From patchwork Tue Jul 23 23:32:39 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tony Nguyen X-Patchwork-Id: 13740470 X-Patchwork-Delegate: kuba@kernel.org Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7BE8D1494B1; Tue, 23 Jul 2024 23:32:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.198.163.11 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721777570; cv=none; b=MTB+HspOHAXXi6lGuylBNK0McrgkQwMyg+OTSD33Pmp2j7Qe4cLObeRAuWXMS2shKdGlGfkpBMhz8C6qmJTb6k1gep0gwsanWWZif5RgGMZOOqXjrzqCguoGiW+uyvmEgiPZGjFjw4K23A+MfVYv7sZ7XNsxl/6tA4iE4cTQkF8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721777570; c=relaxed/simple; bh=eKog2Ep3dti5ZCaAkQIODl65EVfABP7KbitPd02YmDg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=dWGhASewGaiNg1xxdyhvQaP7U4pQQfvPwsdV7BSKMm8yKVIGh161mwzE5J/ngQsYcH/pBqp6wiXxOKl0koYqplbYqbxU52kq5jtdpccXDycShAWuchuKn2/CZ3f+9R5IDHRFlvYNp6YsIfST9jd7okG/WAbXtcnD4BrN6rd/v/8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com; spf=pass smtp.mailfrom=intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=MoWjQ2Qp; arc=none smtp.client-ip=192.198.163.11 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="MoWjQ2Qp" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1721777569; x=1753313569; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=eKog2Ep3dti5ZCaAkQIODl65EVfABP7KbitPd02YmDg=; b=MoWjQ2Qp/kIqD6mUwbWp/ftlonf8xTiILrIj/6Im9dFN8benRa3TVg4V V4alse0imLN0117roV2Mi7ZBbB5k8y8e1xFztSz9GpTi0CgOpb4vAuMoL 7dg7IRISZ3t/9nKThELWzM7LfDQ7FlFubdDRxrG/e819gvePjetWtVN2/ J8LT81LBCupz8Q6BT/7+C5r82+Q5QteBtUx+PDjQts50HYaL6BhD6sgoV i2/oEUGqR7QX7Uf9po0XRV3ct71FPQIPqRtb6lFv2/+ZY7eADy8m4WvJN gSgV3LhxJuq1Q9A4aFMKI2y+meXB3PM+ovaz+r5feHZvzu18f7+/XyRIe Q==; X-CSE-ConnectionGUID: kTr0XR/pRq64r4NuFh/oTQ== X-CSE-MsgGUID: IzcHURH2S4WPyfiZVKiVdg== X-IronPort-AV: E=McAfee;i="6700,10204,11142"; a="30049074" X-IronPort-AV: E=Sophos;i="6.09,231,1716274800"; d="scan'208";a="30049074" Received: from orviesa001.jf.intel.com ([10.64.159.141]) by fmvoesa105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Jul 2024 16:32:46 -0700 X-CSE-ConnectionGUID: AoIF7R08RaencD5z7N4/hQ== X-CSE-MsgGUID: XebpQBRzSYa4fJTBt56PNg== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.09,231,1716274800"; d="scan'208";a="89847952" Received: from anguy11-upstream.jf.intel.com ([10.166.9.133]) by orviesa001.jf.intel.com with ESMTP; 23 Jul 2024 16:32:46 -0700 From: Tony Nguyen To: davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, netdev@vger.kernel.org Cc: Ahmed Zaki , anthony.l.nguyen@intel.com, stable@vger.kernel.org, Przemek Kitszel , Sridhar Samudrala , Wojciech Drewek , Rafal Romanowski Subject: [PATCH net 1/2] ice: Add a per-VF limit on number of FDIR filters Date: Tue, 23 Jul 2024 16:32:39 -0700 Message-ID: <20240723233242.3146628-2-anthony.l.nguyen@intel.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20240723233242.3146628-1-anthony.l.nguyen@intel.com> References: <20240723233242.3146628-1-anthony.l.nguyen@intel.