From: Vlad Buslov <vladbu@nvidia.com>
Date: Tue, 5 Jul 2022 11:39:10 +0200
Subject: net/mlx5e: Extend flower police validation
Patch-mainline: v6.0-rc1
Git-commit: f7434ba0abfc28da40723f05645d19c87353764a
References: jsc#PED-1549

Recent net commit 4d1e07d83ccc ("net/mlx5e: Fix matchall police parameters
validation") removed notexceed action id validation from
mlx5e_police_validate() and left it up to callers. However, since
tc_act_can_offload_police() only exists in net-next its validation is
extended in this dedicated followup patch.

Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
Reviewed-by: Jianbo Liu <jianbol@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
---
 drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/police.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/police.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/police.c
@@ -10,6 +10,12 @@ tc_act_can_offload_police(struct mlx5e_t
 			  int act_index,
 			  struct mlx5_flow_attr *attr)
 {
+	if (act->police.notexceed.act_id != FLOW_ACTION_PIPE &&
+	    act->police.notexceed.act_id != FLOW_ACTION_ACCEPT) {
+		NL_SET_ERR_MSG_MOD(parse_state->extack,
+				   "Offload not supported when conform action is not pipe or ok");
+		return false;
+	}
 	if (mlx5e_policer_validate(parse_state->flow_action, act,
 				   parse_state->extack))
 		return false;