[PATCH] net/i40e: fix FDIR VLAN TCI partial mask validation

[PATCH] net/i40e: fix FDIR VLAN TCI partial mask validation

[Ciara Loftus]

Currently, the i40e flow validation logic accepts some partial VLAN TCI
masks alongside the full mask, and reports an error for any other value.
This is broken in two ways.

First, the error case is not handled correctly. An error is recorded
however execution continues as normal, and a filter is programmed using
the invalid mask, silently producing wrong matching behaviour.

Second, the hardware always compares the full 16-bit TCI field with no
per-bit masking. Partial masks are therefore not honoured and should not
be accepted.

Fix this by accepting only either a wildcard or exact match mask and
handle the invalid mask cases appropriately.

Bugzilla ID: 1340
Fixes: 81aebb47d1 ("net/i40e: fix flow director for eth + VLAN pattern")
Cc: stable@dpdk.org

Signed-off-by: Ciara Loftus <ciara.loftus@intel.com>
---
 drivers/net/intel/i40e/i40e_flow.c | 20 +++++++-------------
 1 file changed, 7 insertions(+), 13 deletions(-)

diff --git a/drivers/net/intel/i40e/i40e_flow.c b/drivers/net/intel/i40e/i40e_flow.c
index 84cfddb92d..9369256b48 100644
--- a/drivers/net/intel/i40e/i40e_flow.c
+++ b/drivers/net/intel/i40e/i40e_flow.c
@@ -30,9 +30,6 @@
 #define I40E_IPV6_FRAG_HEADER	44
 #define I40E_TENANT_ARRAY_NUM	3
 #define I40E_VLAN_TCI_MASK	0xFFFF
-#define I40E_VLAN_PRI_MASK	0xE000
-#define I40E_VLAN_CFI_MASK	0x1000
-#define I40E_VLAN_VID_MASK	0x0FFF
 
 static int i40e_flow_validate(struct rte_eth_dev *dev,
 			      const struct rte_flow_attr *attr,
@@ -1765,22 +1762,19 @@ i40e_flow_parse_fdir_pattern(struct rte_eth_dev *dev,
 
 			RTE_ASSERT(!(input_set & I40E_INSET_LAST_ETHER_TYPE));
 			if (vlan_spec && vlan_mask) {
-				if (vlan_mask->hdr.vlan_tci !=
-				    rte_cpu_to_be_16(I40E_VLAN_TCI_MASK) &&
+				if (vlan_mask->hdr.vlan_tci != 0 &&
 				    vlan_mask->hdr.vlan_tci !=
-				    rte_cpu_to_be_16(I40E_VLAN_PRI_MASK) &&
-				    vlan_mask->hdr.vlan_tci !=
-				    rte_cpu_to_be_16(I40E_VLAN_CFI_MASK) &&
-				    vlan_mask->hdr.vlan_tci !=
-				    rte_cpu_to_be_16(I40E_VLAN_VID_MASK)) {
+				    rte_cpu_to_be_16(I40E_VLAN_TCI_MASK)) {
 					rte_flow_error_set(error, EINVAL,
 						   RTE_FLOW_ERROR_TYPE_ITEM,
 						   item,
 						   "Unsupported TCI mask.");
+					return -rte_errno;
+				}
+				if (vlan_mask->hdr.vlan_tci != 0) {
+					input_set |= I40E_INSET_VLAN_INNER;
+					filter->input.flow_ext.vlan_tci = vlan_spec->hdr.vlan_tci;
 				}
-				input_set |= I40E_INSET_VLAN_INNER;
-				filter->input.flow_ext.vlan_tci =
-					vlan_spec->hdr.vlan_tci;
 			}
 			if (vlan_spec && vlan_mask && vlan_mask->hdr.eth_proto) {
 				if (vlan_mask->hdr.eth_proto != RTE_BE16(0xffff)) {
-- 
2.43.0

Re: [PATCH] net/i40e: fix FDIR VLAN TCI partial mask validation

[Bruce Richardson]

On Mon, Mar 23, 2026 at 10:43:45AM +0000, Ciara Loftus wrote:
> Currently, the i40e flow validation logic accepts some partial VLAN TCI
> masks alongside the full mask, and reports an error for any other value.
> This is broken in two ways.
> 
> First, the error case is not handled correctly. An error is recorded
> however execution continues as normal, and a filter is programmed using
> the invalid mask, silently producing wrong matching behaviour.
> 
> Second, the hardware always compares the full 16-bit TCI field with no
> per-bit masking. Partial masks are therefore not honoured and should not
> be accepted.
> 
> Fix this by accepting only either a wildcard or exact match mask and
> handle the invalid mask cases appropriately.
> 
> Bugzilla ID: 1340
> Fixes: 81aebb47d1 ("net/i40e: fix flow director for eth + VLAN pattern")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Ciara Loftus <ciara.loftus@intel.com>
> ---
>  drivers/net/intel/i40e/i40e_flow.c | 20 +++++++-------------
>  1 file changed, 7 insertions(+), 13 deletions(-)
> 
Acked-by: Bruce Richardson <bruce.richardson@intel.com>

Applied to dpdk-next-net-intel,

Thanks,
/Bruce