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Ahmed Zaki While the iavf driver adds a s/w limit (128) on the number of FDIR filters that the VF can request, a malicious VF driver can request more than that and exhaust the resources for other VFs. Add a similar limit in ice. CC: stable@vger.kernel.org Fixes: 1f7ea1cd6a37 ("ice: Enable FDIR Configure for AVF") Reviewed-by: Przemek Kitszel Suggested-by: Sridhar Samudrala Signed-off-by: Ahmed Zaki Reviewed-by: Wojciech Drewek Tested-by: Rafal Romanowski Signed-off-by: Tony Nguyen --- .../net/ethernet/intel/ice/ice_ethtool_fdir.c | 2 +- drivers/net/ethernet/intel/ice/ice_fdir.h | 3 +++ .../net/ethernet/intel/ice/ice_virtchnl_fdir.c | 16 ++++++++++++++++ .../net/ethernet/intel/ice/ice_virtchnl_fdir.h | 1 + 4 files changed, 21 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool_fdir.c b/drivers/net/ethernet/intel/ice/ice_ethtool_fdir.c index e3cab8e98f52..5412eff8ef23 100644 --- a/drivers/net/ethernet/intel/ice/ice_ethtool_fdir.c +++ b/drivers/net/ethernet/intel/ice/ice_ethtool_fdir.c @@ -534,7 +534,7 @@ ice_parse_rx_flow_user_data(struct ethtool_rx_flow_spec *fsp, * * Returns the number of available flow director filters to this VSI */ -static int ice_fdir_num_avail_fltr(struct ice_hw *hw, struct ice_vsi *vsi) +int ice_fdir_num_avail_fltr(struct ice_hw *hw, struct ice_vsi *vsi) { u16 vsi_num = ice_get_hw_vsi_num(hw, vsi->idx); u16 num_guar; diff --git a/drivers/net/ethernet/intel/ice/ice_fdir.h b/drivers/net/ethernet/intel/ice/ice_fdir.h index 021ecbac7848..ab5b118daa2d 100644 --- a/drivers/net/ethernet/intel/ice/ice_fdir.h +++ b/drivers/net/ethernet/intel/ice/ice_fdir.h @@ -207,6 +207,8 @@ struct ice_fdir_base_pkt { const u8 *tun_pkt; }; +struct ice_vsi; + int ice_alloc_fd_res_cntr(struct ice_hw *hw, u16 *cntr_id); int ice_free_fd_res_cntr(struct ice_hw *hw, u16 cntr_id); int ice_alloc_fd_guar_item(struct ice_hw *hw, u16 *cntr_id, u16 num_fltr); @@ -218,6 +220,7 @@ int ice_fdir_get_gen_prgm_pkt(struct ice_hw *hw, struct ice_fdir_fltr *input, u8 *pkt, bool frag, bool tun); int ice_get_fdir_cnt_all(struct ice_hw *hw); +int ice_fdir_num_avail_fltr(struct ice_hw *hw, struct ice_vsi *vsi); bool ice_fdir_is_dup_fltr(struct ice_hw *hw, struct ice_fdir_fltr *input); bool ice_fdir_has_frag(enum ice_fltr_ptype flow); struct ice_fdir_fltr * diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c index 8e4ff3af86c6..b4feb0927687 100644 --- a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c +++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c @@ -536,6 +536,8 @@ static void ice_vc_fdir_reset_cnt_all(struct ice_vf_fdir *fdir) fdir->fdir_fltr_cnt[flow][0] = 0; fdir->fdir_fltr_cnt[flow][1] = 0; } + + fdir->fdir_fltr_cnt_total = 0; } /** @@ -1560,6 +1562,7 @@ ice_vc_add_fdir_fltr_post(struct ice_vf *vf, struct ice_vf_fdir_ctx *ctx, resp->status = status; resp->flow_id = conf->flow_id; vf->fdir.fdir_fltr_cnt[conf->input.flow_type][is_tun]++; + vf->fdir.fdir_fltr_cnt_total++; ret = ice_vc_send_msg_to_vf(vf, ctx->v_opcode, v_ret, (u8 *)resp, len); @@ -1624,6 +1627,7 @@ ice_vc_del_fdir_fltr_post(struct ice_vf *vf, struct ice_vf_fdir_ctx *ctx, resp->status = status; ice_vc_fdir_remove_entry(vf, conf, conf->flow_id); vf->fdir.fdir_fltr_cnt[conf->input.flow_type][is_tun]--; + vf->fdir.fdir_fltr_cnt_total--; ret = ice_vc_send_msg_to_vf(vf, ctx->v_opcode, v_ret, (u8 *)resp, len); @@ -1790,6 +1794,7 @@ int ice_vc_add_fdir_fltr(struct ice_vf *vf, u8 *msg) struct virtchnl_fdir_add *stat = NULL; struct virtchnl_fdir_fltr_conf *conf; enum virtchnl_status_code v_ret; + struct ice_vsi *vf_vsi; struct device *dev; struct ice_pf *pf; int is_tun = 0; @@ -1798,6 +1803,17 @@ int ice_vc_add_fdir_fltr(struct ice_vf *vf, u8 *msg) pf = vf->pf; dev = ice_pf_to_dev(pf); + vf_vsi = ice_get_vf_vsi(vf); + +#define ICE_VF_MAX_FDIR_FILTERS 128 + if (!ice_fdir_num_avail_fltr(&pf->hw, vf_vsi) || + vf->fdir.fdir_fltr_cnt_total >= ICE_VF_MAX_FDIR_FILTERS) { + v_ret = VIRTCHNL_STATUS_ERR_PARAM; + dev_err(dev, "Max number of FDIR filters for VF %d is reached\n", + vf->vf_id); + goto err_exit; + } + ret = ice_vc_fdir_param_check(vf, fltr->vsi_id); if (ret) { v_ret = VIRTCHNL_STATUS_ERR_PARAM; diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.h b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.h index c5bcc8d7481c..ac6dcab454b4 100644 --- a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.h +++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.h @@ -29,6 +29,7 @@ struct ice_vf_fdir_ctx { struct ice_vf_fdir { u16 fdir_fltr_cnt[ICE_FLTR_PTYPE_MAX][ICE_FD_HW_SEG_MAX]; int prof_entry_cnt[ICE_FLTR_PTYPE_MAX][ICE_FD_HW_SEG_MAX]; + u16 fdir_fltr_cnt_total; struct ice_fd_hw_prof **fdir_prof; struct idr fdir_rule_idr; From patchwork Tue Jul 23 23:32:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tony Nguyen X-Patchwork-Id: 13740471 X-Patchwork-Delegate: kuba@kernel.org Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EBC121494D6 for ; Tue, 23 Jul 2024 23:32:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.198.163.11 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721777570; cv=none; b=ut7Iy1EZRkh8h4c82DOBZcVHgJ9JuBTiflB6gfHesH4B6uMprtlZrnSTcD2hjD3ahwLQCJmJkfoU3htIoHjNX/FLmPMlogU437xzSJDkIhWcbCXEMlPZHYoTRKVVJI+C/+eEXjR5wAtwN821Xj7P5kpy24MgQ3u5/x1vvronNXU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721777570; c=relaxed/simple; bh=2y47HrzQ10u1vvE6/1JwHiK3GbG94ai+BkLVFonBNXo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=dq49ZW6ewB29gkv31UkqdrzQ7WXJrBXzIK6FMrHja3noqJMm6QQqlWv35S7SQprviRdIt/krBLly40pHP+A8HOuQ7k57shIRGeDsPoth/EoNKW3tzLrxI0MGxlS0JIY2oJvZchtT4/oNL9ZpVrnbzDf2XBtVXKAZNlTMPFpKOUU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com; spf=pass smtp.mailfrom=intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=QbgTn+VT; arc=none smtp.client-ip=192.198.163.11 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="QbgTn+VT" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1721777569; x=1753313569; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=2y47HrzQ10u1vvE6/1JwHiK3GbG94ai+BkLVFonBNXo=; b=QbgTn+VTZkrnaQ/LPbyuB4z2q+l8xuCdVIlxvCz9RalIsinhS/W3i9rG KefN1Dj3p1rKQT3S8/dVp3DLcRI0AyKdU1gfid/mYTbEcobqHzv9sM2Qx mzlhwb3u+mYgAQWmhjyvS7xqDQRilvLtLkGcmFIchcAdl9Bwi65yIvJfB pDpo5ZdAavYp1TKVORSpAqwfb90AOuTVdFNTXEWmoifsWrZIGr9+OMIX7 