Steffen Klassert <[email protected]> wrote:
> Commit 94579ac3f6d0 ("xfrm: Fix double ESP trailer insertion in IPsec
> crypto offload.") added a XFRM_XMIT flag to avoid duplicate ESP trailer
> insertion on HW offload. This flag is set on the secpath that is shared
> amongst segments. This lead to a situation where some segments are
> not transformed correctly when segmentation happens at layer 3.
>
> Fix this by using private skb extensions for segmented and hw offloaded
> ESP packets.
>
> Fixes: 94579ac3f6d0 ("xfrm: Fix double ESP trailer insertion in IPsec crypto
> offload.")
> Signed-off-by: Steffen Klassert <[email protected]>
> ---
> include/linux/skbuff.h | 1 +
> net/core/skbuff.c | 23 ++++++++++++++++++-----
> net/ipv4/esp4_offload.c | 16 +++++++++++++++-
> net/ipv6/esp6_offload.c | 16 +++++++++++++++-
> net/xfrm/xfrm_device.c | 2 --
> 5 files changed, 49 insertions(+), 9 deletions(-)
>
> - if (hw_offload)
> + if (hw_offload) {
> + ext = skb_ext_cow(skb->extensions, skb->active_extensions);
It should be possible to do
if (hw_offload) {
if (!skb_ext_add(skb, SKB_EXT_SECPATH);
return -ENOMEM;
xo = xfrm_offload(skb);
....
without need for a new 'cow' function.
skb_ext_add() will auto-COW if the extension area has a refcount > 1.
