From: Harshitha Ramamurthy <harshitha.ramamurthy@intel.com>
To: intel-wired-lan@osuosl.org
Subject: [Intel-wired-lan] [next PATCH S34 02/12] i40e: Limit the number of mac and vlan addresses that can be added for VFs
Date: Wed, 13 Apr 2016 03:08:22 -0700 [thread overview]
Message-ID: <1460542112-20166-3-git-send-email-harshitha.ramamurthy@intel.com> (raw)
In-Reply-To: <1460542112-20166-1-git-send-email-harshitha.ramamurthy@intel.com>
From: Anjali Singhai Jain <anjali.singhai@intel.com>
If the VF is privileged/trusted it can do as it may please including
but not limited to hogging resources and playing unfair.
But if the VF is not privileged/trusted it still can add some number
(8) of MAC and VLAN addresses.
Other restrictions with respect to Port VLAN and normal VLAN still apply
to not privileged/trusted VF.
Signed-off-by: Anjali Singhai Jain <anjali.singhai@intel.com>
Change-Id: I3a9529201b184c8873e1ad2e300aff468c9e6296
---
Testing Hints :
With this a non trusted VF can add up to 8 mac addresses and up to
(8) vlan addresses if not under port vlan.
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 25 ++++++++++++++++++++--
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h | 3 +++
2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
index e2c3149..747cb28 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
@@ -1831,6 +1831,10 @@ error_param:
(u8 *)&stats, sizeof(stats));
}
+/* If the VF is not trusted restrict the number of MAC/VLAN it can program */
+#define I40E_VC_MAX_MAC_ADDR_PER_VF 8
+#define I40E_VC_MAX_VLAN_PER_VF 8
+
/**
* i40e_check_vf_permission
* @vf: pointer to the VF info
@@ -1863,6 +1867,11 @@ static inline int i40e_check_vf_permission(struct i40e_vf *vf, u8 *macaddr)
dev_err(&pf->pdev->dev,
"VF attempting to override administratively set MAC address, reload the VF driver to resume normal operation\n");
ret = -EPERM;
+ } else if ((vf->num_mac >= I40E_VC_MAX_MAC_ADDR_PER_VF) &&
+ !test_bit(I40E_VIRTCHNL_VF_CAP_PRIVILEGE, &vf->vf_caps)) {
+ dev_err(&pf->pdev->dev,
+ "VF is not trusted, switch the VF to trusted to add more functionality\n");
+ ret = -EPERM;
}
return ret;
}
@@ -1924,6 +1933,8 @@ static int i40e_vc_add_mac_addr_msg(struct i40e_vf *vf, u8 *msg, u16 msglen)
ret = I40E_ERR_PARAM;
spin_unlock_bh(&vsi->mac_filter_list_lock);
goto error_param;
+ } else {
+ vf->num_mac++;
}
}
spin_unlock_bh(&vsi->mac_filter_list_lock);
@@ -1982,6 +1993,8 @@ static int i40e_vc_del_mac_addr_msg(struct i40e_vf *vf, u8 *msg, u16 msglen)
ret = I40E_ERR_INVALID_MAC_ADDR;
spin_unlock_bh(&vsi->mac_filter_list_lock);
goto error_param;
+ } else {
+ vf->num_mac--;
}
spin_unlock_bh(&vsi->mac_filter_list_lock);
@@ -2016,8 +2029,13 @@ static int i40e_vc_add_vlan_msg(struct i40e_vf *vf, u8 *msg, u16 msglen)
i40e_status aq_ret = 0;
int i;
+ if ((vf->num_vlan >= I40E_VC_MAX_VLAN_PER_VF) &&
+ !test_bit(I40E_VIRTCHNL_VF_CAP_PRIVILEGE, &vf->vf_caps)) {
+ dev_err(&pf->pdev->dev,
+ "VF is not trusted, switch the VF to trusted to add more VLAN addresses\n");
+ goto error_param;
+ }
if (!test_bit(I40E_VF_STAT_ACTIVE, &vf->vf_states) ||
- !test_bit(I40E_VIRTCHNL_VF_CAP_PRIVILEGE, &vf->vf_caps) ||
!i40e_vc_isvalid_vsi_id(vf, vsi_id)) {
aq_ret = I40E_ERR_PARAM;
goto error_param;
@@ -2041,6 +2059,8 @@ static int i40e_vc_add_vlan_msg(struct i40e_vf *vf, u8 *msg, u16 msglen)
for (i = 0; i < vfl->num_elements; i++) {
/* add new VLAN filter */
int ret = i40e_vsi_add_vlan(vsi, vfl->vlan_id[i]);
+ if (!ret)
+ vf->num_vlan++;
