In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: E-switch, Create ingress ACL when needed
Currently, ingress acl is used for three features. It is created only when vport metadata match and prio tag are enabled. But active-backup lag mode also uses it. It is independent of vport metadata match and prio tag. And vport metadata match can be disabled using the following devlink command:
# devlink dev param set pci/0000:08:00.0 name eswportmetadata \ value false cmode runtime
If ingress acl is not created, will hit panic when creating drop rule for active-backup lag mode. If always create it, there will be about 5% performance degradation.
Fix it by creating ingress acl when needed. If eswportmetadata is true, ingress acl exists, then create drop rule using existing ingress acl. If eswportmetadata is false, create ingress acl and then create drop rule.