From: Jakub Kicinski <kuba@kernel.org>
To: anthony.l.nguyen@intel.com
Cc: Jakub Kicinski <kuba@kernel.org>,
davem@davemloft.net, pabeni@redhat.com, edumazet@google.com,
andrew+netdev@lunn.ch, netdev@vger.kernel.org,
vinschen@redhat.com, alexander.nowlin@intel.com
Subject: Re: [PATCH net 6/8] ice: skip unnecessary VF reset when setting trust
Date: Fri, 22 May 2026 17:16:23 -0700 [thread overview]
Message-ID: <20260523001623.1757343-1-kuba@kernel.org> (raw)
In-Reply-To: <20260520183501.3360810-7-anthony.l.nguyen@intel.com>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
---
ice: skip unnecessary VF reset when setting trust
Similar to the i40e fix, ice_set_vf_trust() unconditionally calls
ice_reset_vf() when the trust setting changes. While the delay is smaller
than i40e this reset is still unnecessary in most cases.
> diff --git a/drivers/net/ethernet/intel/ice/ice_sriov.c b/drivers/net/ethernet/intel/ice/ice_sriov.c
> --- a/drivers/net/ethernet/intel/ice/ice_sriov.c
> +++ b/drivers/net/ethernet/intel/ice/ice_sriov.c
[ ... ]
> @@ -1399,11 +1416,19 @@ int ice_set_vf_trust(struct net_device *netdev, int vf_id, bool trusted)
>
> mutex_lock(&vf->cfg_lock);
>
> - while (!trusted && vf->num_mac_lldp)
> - ice_vf_update_mac_lldp_num(vf, ice_get_vf_vsi(vf), false);
> -
> + /* Reset only if revoking trust and VF has advanced features configured */
> + if (!trusted &&
> + (vf->num_mac_lldp > 0 ||
> + test_bit(ICE_VF_STATE_UC_PROMISC, vf->vf_states) ||
> + test_bit(ICE_VF_STATE_MC_PROMISC, vf->vf_states))) {
> + ice_reset_vf(vf, ICE_VF_RESET_NOTIFY);
[Severity: High]
When revoking trust, ice_reset_vf() is called before updating vf->trusted
to false.
During ice_reset_vf(), the VSI is rebuilt and synchronizes the
ICE_VIRTCHNL_VF_CAP_PRIVILEGE bit in vf->vf_caps with the current value of
vf->trusted, which is still true. The else block below is bypassed, and
although vf->trusted is later set to false, vf_caps will retain the
privileged capability bit.
Because ice_is_vf_trusted() strictly checks vf_caps, won't the VF
incorrectly retain privileged capabilities indefinitely after this operation?
> + while (vf->num_mac_lldp)
> + ice_vf_update_mac_lldp_num(vf, ice_get_vf_vsi(vf), false);
[Severity: High]
Is the MAC LLDP filter cleanup loop dead code?
ice_reset_vf() internally calls ice_vf_pre_vsi_rebuild(), which
unconditionally clears vf->num_mac_lldp to 0 via ice_vf_clear_counters().
As a result, the while condition evaluates to false immediately upon
returning from the reset, completely bypassing the intended cleanup logic.
Furthermore, because vf->num_mac_lldp is abruptly zeroed without going
through ice_vf_update_mac_lldp_num(), does the driver skip calling
ice_vsi_cfg_sw_lldp(), silently leaking the software LLDP switch filters
from its bookkeeping?
> + } else {
> + ice_setup_vf_trust(vf, trusted);
> + }
[Severity: High]
If we skip the VF reset when granting trust, what happens to expected VM
configuration workflows for promiscuous mode?
The PF driver intentionally lies to untrusted VFs that attempt to enable
promiscuous mode: it returns success to the VF without actually programming
the hardware. Historically, granting trust forced a full VF reset. This reset
prompted the VF driver to re-initialize and replay its configuration (including
promiscuous mode) to the PF, which would then correctly program the hardware
because the VF was now trusted.
By skipping the reset when granting trust, it appears a VF that previously
requested promiscuous mode will remain permanently desynchronized. The guest
OS believes it is in promiscuous mode, but the hardware is not programmed to
reflect this, which could result in dropped traffic.
[Severity: High]
When skipping the VF reset on trust revocation (because the VF lacks MAC
LLDP or promiscuous mode), are we allowing the VF to persistently retain
resources allocated while it was trusted?
The 'trusted' capability grants a VF the ability to bypass administrative
limits, such as ICE_MAX_MACADDR_PER_VF (which restricts standard VFs to 18
MAC addresses) and the maximum VLAN limit checked in ice_vf_has_max_vlans().
Prior to this patch, revoking trust unconditionally triggered a VF reset,
which rebuilt the VSI and completely wiped all dynamically allocated hardware
filters, effectively enforcing the demoted limits.
Without the reset, might a VF that allocated an excessive number of MAC
addresses or VLANs while trusted retain them in hardware indefinitely after
trust is revoked, creating a persistent resource limit bypass?
> vf->trusted = trusted;
> - ice_reset_vf(vf, ICE_VF_RESET_NOTIFY);
> +
> dev_info(ice_pf_to_dev(pf), "VF %u is now %strusted\n",
> vf_id, trusted ? "" : "un");
next prev parent reply other threads:[~2026-05-23 0:16 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-20 18:34 [PATCH net 0/8][pull request] Intel Wired LAN Driver Updates 2026-05-20 (ice, iavf, i40e, ixgbe) Tony Nguyen
2026-05-20 18:34 ` [PATCH net 1/8] ice: fix UAF/NULL deref when VSI rebuild and XDP attach race Tony Nguyen
2026-05-21 15:37 ` Jakub Kicinski
2026-05-23 0:16 ` Jakub Kicinski
2026-05-20 18:34 ` [PATCH net 2/8] ice: fix stats array overflow when VF requests more queues Tony Nguyen
2026-05-23 0:16 ` Jakub Kicinski
2026-05-20 18:34 ` [PATCH net 3/8] iavf: return EBUSY if reset in progress or not ready during MAC change Tony Nguyen
2026-05-20 18:34 ` [PATCH net 4/8] i40e: skip unnecessary VF reset when setting trust Tony Nguyen
2026-05-23 0:16 ` Jakub Kicinski
2026-05-23 0:16 ` Jakub Kicinski
2026-05-20 18:34 ` [PATCH net 5/8] iavf: send MAC change request synchronously Tony Nguyen
2026-05-23 0:16 ` Jakub Kicinski
2026-05-23 0:16 ` Jakub Kicinski
2026-05-20 18:34 ` [PATCH net 6/8] ice: skip unnecessary VF reset when setting trust Tony Nguyen
2026-05-23 0:16 ` Jakub Kicinski
2026-05-23 0:16 ` Jakub Kicinski [this message]
2026-05-20 18:34 ` [PATCH net 7/8] i40e: set supported_extts_flags for rising edge Tony Nguyen
2026-05-23 0:16 ` Jakub Kicinski
2026-05-20 18:34 ` [PATCH net 8/8] ixgbe: only access vfinfo and mv_list under RCU lock Tony Nguyen
2026-05-23 0:16 ` Jakub Kicinski
2026-05-23 0:16 ` Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260523001623.1757343-1-kuba@kernel.org \
--to=kuba@kernel.org \
--cc=alexander.nowlin@intel.com \
--cc=andrew+netdev@lunn.ch \
--cc=anthony.l.nguyen@intel.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=vinschen@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox