfW2kXKKiPPw=;
	h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=kwSkRCDpbKoLrPfYDH5TIwG0h5jcS241PHFaNJZbVEjGX28yBjgZRjLtIkzZwOB465SBCg3iyLGSIK7CEPrHgHLF4tYae+9pVU1YzvLee6ha90wt7KM02Bj5Z1v55SPStvxFmeDH0VCe4hn+v6M0lCqgsGD2eeoZj4yBtm3IWfI=
ARC-Authentication-Results: i=2; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=nvidia.com;
 spf=fail smtp.mailfrom=nvidia.com;
 dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com
 header.b=uDW4uBh+; arc=fail smtp.client-ip=52.101.48.39
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=nvidia.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=fail smtp.mailfrom=nvidia.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com
 header.b="uDW4uBh+"
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
 b=uCsHo6tiqegz0U8lg9AC49rPiLopcf6xWobZx3wruz/h86PiwbpMBk/fUEXVz0rhVBLqyIGg7Q4p0WYjTOPsjpHmBfzYqXZg8XEB88uXaYukGd9wVtwly8EUHLq9YXTriY6WV1D8JOK4rIWksx38QD33RU28Qin+CtGOe4gPSrf7AY9i6gv904SLAFxFKbx42bOCGqOROxRC6U8XfqXYWL5azUebXxEOUPWRtanbvLNTz/pOL4Sm0D4VxIeGfm+PHD4aPJa8IHjnvxzRQURVJWAen1MR/6tfpWA9x+SjfL80GbE1/zhaEGnALC8siiT4pjVWn6tnMqj5WtxW03a+xg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector10001;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=P/mBqrkkE4N7HbKA60SQVKwTaU1CH1ORiJ9LZ/P4bZ8=;
 b=MRcKQqB59R1JZD6YdbcYHY+cMMNEvMGpqJRe9VuMw2ZkYcL3IORkTKB/PQ50A/1Gwh8jHA7j8Jwq+3rgM8CASS48wvu4OYmZ7cFsxe/9Ak++xFnLjUiQTd5JB9mYsJKTrm/kvPN3U33Sb00DcUcpAypxiEKOySxB6Mpd9ZdfRQA1Ec8BQ2JrQKoJ2Ctopxh4x0pmLm0cxZs8ko8EEIpCksne20VZ25XnfISCq5b3oXNpK7BM07XzazK2X+yxKjdZ17bl5nklptzPP5Ui7um4BH5nmMx1O3xTuppvKe4zcrjWcQaN6n2TeXIUrqO7A24mRm45Sle3yDmHnt8jMsrIpA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
 216.228.117.161) smtp.rcpttodomain=google.com smtp.mailfrom=nvidia.com;
 dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com;
 dkim=none (message not signed); arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com;
 s=selector2;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=P/mBqrkkE4N7HbKA60SQVKwTaU1CH1ORiJ9LZ/P4bZ8=;
 b=uDW4uBh+EMT41Vf1tYYS7fTwN5ILHY7h4SC4Y8ygU7dd2P6Hhn2uXj168QBnKOb/+qjwzqaXSLl4/5PSHQo6T7XyUuDTSl7ZZVRtbtHgeMRaXraBBGAyFJWZ3tMgIDyOG8vxkvLUjbqNGgG6a2h/bh2ticc5gLO1x/sGcvkKSuuBmAHuO8G+QFrWWcGEeYsh2QE7+krsJgwE+24L2NvkWBh6mea8VqA2RW2OE/SBLNR7RkO3bvxD66QggFmY7WsY8uwAzysXmqDG6MoSSPdNFSIFFMRP6iUb2FRy7Esc2FBLwKDi7DZU+QAWF3RGE4WGyB+8vrsAR09aEbxUQOWCsw==
Received: from BN9PR03CA0558.namprd03.prod.outlook.com (2603:10b6:408:138::23)
 by LV8PR12MB9450.namprd12.prod.outlook.com (2603:10b6:408:202::13) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9137.19; Sun, 5 Oct
 2025 08:30:47 +0000
Received: from BN1PEPF00004682.namprd03.prod.outlook.com
 (2603:10b6:408:138:cafe::5) by BN9PR03CA0558.outlook.office365.com
 (2603:10b6:408:138::23) with Microsoft SMTP Server (version=TLS1_3,
 cipher=TLS_AES_256_GCM_SHA384) id 15.20.9182.20 via Frontend Transport; Sun,
 5 Oct 2025 08:30:47 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.161)
 smtp.mailfrom=nvidia.com; dkim=none (message not signed)
 header.d=none;dmarc=pass action=none header.from=nvidia.com;
Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates
 216.228.117.161 as permitted sender) receiver=protection.outlook.com;
 client-ip=216.228.117.161; helo=mail.nvidia.com; pr=C
Received: from mail.nvidia.com (216.228.117.161) by
 BN1PEPF00004682.mail.protection.outlook.com (10.167.243.88) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.9203.9 via Frontend Transport; Sun, 5 Oct 2025 08:30:47 +0000
Received: from rnnvmail202.nvidia.com (10.129.68.7) by mail.nvidia.com
 (10.129.200.67) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.14; Sun, 5 Oct
 2025 01:30:26 -0700
Received: from rnnvmail203.nvidia.com (10.129.68.9) by rnnvmail202.nvidia.com
 (10.129.68.7) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Sun, 5 Oct
 2025 01:30:26 -0700
Received: from vdi.nvidia.com (10.127.8.10) by mail.nvidia.com (10.129.68.9)
 with Microsoft SMTP Server id 15.2.2562.20 via Frontend Transport; Sun, 5 Oct
 2025 01:30:22 -0700
From: Tariq Toukan <tariqt@nvidia.com>
To: Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>, Andrew Lunn <andrew+netdev@lunn.ch>, "David
 S. Miller" <davem@davemloft.net>
CC: Saeed Mahameed <saeedm@nvidia.com>, Leon Romanovsky <leon@kernel.org>,
	Tariq Toukan <tariqt@nvidia.com>, Mark Bloch <mbloch@nvidia.com>,
	<netdev@vger.kernel.org>, <linux-rdma@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>, Gal Pressman <gal@nvidia.com>, "Carolina
 Jubran" <cjubran@nvidia.com>
Subject: [PATCH net 2/3] net/mlx5e: Prevent tunnel reformat when tunnel mode
 not allowed
Date: Sun, 5 Oct 2025 11:29:58 +0300
Message-ID: <1759652999-858513-3-git-send-email-tariqt@nvidia.com>
X-Mailer: git-send-email 2.8.0
In-Reply-To: <1759652999-858513-1-git-send-email-tariqt@nvidia.com>
References: <1759652999-858513-1-git-send-email-tariqt@nvidia.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-NV-OnPremToCloud: ExternallySecured
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: BN1PEPF00004682:EE_|LV8PR12MB9450:EE_
X-MS-Office365-Filtering-Correlation-Id: 1744d064-fe8b-4f48-b8ab-08de03e97c07
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: 
	BCL:0;ARA:13230040|82310400026|1800799024|36860700013|376014;
X-Microsoft-Antispam-Message-Info: 
	=?us-ascii?Q?OBElJxCldLJ3z9ol9ZQMjZbwZ1BMJCPvT34TQ8T3qId2nq4g/C7SjZ+9SnIK?=
 =?us-ascii?Q?QJl0wgfqYi7o/XpYrN0fdksbC9TJ6hDx+fgMNWUTKtCOHz+Asi8aAMs4ia8g?=
 =?us-ascii?Q?PDWJV/ohNHMx23AdQqanr+g1qj7Q5k0eMDg2TWEiYvJiaQZGlosmvKE8VZAy?=
 =?us-ascii?Q?g7eRwRWmFPu4S3EFrdwskcH/Uki+fKyoZV77a+xly5BlJ4HH/e8CHGaBCfNp?=
 =?us-ascii?Q?BGAF3PP3vLaau0JZUA8wsskz04mAsyyE9NL81KSRPXvkhgQqM6dQHMakdEmF?=
 =?us-ascii?Q?TyXtrZ8M0LAYlQF6yyZDbUBPzu2zWmMo6RkhBygJEOdD0fIXVEiWdWsi9mt5?=
 =?us-ascii?Q?3RmIaYqYqCgmmQZj3wPiTba+V2ND9lg4FRsyuvqy2mx5488cTp5KM73sv37r?=
 =?us-ascii?Q?iTwgc7vnhbNpGJvkNVJTJnfD7NJCHZ3hBosqmSyYyzVIyu4MoUzfX0PquRXq?=
 =?us-ascii?Q?peafocuA9QD2425QPwZIeHKdwXIUv9e2DdpKbitMJl3W3+iTkL9BXinUKVnj?=
 =?us-ascii?Q?n5qsrA1+0b2+jH2kFRJHk33VH2AP3YfVcaMUSWbfoGcCuIauPRNz5Y+OrLko?=
