Re: [PATCH net-next] xfrm: fix xfrm_dev_offload_ok() returning true for software SAs
From: Petr Wozniak <hidden>
Date: 2026-05-27 16:47:22
2026-05-27, Sabrina Dubroca wrote:
> Incorrectly? IPsec in SW with GSO is a valid setup. I think you're breaking that with your patch.

Fair point — SW IPsec with GSO is intentional and the patch is too broad.

The actual observable bug on this platform (MT7988A, EIP-197 async crypto):

  xfrm_dev_offload_ok() → true (SW SA, dev == NULL)
  → esp4_gso_encap() marks the skb
  → validate_xmit_xfrm() → esp_xmit() → async crypto → -EINPROGRESS
  → validate_xmit_xfrm() returns NULL

On bridge interfaces (noqueue qdisc), __dev_queue_xmit() takes the direct branch, initialises rc = -ENOMEM and never overwrites it when skb is NULL → ENOMEM on every packet.

On real netdevs with a qdisc, sch_direct_xmit() handles NULL gracefully and async completion via xfrm_dev_resume() delivers the packet correctly.

Where would you suggest the actual fix should go — in the bridge/noqueue path, or in validate_xmit_xfrm() / sch_direct_xmit()?

Petr