RE: [Intel-wired-lan] [PATCH net] i40e: Do not allow untrusted VF to remove administratively set MAC

From: Romanowski, Rafal
Date: Thu Feb 08 2024 - 07:03:34 EST

Next message: Andi Shyti: "Re: [V3] i2c: i2c-qcom-geni: Correct I2C TRE sequence"
Previous message: Lukasz Luba: "[PATCH v8 23/23] Documentation: EM: Update with runtime modification design"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> -----Original Message-----
> From: Intel-wired-lan <intel-wired-lan-bounces@xxxxxxxxxx> On Behalf Of
> Simon Horman
> Sent: Friday, February 2, 2024 1:43 PM
> To: ivecera <ivecera@xxxxxxxxxx>
> Cc: Mateusz Palczewski <mateusz.palczewski@xxxxxxxxx>;
> netdev@xxxxxxxxxxxxxxx; Williams, Mitch A <mitch.a.williams@xxxxxxxxx>;
> Brandeburg, Jesse <jesse.brandeburg@xxxxxxxxx>; open list <linux-
> kernel@xxxxxxxxxxxxxxx>; Eric Dumazet <edumazet@xxxxxxxxxx>; Nguyen,
> Anthony L <anthony.l.nguyen@xxxxxxxxx>; Jeff Kirsher
> <jeffrey.t.kirsher@xxxxxxxxx>; Sylwester Dziedziuch
> <sylwesterx.dziedziuch@xxxxxxxxx>; Jakub Kicinski <kuba@xxxxxxxxxx>; Paolo
> Abeni <pabeni@xxxxxxxxxx>; David S. Miller <davem@xxxxxxxxxxxxx>;
> moderated list:INTEL ETHERNET DRIVERS <intel-wired-lan@xxxxxxxxxxxxxxxx>
> Subject: Re: [Intel-wired-lan] [PATCH net] i40e: Do not allow untrusted VF to
> remove administratively set MAC
>
> On Wed, Jan 31, 2024 at 02:17:14PM +0100, Ivan Vecera wrote:
> > Currently when PF administratively sets VF's MAC address and the VF is
> > put down (VF tries to delete all MACs) then the MAC is removed from
> > MAC filters and primary VF MAC is zeroed.
> >
> > Do not allow untrusted VF to remove primary MAC when it was set
> > administratively by PF.
> >
> > Reproducer:
> > 1) Create VF
> > 2) Set VF interface up
> > 3) Administratively set the VF's MAC
> > 4) Put VF interface down
> >
> > [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs
> > [root@host ~]# ip link set enp2s0f0v0 up [root@host ~]# ip link set
> > enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@host ~]# ip link show
> > enp2s0f0
> > 23: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
> mq state UP mode DEFAULT group default qlen 1000
> > link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff
> > vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on,
> link-state auto, trust off
> > [root@host ~]# ip link set enp2s0f0v0 down [root@host ~]# ip link show
> > enp2s0f0
> > 23: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
> mq state UP mode DEFAULT group default qlen 1000
> > link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff
> > vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on,
> link-state auto, trust off
> >
> > Fixes: 700bbf6c1f9e ("i40e: allow VF to remove any MAC filter")
> > Fixes: ceb29474bbbc ("i40e: Add support for VF to specify its primary
> > MAC address")
> > Signed-off-by: Ivan Vecera <ivecera@xxxxxxxxxx>
>
> Thanks Ivan,
>
> Reviewed-by: Simon Horman <horms@xxxxxxxxxx>

Tested-by: Rafal Romanowski <rafal.romanowski@xxxxxxxxx>

Next message: Andi Shyti: "Re: [V3] i2c: i2c-qcom-geni: Correct I2C TRE sequence"
Previous message: Lukasz Luba: "[PATCH v8 23/23] Documentation: EM: Update with runtime modification design"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]