 =?us-ascii?Q?X1khYruvNSzZlWR/uztwtCtDzhdmYYWE4/Z/eXuPS6COeCxZWI/LHFTG7L6u?=
 =?us-ascii?Q?9x48nfLziNO+w6QPUJEF8UOx+8FYw9J1D4voc4UL+NT8uCDS5rEiivicXgBc?=
 =?us-ascii?Q?mQ8l5VavZuEgi6clDtLbaZm5Vj4zjOQmYsovtt2NlbDJuA8DmqfvXWWrF+tO?=
 =?us-ascii?Q?TBkG/D6EenPH9pGL3jiI8YySJ3831cw7in9lglA4H8w0G2gFjhgwq2BF++Wj?=
 =?us-ascii?Q?YeUOxY2HEbYDgYlWBM7mRygnBlLsZbIBJvN0LnrB69SArKmzLaOCHaQpPPPZ?=
 =?us-ascii?Q?fvbNJyz6CrzGYLtwK9LblviCjFYFUxDzYnDShiMSuYM1DFMridrAQ7wy+lpz?=
 =?us-ascii?Q?5CN7gSQyayA+ikf6HG9LLLfuMQZMdfqLFCahZZ3hQoMwLNY+MRdNXjw1yJNA?=
 =?us-ascii?Q?0h5gNb9PcYkMnt0JQPX5RUZrUclxksMaAZ6QdLEi9wGVRymrc2UG+s6bD9YL?=
 =?us-ascii?Q?OvRnTSnX3zxja/mU5MwZjMGc5MvJzKod797iot7FkYv+tGeF9q4aB/5dFoII?=
 =?us-ascii?Q?WkecPQAxWVkF++b54/Who7NSHTP9J2MmuiBmHeRcuqbC4+AqGauiatfAH4pa?=
 =?us-ascii?Q?eyzIFCAvC75gyQJeYI2V9gUv3JOuFYKr9PyHm5bYm4KvhKNYhHnTGZD9tzRh?=
 =?us-ascii?Q?J4fhL/q0XUDgiWey9JM8hiUuPq8c5td8ApThSTcqRkgmS+7lfGUoYjg3B2SX?=
 =?us-ascii?Q?RZwnkgF6f3aUoStoQwRt9n6yePjlIRXFdA03UI+9SpaCbNdmy4LaqZtIj/Ri?=
 =?us-ascii?Q?Y3SD6U0wY7SRlfTqgAPguGFwKfRGZXhBm3QlU9G/uMbpjEtt2wPd6oSp6IrF?=
 =?us-ascii?Q?5gPEJYHpooqmpcfScmBo7a37aODMFweAPcBYUbcK1TPgUSvG6W5OOxjsWp+U?=
 =?us-ascii?Q?1FcH3G4stVm7cBwuoFolSZP1d1TBWU5cfG2CLGDMDC4ObN6fBnoVUK446RrF?=
 =?us-ascii?Q?zWb2ibibU+r9hDYUjaQ=3D?=
X-Forefront-Antispam-Report: 
	CIP:216.228.117.161;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:dc6edge2.nvidia.com;CAT:NONE;SFS:(13230040)(82310400026)(1800799024)(36860700013)(376014);DIR:OUT;SFP:1101;
X-OriginatorOrg: Nvidia.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Oct 2025 08:30:47.4387
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 1744d064-fe8b-4f48-b8ab-08de03e97c07
X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: 
 TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.117.161];Helo=[mail.nvidia.com]
X-MS-Exchange-CrossTenant-AuthSource: 
	BN1PEPF00004682.namprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: LV8PR12MB9450
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Carolina Jubran <cjubran@nvidia.com>

When configuring IPsec packet offload in tunnel mode, the driver tries
to create tunnel reformat objects unconditionally. This is incorrect,
because tunnel mode is only permitted under specific encapsulation
settings, and that decision is already made when the flow table is
created.

The offending commit attempted to block this case in the state add
path, but the check there happens too late and does not prevent the
reformat from being configured.

Fix by taking short reservations for both the eswitch mode and the
encap at the start of state setup. This preserves the block ordering
(mode --> encap) used later: the mode is blocked during RX/TX get, and
the encap is blocked during flow-table creation. This lets us fail
early if either reservation cannot be obtained, it means a mode
transition is underway or a conflicting configuration already owns
encap. If both succeed, the flow-table path later takes the ownership
and the reservations are released on exit.

