Thread (2 messages) 2 messages, 2 authors, 2026-05-27

Re: [PATCH net-next] xfrm: fix xfrm_dev_offload_ok() returning true for software SAs

From: Petr Wozniak <hidden>
Date: 2026-05-27 16:47:22

2026-05-27, Sabrina Dubroca wrote:
Incorrectly? IPsec in SW with GSO is a valid setup. I think you're
breaking that with your patch.
Fair point — SW IPsec with GSO is intentional and the patch is too broad.

The actual observable bug on this platform (MT7988A, EIP-197 async crypto):

  xfrm_dev_offload_ok() → true (SW SA, dev == NULL)
  → esp4_gso_encap() marks the skb
  → validate_xmit_xfrm() → esp_xmit() → async crypto → -EINPROGRESS
  → validate_xmit_xfrm() returns NULL

On bridge interfaces (noqueue qdisc), __dev_queue_xmit() takes the
direct branch, initialises rc = -ENOMEM and never overwrites it
when skb is NULL → ENOMEM on every packet.

On real netdevs with a qdisc, sch_direct_xmit() handles NULL
gracefully and async completion via xfrm_dev_resume() delivers
the packet correctly.

Where would you suggest the actual fix should go — in the
bridge/noqueue path, or in validate_xmit_xfrm() / sch_direct_xmit()?

Petr
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help