** Tags added: kernel-daily-bug

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-bluefield in Ubuntu.
https://bugs.launchpad.net/bugs/2127184

Title:
  Ubuntu 24.04: IPsec XFRM packet offload fails with "Attribute failed
  policy validation" due to enum mismatch

Status in linux-bluefield package in Ubuntu:
  New

Bug description:
  SRU Justification:

  [IMPACT]
  Affected Kernels: linux-bluefield-6.8 and ubuntu-kernel-noble (Ubuntu 24.04, kernel 6.8.0-85+)

  Bug: IPsec XFRM state configuration with hardware packet offload fails when using iproute2-6.15.0 (MLNX OFED 25.10):
  $ ip addr add dev enp1s0f0np0 84.133.36.108/24
  $ ip link set up dev enp1s0f0np0
  $ /opt/mellanox/iproute2/sbin/ip xfrm state add src 84.133.36.109 dst 84.133.36.108 \
      proto esp spi 0x8ee reqid 0x8ee mode transport \
      aead 'rfc4106(gcm(aes))' 0x357a418c87ce4d21b19fdec22e498832a1b1fb01 128 \
      offload packet dev enp1s0f0np0 dir in \
      sel src 84.133.36.109/16 dst 84.133.36.108/16
  Error: Attribute failed policy validation.
  dmesg: netlink: 'ip': attribute type 33 has an invalid length.

  Root Cause: The kernel is missing two members in the xfrm_attr_type_t
  enum in include/uapi/linux/xfrm.h: XFRMA_SA_DIR and
  XFRMA_NAT_KEEPALIVE_INTERVAL. This occurred when commit "xfrm: Add
  support for per cpu xfrm state handling" (which adds XFRMA_SA_PCPU)
  was backported to Ubuntu 24.04 without also backporting the two
  preceding upstream commits that add XFRMA_SA_DIR (position 34) and
  XFRMA_NAT_KEEPALIVE_INTERVAL (position 35), causing XFRMA_SA_PCPU to
  incorrectly occupy position 34 instead of 36. This creates an enum
  value misalignment with iproute2-6.15.0: when iproute2 sends
  XFRMA_SA_DIR (attribute 34, type __u8), the kernel misinterprets it as
  XFRMA_SA_PCPU (also at position 34 in the broken enum, but expects
  type __u32), triggering netlink attribute validation failure and
  breaking IPsec hardware offload.

  
  [FIX]
  Backport two upstream commits that add the missing enum members, thus aligning kernel UAPI with iproute2-6.15.0:
  a4a87fa4e96c - "xfrm: Add Direction to the SA in or out" (adds XFRMA_SA_DIR) - upstream v6.10-rc1
  f531d13bdfe3f4f084 - "xfrm: support sending NAT keepalives in ESP in UDP states" (adds XFRMA_NAT_KEEPALIVE_INTERVAL) - upstream v6.11-rc1

  [TEST CASE]
  Successfully compiled on linux-bluefield-6.8 (master-next branch) and ubuntu-kernel-noble (master branch).
  After installing patched kernel, the previously failing command succeeds - No "Attribute failed policy validation" errors and dmesg is clear.

  [REGRESSION POTENTIAL]
  Very low. The patches originate from upstream Linux v6.10-rc1 and v6.11-rc1 respectively. Both patches are well-contained within the XFRM subsystem.
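
The enum shift described under Root Cause, as an added example that is not part of the bug report or the kernel source: a reduced model of the two headers and of a per-type length check. The names (UP_*, BR_*, validate) are hypothetical, and the shared members are collapsed into one entry pinned at 32 so that the next value is 33, the attribute type shown in the dmesg line.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not kernel code. The last attribute both headers share
 * is pinned at 32 so that the next one is 33, the type in the dmesg line. */
enum upstream_attr { UP_LAST_SHARED = 32, UP_SA_DIR,
                     UP_NAT_KEEPALIVE_INTERVAL, UP_SA_PCPU };
enum broken_attr   { BR_LAST_SHARED = 32, BR_SA_PCPU }; /* two members missing */

struct attr { int type; size_t len; }; /* attribute type + payload length */

/* Payload length each header's policy expects; 0 means "type not known". */
static size_t upstream_len(int type)
{
    switch (type) {
    case UP_SA_DIR:                 return 1; /* __u8  */
    case UP_NAT_KEEPALIVE_INTERVAL: return 4; /* __u32 */
    case UP_SA_PCPU:                return 4; /* __u32 */
    default:                        return 0;
    }
}

static size_t broken_len(int type)
{
    return type == BR_SA_PCPU ? 4 : 0;        /* __u32 */
}

/* Length check in the spirit of netlink policy validation: 0 = accept. */
static int validate(struct attr a, size_t (*policy)(int))
{
    size_t want = policy(a.type);
    return (want != 0 && a.len == want) ? 0 : -1;
}

/* What a tool built against the upstream header sends for "dir in". */
static struct attr sa_dir_from_userspace(void)
{
    struct attr a = { UP_SA_DIR, 1 };
    return a;
}

int main(void)
{
    struct attr a = sa_dir_from_userspace();
    printf("type %d len %zu: upstream=%d broken=%d\n", a.type, a.len,
           validate(a, upstream_len), validate(a, broken_len));
    return 0;
}
```

The same 1-byte attribute is accepted under the upstream numbering and rejected under the shifted one, because the broken header assigns that number to a 4-byte attribute.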