Fixes: 146c196b60e4 ("net/mlx5e: Create IPsec table with tunnel support onl=
y when encap is disabled")
Signed-off-by: Carolina Jubran <cjubran@nvidia.com>
Reviewed-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
---
 .../mellanox/mlx5/core/en_accel/ipsec.c       | 38 +++++++++++++------
 .../mellanox/mlx5/core/en_accel/ipsec.h       |  2 +-
 .../mellanox/mlx5/core/en_accel/ipsec_fs.c    | 24 +++++++-----
 3 files changed, 43 insertions(+), 21 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/dri=
vers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
index 00e77c71e201..0a4fb8c92268 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -772,6 +772,7 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
 				struct netlink_ext_ack *extack)
 {
 	struct mlx5e_ipsec_sa_entry *sa_entry =3D NULL;
+	bool allow_tunnel_mode =3D false;
 	struct mlx5e_ipsec *ipsec;
 	struct mlx5e_priv *priv;
 	gfp_t gfp;
@@ -803,6 +804,20 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
 		goto err_xfrm;
 	}
=20
+	if (mlx5_eswitch_block_mode(priv->mdev))
+		goto unblock_ipsec;
+
+	if (x->props.mode =3D=3D XFRM_MODE_TUNNEL &&
+	    x->xso.type =3D=3D XFRM_DEV_OFFLOAD_PACKET) {
+		allow_tunnel_mode =3D mlx5e_ipsec_fs_tunnel_allowed(sa_entry);
+		if (!allow_tunnel_mode) {
+			NL_SET_ERR_MSG_MOD(extack,
+					   "Packet offload tunnel mode is disabled due to encap settings");
+			err =3D -EINVAL;
+			goto unblock_mode;
+		}
+	}
+
 	/* check esn */
 	if (x->props.flags & XFRM_STATE_ESN)
 		mlx5e_ipsec_update_esn_state(sa_entry);
@@ -817,7 +832,7 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
=20
 	err =3D mlx5_ipsec_create_work(sa_entry);
 	if (err)
-		goto unblock_ipsec;
+		goto unblock_encap;
=20
 	err =3D mlx5e_ipsec_create_dwork(sa_entry);
 	if (err)
@@ -832,14 +847,6 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
 	if (err)
 		goto err_hw_ctx;
=20
-	if (x->props.mode =3D=3D XFRM_MODE_TUNNEL &&
-	    x->xso.type =3D=3D XFRM_DEV_OFFLOAD_PACKET &&
-	    !mlx5e_ipsec_fs_tunnel_enabled(sa_entry)) {
-		NL_SET_ERR_MSG_MOD(extack, "Packet offload tunnel mode is disabled due t=
o encap settings");
-		err =3D -EINVAL;
-		goto err_add_rule;
-	}
-
 	/* We use *_bh() variant because xfrm_timer_handler(), which runs
 	 * in softirq context, can reach our state delete logic and we need
 	 * xa_erase_bh() there.
@@ -855,8 +862,7 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
 		queue_delayed_work(ipsec->wq, &sa_entry->dwork->dwork,
 				   MLX5_IPSEC_RESCHED);
=20
-	if (x->xso.type =3D=3D XFRM_DEV_OFFLOAD_PACKET &&
-	    x->props.mode =3D=3D XFRM_MODE_TUNNEL) {
+	if (allow_tunnel_mode) {
 		xa_lock_bh(&ipsec->sadb);
 		__xa_set_mark(&ipsec->sadb, sa_entry->ipsec_obj_id,
 			      MLX5E_IPSEC_TUNNEL_SA);
@@ -865,6 +871,11 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
=20
 out:
 	x->xso.offload_handle =3D (unsigned long)sa_entry;
+	if (allow_tunnel_mode)
+		mlx5_eswitch_unblock_encap(priv->mdev);
+
+	mlx5_eswitch_unblock_mode(priv->mdev);
+
 	return 0;
=20
 err_add_rule:
@@ -877,6 +888,11 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
 	if (sa_entry->work)
 		kfree(sa_entry->work->data);
 	kfree(sa_entry->work);
+unblock_encap:
