Commit 59630e2c authored Oct 29, 2025 by Jianbo Liu Committed by Steffen Klassert Oct 30, 2025

xfrm: Prevent locally generated packets from direct output in tunnel mode

Add a check to ensure locally generated packets (skb->sk != NULL) do
not use direct output in tunnel mode, as these packets require proper
L2 header setup that is handled by the normal XFRM processing path.

Fixes: 5eddd76e ("xfrm: fix tunnel mode TX datapath in packet offload mode")
Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

parent 61fafbee

net/xfrm/xfrm_output.c

+5 −1

Original line number	Diff line number	Diff line
		@@ -772,8 +772,12 @@ int xfrm_output(struct sock sk, struct sk_buff skb)
		/* Exclusive direct xmit for tunnel mode, as
		* some filtering or matching rules may apply
		* in transport mode.
		* Locally generated packets also require
		* the normal XFRM path for L2 header setup,
		* as the hardware needs the L2 header to match
		* for encryption, so skip direct output as well.
		*/
		if (x->props.mode == XFRM_MODE_TUNNEL)
		if (x->props.mode == XFRM_MODE_TUNNEL && !skb->sk)
		return xfrm_dev_direct_output(sk, x, skb);

		return xfrm_output_resume(sk, skb, 0);