* [Intel-wired-lan] [PATCH net] ixgbe: ensure IPsec VF<->PF compatibility
@ 2022-03-30 11:01 ` Leon Romanovsky
0 siblings, 0 replies; 6+ messages in thread
From: Leon Romanovsky @ 2022-03-30 11:01 UTC (permalink / raw)
To: intel-wired-lan
From: Leon Romanovsky <leonro@nvidia.com>
The VF driver can forward any IPsec flags and such makes the function
is not extendable and prone to backward/forward incompatibility.
If new software runs on VF, it won't know that PF configured something
completely different as it "knows" only XFRM_OFFLOAD_INBOUND flag.
Fixes: eda0333ac293 ("ixgbe: add VF IPsec management")
Reviewed-by: Raed Salem <raeds@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
---
There is no simple fix for this VF/PF incompatibility as long as FW
doesn't filter/decline unsupported options when convey mailbox from VF
to PF.
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
index e596e1a9fc75..236f244e3f65 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
@@ -903,7 +903,9 @@ int ixgbe_ipsec_vf_add_sa(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf)
/* Tx IPsec offload doesn't seem to work on this
* device, so block these requests for now.
*/
- if (!(sam->flags & XFRM_OFFLOAD_INBOUND)) {
+ sam->flags = sam->flags & ~XFRM_OFFLOAD_IPV6;
+ if (!(sam->flags & XFRM_OFFLOAD_INBOUND) ||
+ sam->flags & ~XFRM_OFFLOAD_INBOUND) {
err = -EOPNOTSUPP;
goto err_out;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH net] ixgbe: ensure IPsec VF<->PF compatibility @ 2022-03-30 11:01 ` Leon Romanovsky 0 siblings, 0 replies; 6+ messages in thread From: Leon Romanovsky @ 2022-03-30 11:01 UTC (permalink / raw) To: David S . Miller, Jakub Kicinski Cc: Leon Romanovsky, intel-wired-lan, Jeff Kirsher, Jesse Brandeburg, linux-kernel, netdev, Paolo Abeni, Raed Salem, Shannon Nelson, Tony Nguyen, Steffen Klassert From: Leon Romanovsky <leonro@nvidia.com> The VF driver can forward any IPsec flags and such makes the function is not extendable and prone to backward/forward incompatibility. If new software runs on VF, it won't know that PF configured something completely different as it "knows" only XFRM_OFFLOAD_INBOUND flag. Fixes: eda0333ac293 ("ixgbe: add VF IPsec management") Reviewed-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> --- There is no simple fix for this VF/PF incompatibility as long as FW doesn't filter/decline unsupported options when convey mailbox from VF to PF. --- drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c index e596e1a9fc75..236f244e3f65 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c @@ -903,7 +903,9 @@ int ixgbe_ipsec_vf_add_sa(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf) /* Tx IPsec offload doesn't seem to work on this * device, so block these requests for now. */ - if (!(sam->flags & XFRM_OFFLOAD_INBOUND)) { + sam->flags = sam->flags & ~XFRM_OFFLOAD_IPV6; + if (!(sam->flags & XFRM_OFFLOAD_INBOUND) || + sam->flags & ~XFRM_OFFLOAD_INBOUND) { err = -EOPNOTSUPP; goto err_out; } -- 2.35.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* [Intel-wired-lan] [PATCH net] ixgbe: ensure IPsec VF<->PF compatibility 2022-03-30 11:01 ` Leon Romanovsky @ 2022-03-30 16:13 ` Shannon Nelson -1 siblings, 0 replies; 6+ messages in thread From: Shannon Nelson @ 2022-03-30 16:13 UTC (permalink / raw) To: intel-wired-lan On 3/30/22 4:01 AM, Leon Romanovsky wrote: > From: Leon Romanovsky <leonro@nvidia.com> > > The VF driver can forward any IPsec flags and such makes the function > is not extendable and prone to backward/forward incompatibility. > > If new software runs on VF, it won't know that PF configured something > completely different as it "knows" only XFRM_OFFLOAD_INBOUND flag. > > Fixes: eda0333ac293 ("ixgbe: add VF IPsec management") > Reviewed-by: Raed Salem <raeds@nvidia.com> > Signed-off-by: Leon Romanovsky <leonro@nvidia.com> > --- > There is no simple fix for this VF/PF incompatibility as long as FW > doesn't filter/decline unsupported options when convey mailbox from VF > to PF. > --- > drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c > index e596e1a9fc75..236f244e3f65 100644 > --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c > +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c > @@ -903,7 +903,9 @@ int ixgbe_ipsec_vf_add_sa(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf) > /* Tx IPsec offload doesn't seem to work on this > * device, so block these requests for now. > */ > - if (!(sam->flags & XFRM_OFFLOAD_INBOUND)) { > + sam->flags = sam->flags & ~XFRM_OFFLOAD_IPV6; > + if (!(sam->flags & XFRM_OFFLOAD_INBOUND) || > + sam->flags & ~XFRM_OFFLOAD_INBOUND) { So after stripping the IPV6 flag, you're checking to be sure that INBOUND is the only flag enabled, right? Could you use ??? if (sam->flags != XFRM_OFFLOAD_INBOUND) { instead? sln > err = -EOPNOTSUPP; > goto err_out; > } ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net] ixgbe: ensure IPsec VF<->PF compatibility @ 2022-03-30 16:13 ` Shannon Nelson 0 siblings, 0 replies; 6+ messages in thread From: Shannon Nelson @ 2022-03-30 16:13 UTC (permalink / raw) To: Leon Romanovsky, David S . Miller, Jakub Kicinski Cc: Leon Romanovsky, intel-wired-lan, Jeff Kirsher, Jesse Brandeburg, linux-kernel, netdev, Paolo Abeni, Raed Salem, Shannon Nelson, Tony Nguyen, Steffen Klassert On 3/30/22 4:01 AM, Leon Romanovsky wrote: > From: Leon Romanovsky <leonro@nvidia.com> > > The VF driver can forward any IPsec flags and such makes the function > is not extendable and prone to backward/forward incompatibility. > > If new software runs on VF, it won't know that PF configured something > completely different as it "knows" only XFRM_OFFLOAD_INBOUND flag. > > Fixes: eda0333ac293 ("ixgbe: add VF IPsec management") > Reviewed-by: Raed Salem <raeds@nvidia.com> > Signed-off-by: Leon Romanovsky <leonro@nvidia.com> > --- > There is no simple fix for this VF/PF incompatibility as long as FW > doesn't filter/decline unsupported options when convey mailbox from VF > to PF. > --- > drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c > index e596e1a9fc75..236f244e3f65 100644 > --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c > +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c > @@ -903,7 +903,9 @@ int ixgbe_ipsec_vf_add_sa(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf) > /* Tx IPsec offload doesn't seem to work on this > * device, so block these requests for now. > */ > - if (!(sam->flags & XFRM_OFFLOAD_INBOUND)) { > + sam->flags = sam->flags & ~XFRM_OFFLOAD_IPV6; > + if (!(sam->flags & XFRM_OFFLOAD_INBOUND) || > + sam->flags & ~XFRM_OFFLOAD_INBOUND) { So after stripping the IPV6 flag, you're checking to be sure that INBOUND is the only flag enabled, right? Could you use if (sam->flags != XFRM_OFFLOAD_INBOUND) { instead? sln > err = -EOPNOTSUPP; > goto err_out; > } ^ permalink raw reply [flat|nested] 6+ messages in thread
* [Intel-wired-lan] [PATCH net] ixgbe: ensure IPsec VF<->PF compatibility 2022-03-30 16:13 ` Shannon Nelson @ 2022-03-31 7:45 ` Leon Romanovsky -1 siblings, 0 replies; 6+ messages in thread From: Leon Romanovsky @ 2022-03-31 7:45 UTC (permalink / raw) To: intel-wired-lan On Wed, Mar 30, 2022 at 09:13:21AM -0700, Shannon Nelson wrote: > On 3/30/22 4:01 AM, Leon Romanovsky wrote: > > From: Leon Romanovsky <leonro@nvidia.com> > > > > The VF driver can forward any IPsec flags and such makes the function > > is not extendable and prone to backward/forward incompatibility. > > > > If new software runs on VF, it won't know that PF configured something > > completely different as it "knows" only XFRM_OFFLOAD_INBOUND flag. > > > > Fixes: eda0333ac293 ("ixgbe: add VF IPsec