+	if (allow_tunnel_mode)
+		mlx5_eswitch_unblock_encap(priv->mdev);
+unblock_mode:
+	mlx5_eswitch_unblock_mode(priv->mdev);
 unblock_ipsec:
 	mlx5_eswitch_unblock_ipsec(priv->mdev);
 err_xfrm:
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h b/dri=
vers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
index 23703f28386a..5d7c15abfcaf 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
@@ -319,7 +319,7 @@ void mlx5e_accel_ipsec_fs_del_rule(struct mlx5e_ipsec_s=
a_entry *sa_entry);
 int mlx5e_accel_ipsec_fs_add_pol(struct mlx5e_ipsec_pol_entry *pol_entry);
 void mlx5e_accel_ipsec_fs_del_pol(struct mlx5e_ipsec_pol_entry *pol_entry);
 void mlx5e_accel_ipsec_fs_modify(struct mlx5e_ipsec_sa_entry *sa_entry);
-bool mlx5e_ipsec_fs_tunnel_enabled(struct mlx5e_ipsec_sa_entry *sa_entry);
+bool mlx5e_ipsec_fs_tunnel_allowed(struct mlx5e_ipsec_sa_entry *sa_entry);
=20
 int mlx5_ipsec_create_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry);
 void mlx5_ipsec_free_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry);
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/=
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
index 0bc080274584..bf1d2769d4f1 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
@@ -2850,18 +2850,24 @@ void mlx5e_accel_ipsec_fs_modify(struct mlx5e_ipsec=
_sa_entry *sa_entry)
 	memcpy(sa_entry, &sa_entry_shadow, sizeof(*sa_entry));
 }
=20
-bool mlx5e_ipsec_fs_tunnel_enabled(struct mlx5e_ipsec_sa_entry *sa_entry)
+bool mlx5e_ipsec_fs_tunnel_allowed(struct mlx5e_ipsec_sa_entry *sa_entry)
 {
-	struct mlx5_accel_esp_xfrm_attrs *attrs =3D &sa_entry->attrs;
-	struct mlx5e_ipsec_rx *rx;
-	struct mlx5e_ipsec_tx *tx;
+	struct mlx5e_ipsec *ipsec =3D sa_entry->ipsec;
+	struct xfrm_state *x =3D sa_entry->x;
+	bool from_fdb;
=20
-	rx =3D ipsec_rx(sa_entry->ipsec, attrs->addrs.family, attrs->type);
-	tx =3D ipsec_tx(sa_entry->ipsec, attrs->type);
-	if (sa_entry->attrs.dir =3D=3D XFRM_DEV_OFFLOAD_OUT)
-		return tx->allow_tunnel_mode;
+	if (x->xso.dir =3D=3D XFRM_DEV_OFFLOAD_OUT) {
+		struct mlx5e_ipsec_tx *tx =3D ipsec_tx(ipsec, x->xso.type);
+
+		from_fdb =3D (tx =3D=3D ipsec->tx_esw);
+	} else {
+		struct mlx5e_ipsec_rx *rx =3D ipsec_rx(ipsec, x->props.family,
+						     x->xso.type);
+
+		from_fdb =3D (rx =3D=3D ipsec->rx_esw);
+	}
=20
-	return rx->allow_tunnel_mode;
+	return mlx5_eswitch_block_encap(ipsec->mdev, from_fdb);
 }
=20
 void mlx5e_ipsec_handle_mpv_event(int event, struct mlx5e_priv *slave_priv,
--=20
2.31.1
From nobody Wed Dec 17 19:19:08 2025
Received: from PH8PR06CU001.outbound.protection.outlook.com
 (mail-westus3azon11012052.outbound.protection.outlook.com [40.107.209.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 848AF1FF7D7;
	Sun,  5 Oct 2025 08:31:02 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=fail smtp.client-ip=40.107.209.52
ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1759653064; cv=fail;
 b=rYrWp6YiqYpp8xb3/8JxTcyaaalqDS500qIzICSsFLreaFYwYKhteXaJj2+AzgX1H9OiUqHd9XycGLtDbkooFWu5TfPlyR5DO/JGiNYGRuFCB2RUfzg/cD19edvckQcqvthK0ywckGkiRBsK3tVCSAmC9Ycmm56RcP9e4ZpjUfc=
ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1759653064; c=relaxed/simple;
