www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Dragos Tatulea <dtatulea@nvidia.com>
	Fri, 20 Dec 2024 08:15:03 +0000 (10:15 +0200)
committer	Jakub Kicinski <kuba@kernel.org>
	Mon, 23 Dec 2024 18:54:01 +0000 (10:54 -0800)
commit	8c6254479b3d5bd788d2b5fefaa48fb194331ed0
tree	12e61240b9795b41f15aebf2acc37ac2058122c4	tree
parent	050a4c011b0dfeb91664a5d7bd3647ff38db08ce	commit \| diff

net/mlx5e: macsec: Maintain TX SA from encoding_sa

In MACsec, it is possible to create multiple active TX SAs on a SC,
but only one such SA can be used at a time for transmission. This SA
is selected through the encoding_sa link parameter.

When there are 2 or more active TX SAs configured (encoding_sa=0):
ip macsec add macsec0 tx sa 0 pn 1 on key 00 <KEY1>
ip macsec add macsec0 tx sa 1 pn 1 on key 00 <KEY2>

... the traffic should be still sent via TX SA 0 as the encoding_sa was
not changed. However, the driver ignores the encoding_sa and overrides
it to SA 1 by installing the flow steering id of the newly created TX SA
into the SCI -> flow steering id hash map. The future packet tx
descriptors will point to the incorrect flow steering rule (SA 1).

This patch fixes the issue by avoiding the creation of the flow steering
rule for an active TX SA that is not the encoding_sa. The driver side
tx_sa object and the FW side macsec object are still created. When the
encoding_sa link parameter is changed to another active TX SA, only the
new flow steering rule will be created in the mlx5e_macsec_upd_txsa()
handler.

Fixes: 8ff0ac5be144 ("net/mlx5: Add MACsec offload Tx command support")
Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
Reviewed-by: Lior Nahmanson <liorna@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20241220081505.1286093-3-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>