7oKm9e52rrE5C/2HBrnd2hi9+KvywsaNsE+I/L3DPWGebtUg4m3KDWGLB eV574drg+iYbwxNUIV/b0r8YYctgog2WGqbAM3VV+ZAoxHzxy5U1C3trJ A==; X-CSE-ConnectionGUID: o00tuqX1QO6VaxZ9bClJdg== X-CSE-MsgGUID: 8+nTDLx9TsG3woe02BQEUw== X-IronPort-AV: E=McAfee;i="6700,10204,11142"; a="30049082" X-IronPort-AV: E=Sophos;i="6.09,231,1716274800"; d="scan'208";a="30049082" Received: from orviesa001.jf.intel.com ([10.64.159.141]) by fmvoesa105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Jul 2024 16:32:46 -0700 X-CSE-ConnectionGUID: +/6at0KcTeWYuGx87LYEsA== X-CSE-MsgGUID: +gU89QC+QIOR6MWPQYm6ug== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.09,231,1716274800"; d="scan'208";a="89847955" Received: from anguy11-upstream.jf.intel.com ([10.166.9.133]) by orviesa001.jf.intel.com with ESMTP; 23 Jul 2024 16:32:46 -0700 From: Tony Nguyen To: davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, netdev@vger.kernel.org Cc: Wojciech Drewek , anthony.l.nguyen@intel.com, Marcin Szycik , Przemek Kitszel , Simon Horman , Sujai Buvaneswaran Subject: [PATCH net 2/2] ice: Fix recipe read procedure Date: Tue, 23 Jul 2024 16:32:40 -0700 Message-ID: <20240723233242.3146628-3-anthony.l.nguyen@intel.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20240723233242.3146628-1-anthony.l.nguyen@intel.com> References: <20240723233242.3146628-1-anthony.l.nguyen@intel.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Wojciech Drewek When ice driver reads recipes from firmware information about need_pass_l2 and allow_pass_l2 flags is not stored correctly. Those flags are stored as one bit each in ice_sw_recipe structure. Because of that, the result of checking a flag has to be casted to bool. Note that the need_pass_l2 flag currently works correctly, because it's stored in the first bit. Fixes: bccd9bce29e0 ("ice: Add guard rule when creating FDB in switchdev") Reviewed-by: Marcin Szycik Reviewed-by: Przemek Kitszel Signed-off-by: Wojciech Drewek Reviewed-by: Simon Horman Tested-by: Sujai Buvaneswaran Signed-off-by: Tony Nguyen --- drivers/net/ethernet/intel/ice/ice_switch.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/net/ethernet/intel/ice/ice_switch.c b/drivers/net/ethernet/intel/ice/ice_switch.c index 3caafcdc301f..fe8847184cb1 100644 --- a/drivers/net/ethernet/intel/ice/ice_switch.c +++ b/drivers/net/ethernet/intel/ice/ice_switch.c @@ -2400,10 +2400,10 @@ ice_get_recp_frm_fw(struct ice_hw *hw, struct ice_sw_recipe *recps, u8 rid, /* Propagate some data to the recipe database */ recps[idx].priority = root_bufs.content.act_ctrl_fwd_priority; - recps[idx].need_pass_l2 = root_bufs.content.act_ctrl & - ICE_AQ_RECIPE_ACT_NEED_PASS_L2; - recps[idx].allow_pass_l2 = root_bufs.content.act_ctrl & - ICE_AQ_RECIPE_ACT_ALLOW_PASS_L2; + recps[idx].need_pass_l2 = !!(root_bufs.content.act_ctrl & + ICE_AQ_RECIPE_ACT_NEED_PASS_L2); + recps[idx].allow_pass_l2 = !!(root_bufs.content.act_ctrl & + ICE_AQ_RECIPE_ACT_ALLOW_PASS_L2); bitmap_zero(recps[idx].res_idxs, ICE_MAX_FV_WORDS); if (root_bufs.content.result_indx & ICE_AQ_RECIPE_RESULT_EN) { set_bit(root_bufs.content.result_indx &