	bh=1d6p+bKpq7aowflts87+tIj6WAetsuZizKVzUP7jm+w=;
	h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=nqqJ5vHuAMtehkCZkxGPRbEi/dJfFlJMz7H+2N8H1gkfk4JzgaYA1QKeMxnAHioMrazXYFg2fOmjDXij3rxZqzryx1bpxAJE+mGCLcEyUdKa+YUu/0QDx4UF/pI9izbKPWlz9Yi30fUy5zw4RxZ/f+2Wb+K4wkO5hjCOlYzoYT0=
ARC-Authentication-Results: i=2; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=nvidia.com;
 spf=fail smtp.mailfrom=nvidia.com;
 dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com
 header.b=n6wViu0u; arc=fail smtp.client-ip=40.107.209.52
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=nvidia.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=fail smtp.mailfrom=nvidia.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com
 header.b="n6wViu0u"
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
 b=VIq96jIMm3e1myAi2aq4AY0ih9yJuz53/t5AIotGQHTbrGDi+N8d0Jm8gTR+FAe6wVZgF/i2paa4wR6xut7sHZMxDlJum6MvOPvS3ZBCa7SkOBbw5dnpLVix9ku78DXSOJzPnyydVVzxtFkotfzeyYT+RAnlQsuWMZUJsWWPgV6Am0+RZ8K9LSu4+gVcU6P67ir16Abk+My7ykc5otfGh96re3iNBgtvQNfHpqWN6SOaJyEMNLWNXV51I59fBrNsx/ylmyHN5LZvXeJmVHlh6uZ1g2Sr9IqZRDQGYwX7R0CtJ01E+Rd4IkHZm8ZT2PruOAxJBbKjcavVN5gq97KKBg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector10001;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=aOTivTVkUryA1hapXLUgHaR/2hzGmsKeYTbwh7ShYUA=;
 b=alBWDZCdt2UcFFUNJUC3+n8bEc7oc8CSIobU5LRYaePGcXgAUWU9AjWceTBnQBpvxsUz1cIhoIRiv7ih85eFi0kvQODlF8JeC2DAHdVs6nDkRcZdp7XRaL6soJyU6fNIC65smac5H585+XVcREyjn/GtAYnzhxYhg/26bUbx20uXdUsmaIG1z3llNrfKG6PIQabVOBG3uj2IURKbFM6ZPSbmx70y4SLVKlyzyNJXpYnANgF5YsxbGVmZZXGo0Ak3YSNSvYKzqIbzPBVPF7YDBAVZv1w/ZNdAsCPHcNHOBI283HCnswtmeEhX9ytdYPZAX3aGId+EZE3sJtMzg56w4Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
 216.228.117.161) smtp.rcpttodomain=google.com smtp.mailfrom=nvidia.com;
 dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com;
 dkim=none (message not signed); arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com;
 s=selector2;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=aOTivTVkUryA1hapXLUgHaR/2hzGmsKeYTbwh7ShYUA=;
 b=n6wViu0u8rCfoslZXmOMJjXr/2Wx2dc2OtIaH60dIxk3pno5zOr67/RFCEMxReGKCNMFxHA+PGiFfJiAbR4Zwjh/6tE3EovJRugnUj3oQzYYtY4J2CssJRYNiZFPuK/MFPmFoR12gsTha7fYyfMFhe9f4po2djfo0RI/4HT3W0xfQYqOhH4KNr9xgjyztn/9DEkYTyIkrfCFG53maPEK7Efll0LipAqjo7LiNH/rDBgbhdDunJFDULmIkZ0SRcYb7cr3eNVEylAa6HqoAN3hZG5cSAqsgY5n6zpYFYcWTTb+Rd46jbVY/Y9EqHLu40vs48hCXb2YdCvakKJNOV0Yqw==
Received: from BN9PR03CA0284.namprd03.prod.outlook.com (2603:10b6:408:f5::19)
 by PH7PR12MB6585.namprd12.prod.outlook.com (2603:10b6:510:213::22) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9182.20; Sun, 5 Oct
 2025 08:30:53 +0000
Received: from BN1PEPF00004683.namprd03.prod.outlook.com
 (2603:10b6:408:f5:cafe::2c) by BN9PR03CA0284.outlook.office365.com
 (2603:10b6:408:f5::19) with Microsoft SMTP Server (version=TLS1_3,
 cipher=TLS_AES_256_GCM_SHA384) id 15.20.9160.17 via Frontend Transport; Sun,
 5 Oct 2025 08:30:52 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.161)
 smtp.mailfrom=nvidia.com; dkim=none (message not signed)
 header.d=none;dmarc=pass action=none header.from=nvidia.com;
Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates
 216.228.117.161 as permitted sender) receiver=protection.outlook.com;
