[Intel-wired-lan] [PATCH next-queue 1/2] ixgbe: disallow ipsec tx offload when in sr-iov mode

[Intel-wired-lan] [PATCH next-queue 1/2] ixgbe: disallow ipsec tx offload when in sr-iov mode

[Shannon Nelson]

There seems to be a problem in the x540's internal switch wherein if SR/IOV
mode is enabled and an offloaded IPsec packet is sent to a local VF,
the packet is silently dropped.  This might never be a problem as it is
somewhat a corner case, but if someone happens to be using IPsec offload
from the PF to a VF that just happens to get migrated to the local box,
communication will mysteriously fail.

Not good.

A simple way to protect from this is to simply not allow any IPsec offloads
for outgoing packets when num_vfs != 0.  This doesn't help any offloads that
were created before SR/IOV was enabled, but we'll get to that later.

Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com>
---
 drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
index 68395ab..24076b4 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
@@ -697,6 +697,9 @@ static int ixgbe_ipsec_add_sa(struct xfrm_state *xs)
 	} else {
 		struct tx_sa tsa;
 
+		if (adapter->num_vfs)
+			return -EOPNOTSUPP;
+
 		/* find the first unused index */
 		ret = ixgbe_ipsec_find_empty_idx(ipsec, false);
 		if (ret < 0) {
-- 
2.7.4

[Intel-wired-lan] [PATCH next-queue 2/2] ixgbe: fix the return value for unsupported VF offload

[Shannon Nelson]

When failing the request because we can't support that offload,
reporting EOPNOTSUPP makes much more sense than ENXIO.

Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com>
---
 drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
index 24076b4..7890f4a 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
@@ -898,7 +898,7 @@ int ixgbe_ipsec_vf_add_sa(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf)
 	 * device, so block these requests for now.
 	 */
 	if (!(sam->flags & XFRM_OFFLOAD_INBOUND)) {
-		err = -ENXIO;
+		err = -EOPNOTSUPP;
 		goto err_out;
 	}
 
-- 
2.7.4

[Intel-wired-lan] [PATCH next-queue 1/2] ixgbe: disallow ipsec tx offload when in sr-iov mode

[Bowers, AndrewX]

> -----Original Message-----
> From: Intel-wired-lan [mailto:intel-wired-lan-bounces at osuosl.org] On
> Behalf Of Shannon Nelson
> Sent: Wednesday, August 22, 2018 4:47 PM
> To: intel-wired-lan at lists.osuosl.org
> Subject: [Intel-wired-lan] [PATCH next-queue 1/2] ixgbe: disallow ipsec tx
> offload when in sr-iov mode
> 
> There seems to be a problem in the x540's internal switch wherein if SR/IOV
> mode is enabled and an offloaded IPsec packet is sent to a local VF, the
> packet is silently dropped.  This might never be a problem as it is somewhat a
> corner case, but if someone happens to be using IPsec offload from the PF to
> a VF that just happens to get migrated to the local box, communication will
> mysteriously fail.
> 
> Not good.
> 
> A simple way to protect from this is to simply not allow any IPsec offloads for
> outgoing packets when num_vfs != 0.  This doesn't help any offloads that
> were created before SR/IOV was enabled, but we'll get to that later.
> 
> Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com>
> ---
>  drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 3 +++
>  1 file changed, 3 insertions(+)

Tested-by: Andrew Bowers <andrewx.bowers@intel.com>

[Intel-wired-lan] [PATCH next-queue 2/2] ixgbe: fix the return value for unsupported VF offload

[Bowers, AndrewX]

> -----Original Message-----
> From: Intel-wired-lan [mailto:intel-wired-lan-bounces at osuosl.org] On
> Behalf Of Shannon Nelson
> Sent: Wednesday, August 22, 2018 4:47 PM
> To: intel-wired-lan at lists.osuosl.org
> Subject: [Intel-wired-lan] [PATCH next-queue 2/2] ixgbe: fix the return value
> for unsupported VF offload
> 
> When failing the request because we can't support that offload, reporting
> EOPNOTSUPP makes much more sense than ENXIO.
> 
> Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com>
> ---
>  drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Tested-by: Andrew Bowers <andrewx.bowers@intel.com>