management") > > Reviewed-by: Raed Salem <raeds@nvidia.com> > > Signed-off-by: Leon Romanovsky <leonro@nvidia.com> > > --- > > There is no simple fix for this VF/PF incompatibility as long as FW > > doesn't filter/decline unsupported options when convey mailbox from VF > > to PF. > > --- > > drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c > > index e596e1a9fc75..236f244e3f65 100644 > > --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c > > +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c > > @@ -903,7 +903,9 @@ int ixgbe_ipsec_vf_add_sa(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf) > > /* Tx IPsec offload doesn't seem to work on this > > * device, so block these requests for now. > > */ > > - if (!(sam->flags & XFRM_OFFLOAD_INBOUND)) { > > + sam->flags = sam->flags & ~XFRM_OFFLOAD_IPV6; > > + if (!(sam->flags & XFRM_OFFLOAD_INBOUND) || > > + sam->flags & ~XFRM_OFFLOAD_INBOUND) { > > So after stripping the IPV6 flag, you're checking to be sure that INBOUND is > the only flag enabled, right? > Could you use > ??? if (sam->flags != XFRM_OFFLOAD_INBOUND) { > instead? Sure, I'll send new version soon. Thanks > > sln > > > err = -EOPNOTSUPP; > > goto err_out; > > } > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net] ixgbe: ensure IPsec VF<->PF compatibility @ 2022-03-31 7:45 ` Leon Romanovsky 0 siblings, 0 replies; 6+ messages in thread From: Leon Romanovsky @ 2022-03-31 7:45 UTC (permalink / raw) To: Shannon Nelson Cc: David S . Miller, Jakub Kicinski, intel-wired-lan, Jeff Kirsher, Jesse Brandeburg, linux-kernel, netdev, Paolo Abeni, Raed Salem, Shannon Nelson, Tony Nguyen, Steffen Klassert On Wed, Mar 30, 2022 at 09:13:21AM -0700, Shannon Nelson wrote: > On 3/30/22 4:01 AM, Leon Romanovsky wrote: > > From: Leon Romanovsky <leonro@nvidia.com> > > > > The VF driver can forward any IPsec flags and such makes the function > > is not extendable and prone to backward/forward incompatibility. > > > > If new software runs on VF, it won't know that PF configured something > > completely different as it "knows" only XFRM_OFFLOAD_INBOUND flag. > > > > Fixes: eda0333ac293 ("ixgbe: add VF IPsec management") > > Reviewed-by: Raed Salem <raeds@nvidia.com> > > Signed-off-by: Leon Romanovsky <leonro@nvidia.com> > > --- > > There is no simple fix for this VF/PF incompatibility as long as FW > > doesn't filter/decline unsupported options when convey mailbox from VF > > to PF. > > --- > > drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c > > index e596e1a9fc75..236f244e3f65 100644 > > --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c > > +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c > > @@ -903,7 +903,9 @@ int ixgbe_ipsec_vf_add_sa(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf) > > /* Tx IPsec offload doesn't seem to work on this > > * device, so block these requests for now. > > */ > > - if (!(sam->flags & XFRM_OFFLOAD_INBOUND)) { > > + sam->flags = sam->flags & ~XFRM_OFFLOAD_IPV6; > > + if (!(sam->flags & XFRM_OFFLOAD_INBOUND) || > > + sam->flags & ~XFRM_OFFLOAD_INBOUND) { > > So after stripping the IPV6 flag, you're checking to be sure that INBOUND is > the only flag enabled, right? > Could you use > if (sam->flags != XFRM_OFFLOAD_INBOUND) { > instead? Sure, I'll send new version soon. Thanks > > sln > > > err = -EOPNOTSUPP; > > goto err_out; > > } > ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-03-31 7:45 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2022-03-30 11:01 [Intel-wired-lan] [PATCH net] ixgbe: ensure IPsec VF<->PF compatibility Leon Romanovsky 2022-03-30 11:01 ` Leon Romanovsky 2022-03-30 16:13 ` [Intel-wired-lan] " Shannon Nelson 2022-03-30 16:13 ` Shannon Nelson 2022-03-31 7:45 ` [Intel-wired-lan] " Leon Romanovsky 2022-03-31 7:45 ` Leon Romanovsky
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.