 client-ip=216.228.117.161; helo=mail.nvidia.com; pr=C
Received: from mail.nvidia.com (216.228.117.161) by
 BN1PEPF00004683.mail.protection.outlook.com (10.167.243.89) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.9203.9 via Frontend Transport; Sun, 5 Oct 2025 08:30:52 +0000
Received: from rnnvmail203.nvidia.com (10.129.68.9) by mail.nvidia.com
 (10.129.200.67) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.14; Sun, 5 Oct
 2025 01:30:30 -0700
Received: from rnnvmail203.nvidia.com (10.129.68.9) by rnnvmail203.nvidia.com
 (10.129.68.9) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Sun, 5 Oct
 2025 01:30:30 -0700
Received: from vdi.nvidia.com (10.127.8.10) by mail.nvidia.com (10.129.68.9)
 with Microsoft SMTP Server id 15.2.2562.20 via Frontend Transport; Sun, 5 Oct
 2025 01:30:26 -0700
From: Tariq Toukan <tariqt@nvidia.com>
To: Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>, Andrew Lunn <andrew+netdev@lunn.ch>, "David
 S. Miller" <davem@davemloft.net>
CC: Saeed Mahameed <saeedm@nvidia.com>, Leon Romanovsky <leon@kernel.org>,
	Tariq Toukan <tariqt@nvidia.com>, Mark Bloch <mbloch@nvidia.com>,
	<netdev@vger.kernel.org>, <linux-rdma@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>, Gal Pressman <gal@nvidia.com>, Cosmin Ratiu
	<cratiu@nvidia.com>
Subject: [PATCH net 3/3] net/mlx5e: Do not fail PSP init on missing caps
Date: Sun, 5 Oct 2025 11:29:59 +0300
Message-ID: <1759652999-858513-4-git-send-email-tariqt@nvidia.com>
X-Mailer: git-send-email 2.8.0
In-Reply-To: <1759652999-858513-1-git-send-email-tariqt@nvidia.com>
References: <1759652999-858513-1-git-send-email-tariqt@nvidia.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-NV-OnPremToCloud: ExternallySecured
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: BN1PEPF00004683:EE_|PH7PR12MB6585:EE_
X-MS-Office365-Filtering-Correlation-Id: d61a6d9a-011e-4aea-6382-08de03e97f36
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: 
	BCL:0;ARA:13230040|82310400026|1800799024|36860700013|376014;
X-Microsoft-Antispam-Message-Info: 
	=?us-ascii?Q?3r7Na+YYKGQePhyktuWs1TLe4HJcQEKCZE1gw9dVYxxpqI7rzbt8UEiFS6Ho?=
 =?us-ascii?Q?w9qj7uVVFkdVaAf1+uGpy2K0mS9QUxk9mm9DW1ngdNTwCQJu7QMBauzsrRt0?=
 =?us-ascii?Q?G2ghhMp4tNYr4brxPZiNwtMdZY/fG76JPVeJ2oIgNJpHwbC+AbeF9nAhsXcZ?=
 =?us-ascii?Q?zvlA4DcW/rKbKLI8omjQIEfM8KAbGFhNeASONDUYgvvKqzBpFPZWTisSB+cq?=
 =?us-ascii?Q?3EyukYTEWPU9Ys0Qr5va2zUsspOFyUwwlaymS1lNwTICcFGFfiUAkk+GpCBh?=
 =?us-ascii?Q?yxRBru4kaJYoUVeU0OuOy29PivX8PFmNIy0i3dGKF0p6AWWWmhKSeJ3kpQ2W?=
 =?us-ascii?Q?7YUjIIFCCzIBrwfLr3PeH+T14agxVO5tRC1bNXgu4oDKXvXFtkaIYbL1UHeX?=
 =?us-ascii?Q?SfhHc87Js8alybUPc26Aq6zIqskCOW5e/ROvDUlBnedU1/ZzdKg3QGzbCDK3?=
 =?us-ascii?Q?ZJi9134c3gBbH/8JeNMraJAJhN1abFPfH4rC7RjhZ3gCKWZ4tykyaARVN5BX?=
 =?us-ascii?Q?Q/kHNuJv6uKMmLZPoDpVWmY9+YL+lUrrBKeASts+kzDILyeFPXvXndgelofQ?=
 =?us-ascii?Q?/MJY8P3G+ks9t65mn48FI04rn7qLaECcRX/8QraeOuRc6EPQ3RTCEKeGazmM?=
 =?us-ascii?Q?cWzULwP++ArvB/E3LiaPipC2udyrIJ/TdoCALXTCU2ParOHAiE2cjrieetrY?=
 =?us-ascii?Q?o5R6jCB0ICTWHg1HldrtwpQtFR0WVeGDoociCnervu91AtDunVq5Gfkey5iv?=
 =?us-ascii?Q?UkvfD3Oel5PLYuZTOvhBFowFU2YEZjJ1kC+aGBVJ/22X0wxnDqbtKohAp2Ix?=
 =?us-ascii?Q?O87/4fmhOC3ki2I6wLud1KXJkrXseX09ydcdvnQW9BG/WvISoOfcEzDzWDzI?=
