* [PATCH next-queue 1/2] ixgbe: disallow ipsec tx offload when in sr-iov mode
@ 2018-08-22 22:59 Shannon Nelson
2018-08-22 22:59 ` [PATCH next-queue 2/2] ixgbe: fix the return value for unsupported VF offload Shannon Nelson
0 siblings, 1 reply; 2+ messages in thread
From: Shannon Nelson @ 2018-08-22 22:59 UTC (permalink / raw)
To: jeffrey.t.kirsher; +Cc: steffen.klassert, netdev
There seems to be a problem in the x540's internal switch wherein if SR/IOV
mode is enabled and an offloaded IPsec packet is sent to a local VF,
the packet is silently dropped. This might never be a problem as it is
somewhat a corner case, but if someone happens to be using IPsec offload
from the PF to a VF that just happens to get migrated to the local box,
communication will mysteriously fail.
Not good.
A simple way to protect from this is to simply not allow any IPsec offloads
for outgoing packets when num_vfs != 0. This doesn't help any offloads that
were created before SR/IOV was enabled, but we'll get to that later.
Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
index 68395ab..24076b4 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
@@ -697,6 +697,9 @@ static int ixgbe_ipsec_add_sa(struct xfrm_state *xs)
} else {
struct tx_sa tsa;
+ if (adapter->num_vfs)
+ return -EOPNOTSUPP;
+
/* find the first unused index */
ret = ixgbe_ipsec_find_empty_idx(ipsec, false);
if (ret < 0) {
--
2.7.4
^ permalink raw reply related [flat|nested] 2+ messages in thread* [PATCH next-queue 2/2] ixgbe: fix the return value for unsupported VF offload
2018-08-22 22:59 [PATCH next-queue 1/2] ixgbe: disallow ipsec tx offload when in sr-iov mode Shannon Nelson
@ 2018-08-22 22:59 ` Shannon Nelson
0 siblings, 0 replies; 2+ messages in thread
From: Shannon Nelson @ 2018-08-22 22:59 UTC (permalink / raw)
To: jeffrey.t.kirsher; +Cc: steffen.klassert, netdev
When failing the request because we can't support that offload,
reporting EOPNOTSUPP makes much more sense than ENXIO.
Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
index 24076b4..7890f4a 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
@@ -898,7 +898,7 @@ int ixgbe_ipsec_vf_add_sa(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf)
* device, so block these requests for now.
*/
if (!(sam->flags & XFRM_OFFLOAD_INBOUND)) {
- err = -ENXIO;
+ err = -EOPNOTSUPP;
goto err_out;
}
--
2.7.4
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-08-23 2:26 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-08-22 22:59 [PATCH next-queue 1/2] ixgbe: disallow ipsec tx offload when in sr-iov mode Shannon Nelson
2018-08-22 22:59 ` [PATCH next-queue 2/2] ixgbe: fix the return value for unsupported VF offload Shannon Nelson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox