1 |
From fe1b2e1fb6f693523bdd05040398f65f41905a41 Mon Sep 17 00:00:00 2001 |
2 |
From: Shannon Nelson <shannon.nelson@oracle.com> |
3 |
Date: Wed, 22 Aug 2018 16:47:14 -0700 |
4 |
Subject: [PATCH 077/145] ixgbe: disallow IPsec Tx offload when in SR-IOV mode |
5 |
|
6 |
[ Upstream commit 47b6f50077e68bcd544f657526dad4bfdce7e87d ] |
7 |
|
8 |
There seems to be a problem in the x540's internal switch wherein if SR-IOV |
9 |
mode is enabled and an offloaded IPsec packet is sent to a local VF, |
10 |
the packet is silently dropped. This might never be a problem as it is |
11 |
somewhat a corner case, but if someone happens to be using IPsec offload |
12 |
from the PF to a VF that just happens to get migrated to the local box, |
13 |
communication will mysteriously fail. |
14 |
|
15 |
Not good. |
16 |
|
17 |
A simple way to protect from this is to simply not allow any IPsec offloads |
18 |
for outgoing packets when num_vfs != 0. This doesn't help any offloads that |
19 |
were created before SR-IOV was enabled, but we'll get to that later. |
20 |
|
21 |
Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com> |
22 |
Tested-by: Andrew Bowers <andrewx.bowers@intel.com> |
23 |
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> |
24 |
Signed-off-by: Sasha Levin <sashal@kernel.org> |
25 |
--- |
26 |
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 3 +++ |
27 |
1 file changed, 3 insertions(+) |
28 |
|
29 |
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c |
30 |
index da4322e4daed..add124e0381d 100644 |
31 |
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c |
32 |
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c |
33 |
@@ -676,6 +676,9 @@ static int ixgbe_ipsec_add_sa(struct xfrm_state *xs) |
34 |
} else { |
35 |
struct tx_sa tsa; |
36 |
|
37 |
+ if (adapter->num_vfs) |
38 |
+ return -EOPNOTSUPP; |
39 |
+ |
40 |
/* find the first unused index */ |
41 |
ret = ixgbe_ipsec_find_empty_idx(ipsec, false); |
42 |
if (ret < 0) { |
43 |
-- |
44 |
2.19.1 |
45 |
|