if (test_bit(I40E_VF_STAT_UC_PROMISC, &vf->vf_states))
i40e_aq_set_vsi_uc_promisc_on_vlan(&pf->hw, vsi->seid,
@@ -2083,7 +2103,6 @@ static int i40e_vc_remove_vlan_msg(struct i40e_vf *vf, u8 *msg, u16 msglen)
int i;
if (!test_bit(I40E_VF_STAT_ACTIVE, &vf->vf_states) ||
- !test_bit(I40E_VIRTCHNL_VF_CAP_PRIVILEGE, &vf->vf_caps) ||
!i40e_vc_isvalid_vsi_id(vf, vsi_id)) {
aq_ret = I40E_ERR_PARAM;
goto error_param;
@@ -2104,6 +2123,8 @@ static int i40e_vc_remove_vlan_msg(struct i40e_vf *vf, u8 *msg, u16 msglen)
for (i = 0; i < vfl->num_elements; i++) {
int ret = i40e_vsi_kill_vlan(vsi, vfl->vlan_id[i]);
+ if (!ret)
+ vf->num_vlan--;
if (test_bit(I40E_VF_STAT_UC_PROMISC, &vf->vf_states))
i40e_aq_set_vsi_uc_promisc_on_vlan(&pf->hw, vsi->seid,
diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h
index 8cbf579..bf54873 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h
@@ -111,6 +111,9 @@ struct i40e_vf {
bool link_forced;
bool link_up; /* only valid if VF link is forced */
bool spoofchk;
+ u16 num_mac;
+ u16 num_vlan;
+
/* RDMA Client */
struct i40e_virtchnl_iwarp_qvlist_info *qvlist_info;
};
--
2.4.3
next prev parent reply other threads:[~2016-04-13 10:08 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-13 10:08 [Intel-wired-lan] [next PATCH S34 00/12] i40e/i40evf updates Harshitha Ramamurthy
2016-04-13 10:08 ` [Intel-wired-lan] [next PATCH S34 01/12] i40e: Change the default for VFs to be not privileged Harshitha Ramamurthy
2016-04-18 21:21 ` Bowers, AndrewX
2016-04-13 10:08 ` Harshitha Ramamurthy [this message]
2016-04-18 19:03 ` [Intel-wired-lan] [next PATCH S34 02/12] i40e: Limit the number of mac and vlan addresses that can be added for VFs Bowers, AndrewX
2016-04-13 10:08 ` [Intel-wired-lan] [next PATCH S34 03/12] i40e: Prevent falling to promiscuous if the VF is not trusted Harshitha Ramamurthy
2016-04-18 19:06 ` Bowers, AndrewX
2016-04-13 10:08 ` [Intel-wired-lan] [next PATCH S34 04/12] i40e: Remove HMC AQ API implementation Harshitha Ramamurthy
2016-04-28 15:34 ` Bowers, AndrewX
2016-04-13 10:08 ` [Intel-wired-lan] [next PATCH S34 05/12] i40e: Flow-based side-band filter count and its use for input set change Harshitha Ramamurthy
2016-04-18 19:43 ` Bowers, AndrewX
2016-04-13 10:08 ` [Intel-wired-lan] [next PATCH S34 06/12] i40evf: RSS Hash Option parameters Harshitha Ramamurthy
2016-04-27 22:19 ` Bowers, AndrewX
2016-04-13 10:08 ` [Intel-wired-lan] [next PATCH S34 07/12] i40e: Fix uninitialized variable Harshitha Ramamurthy
2016-04-18 22:01 ` Bowers, AndrewX
2016-04-13 10:08 ` [Intel-wired-lan] [next PATCH S34 08/12] i40e: ptp - avoid aggregate return warnings Harshitha Ramamurthy
2016-04-13 10:08 ` [Intel-wired-lan] [next PATCH S34 09/12] i40e: Use consistent type for vf_id Harshitha Ramamurthy
2016-04-18 22:49 ` Bowers, AndrewX
2016-04-13 10:08 ` [Intel-wired-lan] [next PATCH S34 10/12] i40e: Drop extra copy of function Harshitha Ramamurthy
2016-04-18 22:50 ` Bowers, AndrewX
2016-04-13 10:08 ` [Intel-wired-lan] [next PATCH S34 11/12] i40e: Update device ids for X722 Harshitha Ramamurthy
2016-04-18 22:52 ` Bowers, AndrewX
2016-04-13 10:08 ` [Intel-wired-lan] [next PATCH S34 12/12] i40e/i40evf : Bump driver version from 1.5.5 to 1.5.10 Harshitha Ramamurthy
2016-04-18 22:53 ` Bowers, AndrewX
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1460542112-20166-3-git-send-email-harshitha.ramamurthy@intel.com \
--to=harshitha.ramamurthy@intel.com \
--cc=intel-wired-lan@osuosl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.