From patchwork Wed Aug 22 22:59:40 2018
X-Patchwork-Submitter: Shannon Nelson
X-Patchwork-Id: 961099
X-Patchwork-Delegate: davem@davemloft.net
From: Shannon Nelson
To: jeffrey.t.kirsher@intel.com
Cc: steffen.klassert@secunet.com, netdev@vger.kernel.org
Subject: [PATCH next-queue 1/2] ixgbe: disallow ipsec tx offload when in sr-iov mode
Date: Wed, 22 Aug 2018 15:59:40 -0700
Message-Id: <1534978781-25779-1-git-send-email-shannon.nelson@oracle.com>
X-Mailing-List: netdev@vger.kernel.org

There seems to be a problem in the x540's internal switch wherein if SR/IOV mode is enabled and an offloaded IPsec packet is sent to a local VF, the packet is silently dropped. This might never be a problem as it is somewhat a corner case, but if someone happens to be using IPsec offload from the PF to a VF that just happens to get migrated to the local box, communication will mysteriously fail. Not good.

A simple way to protect from this is to simply not allow any IPsec offloads for outgoing packets when num_vfs != 0. This doesn't help any offloads that were created before SR/IOV was enabled, but we'll get to that later.

Signed-off-by: Shannon Nelson
--- drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c index 68395ab..24076b4 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
@@ -697,6 +697,9 @@ static int ixgbe_ipsec_add_sa(struct xfrm_state *xs) } else { struct tx_sa tsa; + if (adapter->num_vfs) + return -EOPNOTSUPP; + /* find the first unused index */ ret = ixgbe_ipsec_find_empty_idx(ipsec, false); if (ret < 0) {
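Review bot: The new check at the top of the Tx branch in ixgbe_ipsec_add_sa() tests only `adapter->num_vfs`, while the commit message attributes the drop to the x540's internal switch, so as written the refusal applies to every adapter that reaches this path. If that is intended, a short comment above `if (adapter->num_vfs)` should say so and name the hardware behaviour being avoided; otherwise the condition should also be gated on the affected hardware. The bare `return -EOPNOTSUPP;` also gives the administrator no indication of why the Tx SA was refused, so a log message stating that Tx IPsec offload is unavailable while VFs are enabled would make the failure diagnosable. The check runs only when an SA is added, which leaves Tx SAs installed before VFs are enabled in place, as the commit message acknowledges; until the follow-up lands, that gap is worth a comment here so the silent-drop case is not assumed to be closed.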