[SRU][N:linux-bluefield][PATCH v1 0/2] xfrm: Add Direction to the SA in or out

Stav Aviram saviram at nvidia.com
Thu Oct 9 12:52:45 UTC 2025


BugLink: https://bugs.launchpad.net/bugs/2127184

SRU Justification:

[IMPACT]
Affected Kernels: linux-bluefield-6.8 and ubuntu-kernel-noble (Ubuntu 24.04, kernel 6.8.0-85+)

Bug: IPsec XFRM state configuration with hardware packet offload fails when using iproute2-6.15.0 (MLNX OFED 25.10):
$ ip addr add dev enp1s0f0np0 84.133.36.108/24
$ ip link set up dev enp1s0f0np0
$ /opt/mellanox/iproute2/sbin/ip xfrm state add src 84.133.36.109 dst 84.133.36.108 proto esp spi 0x8ee reqid 0x8ee mode transport aead 'rfc4106(gcm(aes))' 0x357a418c87ce4d21b19fdec22e498832a1b1fb01 128 offload packet dev enp1s0f0np0 dir in sel src 84.133.36.109/16 dst 84.133.36.108/16
Error: Attribute failed policy validation.
dmesg: netlink: 'ip': attribute type 33 has an invalid length.

Root Cause: The kernel is missing two members in the xfrm_attr_type_t enum in include/uapi/linux/xfrm.h: XFRMA_SA_DIR and XFRMA_NAT_KEEPALIVE_INTERVAL. This occurred when commit "xfrm: Add support for per cpu xfrm state handling" (which adds XFRMA_SA_PCPU) was backported to Ubuntu 24.04 without also backporting the two preceding upstream commits that add XFRMA_SA_DIR (position 34) and XFRMA_NAT_KEEPALIVE_INTERVAL (position 35), causing XFRMA_SA_PCPU to incorrectly occupy position 34 instead of 36. This creates an enum value misalignment with iproute2-6.15.0: when iproute2 sends XFRMA_SA_DIR (attribute 34, type __u8), the kernel misinterprets it as XFRMA_SA_PCPU (also at position 34 in the broken enum, but expects type __u32), triggering netlink attribute validation failure and breaking IPsec hardware offload.
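As an added illustration (not part of this patch series or of the kernel sources), the following C model shows the enum shift described above and why the netlink policy check then rejects the attribute. Attribute numbers are the kernel's zero-based enum values, so XFRMA_SA_DIR is 33 (the number dmesg prints), which the justification above calls position 34 counting from one; the policy tables and validate_attr are constructed stand-ins for the kernel's policy validation, not its real code.

```c
#include <stdint.h>
#include <stddef.h>

/* Tail of xfrm_attr_type_t with the kernel's zero-based numbering
 * (constructed here; earlier members omitted). */
enum xfrma_tail {
    XFRMA_SA_DIR = 33,                /* __u8: XFRM_SA_DIR_IN (1) or _OUT (2) */
    XFRMA_NAT_KEEPALIVE_INTERVAL,     /* __u32 */
    XFRMA_SA_PCPU,                    /* __u32 */
    XFRMA_TAIL_MAX
};

/* Minimal netlink-style policy entry: expected payload length plus an
 * inclusive value range for one-byte attributes (max == 0: no range check). */
struct attr_policy { size_t len; uint8_t min, max; };

/* Affected Ubuntu 6.8 trees: XFRMA_SA_PCPU was backported alone and so
 * took the slot 33 that XFRMA_SA_DIR occupies upstream. */
static const struct attr_policy broken_policy[XFRMA_TAIL_MAX] = {
    [33] = { sizeof(uint32_t), 0, 0 },
};

/* After both backports: every attribute back at its upstream number. */
static const struct attr_policy fixed_policy[XFRMA_TAIL_MAX] = {
    [XFRMA_SA_DIR]                 = { sizeof(uint8_t), 1, 2 },
    [XFRMA_NAT_KEEPALIVE_INTERVAL] = { sizeof(uint32_t), 0, 0 },
    [XFRMA_SA_PCPU]                = { sizeof(uint32_t), 0, 0 },
};

/* Constructed stand-in for validating one attribute against a policy.
 * 0: accepted; -1: type not covered by this policy; -2: invalid length
 * (the "attribute type 33 has an invalid length" case); -3: value out of range. */
static int validate_attr(const struct attr_policy *pol, int type,
                         const void *payload, size_t len)
{
    const uint8_t *val = payload;

    if (type < 0 || type >= XFRMA_TAIL_MAX || pol[type].len == 0)
        return -1;
    if (len != pol[type].len)
        return -2;
    if (pol[type].max && (val[0] < pol[type].min || val[0] > pol[type].max))
        return -3;
    return 0;
}

/* What iproute2-6.15.0 sends for "dir in": type XFRMA_SA_DIR, 1-byte payload. */
int check_dir_in(const struct attr_policy *pol)
{
    uint8_t dir_in = 1;
    return validate_attr(pol, XFRMA_SA_DIR, &dir_in, sizeof(dir_in));
}
```

Against broken_policy the one-byte direction attribute is checked as the four-byte XFRMA_SA_PCPU and fails on length; against fixed_policy the same message is accepted.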


[FIX]
Backport two upstream commits that add the missing enum members, thus aligning kernel UAPI with iproute2-6.15.0:
a4a87fa4e96c - "xfrm: Add Direction to the SA in or out" (adds XFRMA_SA_DIR) - upstream v6.10-rc1
f531d13bdfe3f4f084 - "xfrm: support sending NAT keepalives in ESP in UDP states" (adds XFRMA_NAT_KEEPALIVE_INTERVAL) - upstream v6.11-rc1

[TEST CASE]
Successfully compiled on linux-bluefield-6.8 (master-next branch) and ubuntu-kernel-noble (master branch).
After installing the patched kernel, the previously failing command succeeds: no "Attribute failed policy validation" error is returned and dmesg is clean.

[REGRESSION POTENTIAL]
Very low. The patches originate from upstream Linux v6.10-rc1 and v6.11-rc1 respectively. Both patches are well-contained within the XFRM subsystem.

Antony Antony (1):
  xfrm: Add Direction to the SA in or out

Eyal Birger (1):
  xfrm: support sending NAT keepalives in ESP in UDP states

 include/net/ipv6_stubs.h      |   3 +
 include/net/netns/xfrm.h      |   1 +
 include/net/xfrm.h            |  11 ++
 include/uapi/linux/xfrm.h     |   7 +
 net/ipv6/af_inet6.c           |   1 +
 net/ipv6/xfrm6_policy.c       |   7 +
 net/xfrm/Makefile             |   3 +-
 net/xfrm/xfrm_compat.c        |   5 +
 net/xfrm/xfrm_device.c        |   6 +
 net/xfrm/xfrm_nat_keepalive.c | 292 ++++++++++++++++++++++++++++++++++
 net/xfrm/xfrm_policy.c        |   8 +
 net/xfrm/xfrm_replay.c        |   3 +-
 net/xfrm/xfrm_state.c         |  25 +++
 net/xfrm/xfrm_user.c          | 149 ++++++++++++++++-
 14 files changed, 516 insertions(+), 5 deletions(-)
 create mode 100644 net/xfrm/xfrm_nat_keepalive.c

-- 
2.38.1
