[PATCH net v1] net/mlx5e: Fix eswitch mode block underflow on IPsec acquire SA

Prathamesh Deshpande posted 1 patch 1 month ago
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
[PATCH net v1] net/mlx5e: Fix eswitch mode block underflow on IPsec acquire SA
Posted by Prathamesh Deshpande 1 month ago
mlx5e_xfrm_add_state() handles acquire-flow temporary SAs by allocating
software state and skipping hardware offload setup.

That path jumps to the common success label before taking the eswitch mode
block. After tunnel-mode validation was moved earlier, the common success
label unconditionally calls mlx5_eswitch_unblock_mode(). For acquire SAs,
this decrements esw->offloads.num_block_mode without a matching increment.

Return directly after installing the acquire SA offload handle, so only the
paths that successfully called mlx5_eswitch_block_mode() call the matching
unblock.

Fixes: 22239eb258bc ("net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed")
Signed-off-by: Prathamesh Deshpande <prathameshdeshpande7@gmail.com>
---
 drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
index a52e12c3c95a..db260e3d1412 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -792,8 +792,10 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
 	sa_entry->dev = dev;
 	sa_entry->ipsec = ipsec;
 	/* Check if this SA is originated from acquire flow temporary SA */
-	if (x->xso.flags & XFRM_DEV_OFFLOAD_FLAG_ACQ)
-		goto out;
+	if (x->xso.flags & XFRM_DEV_OFFLOAD_FLAG_ACQ) {
+		x->xso.offload_handle = (unsigned long)sa_entry;
+		return 0;
+	}
 
 	err = mlx5e_xfrm_validate_state(priv->mdev, x, extack);
 	if (err)
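Review bot: the `return 0` in the new XFRM_DEV_OFFLOAD_FLAG_ACQ branch skips the whole shared success tail, not only the mode unblock named in the commit message. The tail shown in the next hunk also runs `if (allow_tunnel_mode) mlx5_eswitch_unblock_encap(priv->mdev);`. Neither hunk shows where allow_tunnel_mode is set or where the encap block is taken, so please confirm, and state in the commit message, that nothing before this check takes a block that the tail would have released for an acquire SA. It would also help to extend the existing comment above the branch to say that this path takes no eswitch block and therefore must not reach the unblock calls.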
@@ -870,7 +872,6 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
 		xa_unlock_bh(&ipsec->sadb);
 	}
 
-out:
 	x->xso.offload_handle = (unsigned long)sa_entry;
 	if (allow_tunnel_mode)
 		mlx5_eswitch_unblock_encap(priv->mdev);
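Review bot: with `out:` removed, `x->xso.offload_handle = (unsigned long)sa_entry;` now appears twice, here and in the acquire branch, so any later change to how the handle is published has to be made in both places. Consider a short comment above this tail noting that it is reached only by fall-through from paths that took the eswitch blocks, so that a future early jump to a success label does not reintroduce an unbalanced unblock.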
-- 
2.43.0
Re: [PATCH net v1] net/mlx5e: Fix eswitch mode block underflow on IPsec acquire SA
Posted by Tariq Toukan 3 weeks, 2 days ago

On 11/05/2026 1:59, Prathamesh Deshpande wrote:
> mlx5e_xfrm_add_state() handles acquire-flow temporary SAs by allocating
> software state and skipping hardware offload setup.
> 
> That path jumps to the common success label before taking the eswitch mode
> block. After tunnel-mode validation was moved earlier, the common success
> label unconditionally calls mlx5_eswitch_unblock_mode(). For acquire SAs,
> this decrements esw->offloads.num_block_mode without a matching increment.
> 
> Return directly after installing the acquire SA offload handle, so only the
> paths that successfully called mlx5_eswitch_block_mode() call the matching
> unblock.
> 
> Fixes: 22239eb258bc ("net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed")
> Signed-off-by: Prathamesh Deshpande <prathameshdeshpande7@gmail.com>
> ---
>   drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 7 ++++---
>   1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> index a52e12c3c95a..db260e3d1412 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> @@ -792,8 +792,10 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
>   	sa_entry->dev = dev;
>   	sa_entry->ipsec = ipsec;
>   	/* Check if this SA is originated from acquire flow temporary SA */
> -	if (x->xso.flags & XFRM_DEV_OFFLOAD_FLAG_ACQ)
> -		goto out;
> +	if (x->xso.flags & XFRM_DEV_OFFLOAD_FLAG_ACQ) {
> +		x->xso.offload_handle = (unsigned long)sa_entry;
> +		return 0;
> +	}
>   
>   	err = mlx5e_xfrm_validate_state(priv->mdev, x, extack);
>   	if (err)
> @@ -870,7 +872,6 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
>   		xa_unlock_bh(&ipsec->sadb);
>   	}
>   
> -out:
>   	x->xso.offload_handle = (unsigned long)sa_entry;
>   	if (allow_tunnel_mode)
>   		mlx5_eswitch_unblock_encap(priv->mdev);

Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Re: [PATCH net v1] net/mlx5e: Fix eswitch mode block underflow on IPsec acquire SA
Posted by Simon Horman 4 weeks ago
On Sun, May 10, 2026 at 11:59:00PM +0100, Prathamesh Deshpande wrote:
> mlx5e_xfrm_add_state() handles acquire-flow temporary SAs by allocating
> software state and skipping hardware offload setup.
> 
> That path jumps to the common success label before taking the eswitch mode
> block. After tunnel-mode validation was moved earlier, the common success
> label unconditionally calls mlx5_eswitch_unblock_mode(). For acquire SAs,
> this decrements esw->offloads.num_block_mode without a matching increment.
> 
> Return directly after installing the acquire SA offload handle, so only the
> paths that successfully called mlx5_eswitch_block_mode() call the matching
> unblock.
> 
> Fixes: 22239eb258bc ("net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed")
> Signed-off-by: Prathamesh Deshpande <prathameshdeshpande7@gmail.com>

Reviewed-by: Simon Horman <horms@kernel.org>