mlx5en: destroy TIR before DEK during TLS RX teardown

Reorder the TLS RX teardown sequence so the TIR is destroyed before
the DEK.  DESTROY_TIR for a TLS-enabled TIR issues a TRA RX fence
that drains all in-flight packets from the crypto pipeline.  If the
DEK is destroyed first, packets still in flight hit a TPT encryption
error (vendor syndrome 0x55) because the key they reference is
already gone.

Reviewed by:	kib
Sponsored by:	Nvidia networking
MFC after:	1 week
Ariel Ehrenberg
2026-04-16 00:45:07 +03:00
committed by Konstantin Belousov
parent c316ec2590
commit bf636accdd
+11 -4
@@ -596,14 +596,21 @@ mlx5e_tls_rx_work(struct work_struct *work)
if (ptag->flow_rule != NULL)
mlx5e_accel_fs_del_inpcb(ptag->flow_rule);
/*
* Destroy TIR before DEK. DESTROY_TIR for a TLS-
* enabled TIR issues a TRA RX fence that drains all
* in-flight packets from the crypto pipeline. If the
* DEK were destroyed first, packets still in flight
* would hit a TPT encryption error (vendor syndrome
* 0x55) because the key they reference is already gone.
*/
if (ptag->tirn != 0)
mlx5_tls_close_tir(priv->mdev, ptag->tirn);
/* try to destroy DEK context by ID */
if (ptag->dek_index_ok)
mlx5_encryption_key_destroy(priv->mdev, ptag->dek_index);
/* try to destroy TIR context by ID */
if (ptag->tirn != 0)
mlx5_tls_close_tir(priv->mdev, ptag->tirn);
/* free tag */
mlx5e_tls_rx_tag_zfree(ptag);
break;
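Review bot: the ordering guarantee described in the new comment only holds if DESTROY_TIR actually completed, but the `mlx5_tls_close_tir(priv->mdev, ptag->tirn);` call placed ahead of `mlx5_encryption_key_destroy()` has its outcome ignored, and the DEK is destroyed unconditionally right after it. If the close can fail or time out, the TRA RX fence may not have drained the crypto pipeline and the same vendor syndrome 0x55 window remains. Consider checking the result (or having the helper report one) and at least logging a failure before the DEK destroy, and say in the comment that the ordering depends on the command completing.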