 =?us-ascii?Q?iUNzy5WXH3k1sFSTdngAXI58Gyvks/wI8RGcbTKVkCxiKsYsrI67ZB433ibb?=
 =?us-ascii?Q?+fF/EmPQufc9K1A4Ce+UiETm6rsXuxsXagpQVmIiqyCVEPd+UtdI9i/BtZZo?=
 =?us-ascii?Q?yiRWXXzO/lI9KDNgRVI8PSK5ViXBYqSG+B5pLinY1arDfdq4PE1ezOow7NVC?=
 =?us-ascii?Q?xqb43nQhl47xRfCVYbnN34sMaPhVjmVky/7LUA02zGqzVDxaYoktuPH8wYCP?=
 =?us-ascii?Q?0fkPq0h+7gqzWSReuM37KSnBVqQiv5LQTTY5OlbNNuKVS5LYLyc70mZCXuz0?=
 =?us-ascii?Q?6h7wh9WPDysCZc1Bsbvoc7ybnNB/od8ktNDCq2VMzNYDJcbzeDVxuDJqDBq/?=
 =?us-ascii?Q?8qkYHqdlsA47YbZxpEaeEyH9zFTsRftwQdKRcH8An7KN4dMV+CLCzkYrco49?=
 =?us-ascii?Q?lODl5l7DPkIZyEM4o+sGuuHma5amgzIdKtWg+XrK2WOZysabC43lylRb8BZE?=
 =?us-ascii?Q?lFjrfqmSzzibwNyBSU0+HnLlIwHGla8aUpelMJadl8QFEIAww9Zj9/atEtzU?=
 =?us-ascii?Q?uQTLE1qCKPVQIw93HLnV8eJTwAw1P80M954298PkPzMwuurbqsmGdd7mzzRn?=
 =?us-ascii?Q?uP6QKlY0jiOciXQJk9376GTzR/KHlExA55SnWkvf1Scn1YFvD2/qtNe1Jsiu?=
 =?us-ascii?Q?UzENEWLYby1mOPh+RE8=3D?=
X-Forefront-Antispam-Report: 
	CIP:216.228.117.161;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:dc6edge2.nvidia.com;CAT:NONE;SFS:(13230040)(82310400026)(1800799024)(36860700013)(376014);DIR:OUT;SFP:1101;
X-OriginatorOrg: Nvidia.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Oct 2025 08:30:52.7888
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 d61a6d9a-011e-4aea-6382-08de03e97f36
X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: 
 TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.117.161];Helo=[mail.nvidia.com]
X-MS-Exchange-CrossTenant-AuthSource: 
	BN1PEPF00004683.namprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR12MB6585
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Cosmin Ratiu <cratiu@nvidia.com>

PSP support requires a set of cap bits to be set, otherwise an init
error is logged.

But logging an error when PSP cannot be initialized is too much, and not
in line with other features. If a feature cannot be initialized because
it is not supported, that's not an error. An error should only be
printed when the feature cannot be initialized because of an actual
error.

Fixes: 89ee2d92f66c ("net/mlx5e: Support PSP offload functionality")
Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
---
 drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp.c b/drive=
rs/net/ethernet/mellanox/mlx5/core/en_accel/psp.c
index b4cb131c5f81..8565cfe8d7dc 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp.c
@@ -893,27 +893,27 @@ int mlx5e_psp_init(struct mlx5e_priv *priv)
=20
 	if (!mlx5_is_psp_device(mdev)) {
 		mlx5_core_dbg(mdev, "PSP offload not supported\n");
-		return -EOPNOTSUPP;
+		return 0;
 	}
=20
 	if (!MLX5_CAP_ETH(mdev, swp)) {
 		mlx5_core_dbg(mdev, "SWP not supported\n");
-		return -EOPNOTSUPP;
+		return 0;
 	}
=20
 	if (!MLX5_CAP_ETH(mdev, swp_csum)) {
 		mlx5_core_dbg(mdev, "SWP checksum not supported\n");
-		return -EOPNOTSUPP;
+		return 0;
 	}
=20
 	if (!MLX5_CAP_ETH(mdev, swp_csum_l4_partial)) {
 		mlx5_core_dbg(mdev, "SWP L4 partial checksum not supported\n");
-		return -EOPNOTSUPP;
+		return 0;
 	}
=20
 	if (!MLX5_CAP_ETH(mdev, swp_lso)) {
 		mlx5_core_dbg(mdev, "PSP LSO not supported\n");
-		return -EOPNOTSUPP;
+		return 0;
 	}
=20
 	psp =3D kzalloc(sizeof(*psp), GFP_KERNEL);
--=20
2.31.1