Patch "net/mlx5e: IPsec: Fix crypto offload for non TCP/UDP encapsulated traffic" has been added to the 5.15-stable tree

[Sasha Levin <sashal@xxxxxxxxxx>]

This is a note to let you know that I've just added the patch titled

    net/mlx5e: IPsec: Fix crypto offload for non TCP/UDP encapsulated traffic

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-mlx5e-ipsec-fix-crypto-offload-for-non-tcp-udp-e.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 5b90a11281bfa3d7b8ab251e79b9bd7ae0f89647
Author: Raed Salem <raeds@xxxxxxxxxx>
Date:   Thu Dec 2 17:43:50 2021 +0200

    net/mlx5e: IPsec: Fix crypto offload for non TCP/UDP encapsulated traffic
    
    [ Upstream commit 5352859b3bfa0ca188b2f1d2c1436fddc781e3b6 ]
    
    IPsec crypto offload always set the ethernet segment checksum flags with
    the inner L4 header checksum flag enabled for encapsulated IPsec offloaded
    packet regardless of the encapsulated L4 header type, and even if it
    doesn't exists in the first place, this breaks non TCP/UDP traffic as
    such.
    
    Set the inner L4 checksum flag only when the encapsulated L4 header
    protocol is TCP/UDP using software parser swp_inner_l4_offset field as
    indication.
    
    Fixes: 5cfb540ef27b ("net/mlx5e: Set IPsec WAs only in IP's non checksum partial case.")
    Signed-off-by: Raed Salem <raeds@xxxxxxxxxx>
    Reviewed-by: Maor Dickman <maord@xxxxxxxxxx>
    Signed-off-by: Saeed Mahameed <saeedm@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.h b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.h
index b98db50c3418d..428881e0adcbe 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.h
@@ -131,14 +131,17 @@ static inline bool
 mlx5e_ipsec_txwqe_build_eseg_csum(struct mlx5e_txqsq *sq, struct sk_buff *skb,
 				  struct mlx5_wqe_eth_seg *eseg)
 {
-	struct xfrm_offload *xo = xfrm_offload(skb);
+	u8 inner_ipproto;
 
 	if (!mlx5e_ipsec_eseg_meta(eseg))
 		return false;
 
 	eseg->cs_flags = MLX5_ETH_WQE_L3_CSUM;
-	if (xo->inner_ipproto) {
-		eseg->cs_flags |= MLX5_ETH_WQE_L4_INNER_CSUM | MLX5_ETH_WQE_L3_INNER_CSUM;
+	inner_ipproto = xfrm_offload(skb)->inner_ipproto;
+	if (inner_ipproto) {
+		eseg->cs_flags |= MLX5_ETH_WQE_L3_INNER_CSUM;
+		if (inner_ipproto == IPPROTO_TCP || inner_ipproto == IPPROTO_UDP)
+			eseg->cs_flags |= MLX5_ETH_WQE_L4_INNER_CSUM;
 	} else if (likely(skb->ip_summed == CHECKSUM_PARTIAL)) {
 		eseg->cs_flags |= MLX5_ETH_WQE_L4_CSUM;
 		sq->stats->csum_partial_inner++;