From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Manish Chopra, Ariel Elior, "David S. Miller"
Subject: [PATCH 5.16 0096/1017] qed: validate and restrict untrusted VFs vlan promisc mode
Date: Tue, 5 Apr 2022 09:16:49 +0200
Message-Id: <20220405070357.046215659@linuxfoundation.org>
In-Reply-To: <20220405070354.155796697@linuxfoundation.org>
References: <20220405070354.155796697@linuxfoundation.org>

From: Manish Chopra

commit cbcc44db2cf7b836896733acc0e5ea966136ed22 upstream.

Today when VFs are put in promiscuous mode, they can request PF to
configure device for them to receive all VLANs traffic regardless of
what vlan is configured by the PF (via ip link) and PF allows this
config request regardless of whether VF is trusted or not.

From security POV, when VLAN is configured for VF through PF (via ip
link), honour such config requests from VF only when they are
configured to be trusted, otherwise restrict such VFs' vlan promisc
mode config.

Cc: stable@vger.kernel.org
Fixes: f990c82c385b ("qed*: Add support for ndo_set_vf_trust")
Signed-off-by: Manish Chopra
Signed-off-by: Ariel Elior
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/qlogic/qed/qed_sriov.c | 28 ++++++++++++++++++++++++++-- drivers/net/ethernet/qlogic/qed/qed_sriov.h | 1 + 2 files changed, 27 insertions(+), 2 deletions(-) --- a/drivers/net/ethernet/qlogic/qed/qed_sriov.c +++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.c @@ -2984,12 +2984,16 @@ static int qed_iov_pre_update_vport(stru u8 mask = QED_ACCEPT_UCAST_UNMATCHED | QED_ACCEPT_MCAST_UNMATCHED; struct qed_filter_accept_flags *flags = ¶ms->accept_flags; struct qed_public_vf_info *vf_info; + u16 tlv_mask; + + tlv_mask = BIT(QED_IOV_VP_UPDATE_ACCEPT_PARAM) | + BIT(QED_IOV_VP_UPDATE_ACCEPT_ANY_VLAN); /* Untrusted VFs can't even be trusted to know that fact. * Simply indicate everything is configured fine, and trace * configuration 'behind their back'. */ - if (!(*tlvs & BIT(QED_IOV_VP_UPDATE_ACCEPT_PARAM))) + if (!(*tlvs & tlv_mask)) return 0; vf_info = qed_iov_get_public_vf_info(hwfn, vfid, true); @@ -3006,6 +3010,13 @@ static int qed_iov_pre_update_vport(stru flags->tx_accept_filter &= ~mask; } + if (params->update_accept_any_vlan_flg) { + vf_info->accept_any_vlan = params->accept_any_vlan; + + if (vf_info->forced_vlan && !vf_info->is_trusted_configured) + params->accept_any_vlan = false; + } + return 0; } @@ -5150,6 +5161,12 @@ static void qed_iov_handle_trust_change( params.update_ctl_frame_check = 1; params.mac_chk_en = !vf_info->is_trusted_configured; + params.update_accept_any_vlan_flg = 0; + + if (vf_info->accept_any_vlan && vf_info->forced_vlan) { + params.update_accept_any_vlan_flg = 1; + params.accept_any_vlan = vf_info->accept_any_vlan; + } if (vf_info->rx_accept_mode & mask) { flags->update_rx_mode_config = 1; 
@@ -5165,13 +5182,20 @@ static void qed_iov_handle_trust_change( if (!vf_info->is_trusted_configured) { flags->rx_accept_filter &= ~mask; flags->tx_accept_filter &= ~mask; + params.accept_any_vlan = false; } if (flags->update_rx_mode_config || flags->update_tx_mode_config || - params.update_ctl_frame_check) + params.update_ctl_frame_check || + params.update_accept_any_vlan_flg) { + DP_VERBOSE(hwfn, QED_MSG_IOV, + "vport update config for %s VF[abs 0x%x rel 0x%x]\n", + vf_info->is_trusted_configured ? "trusted" : "untrusted", + vf->abs_vf_id, vf->relative_vf_id); qed_sp_vport_update(hwfn, ¶ms, QED_SPQ_MODE_EBLOCK, NULL); + } } } --- a/drivers/net/ethernet/qlogic/qed/qed_sriov.h +++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.h @@ -62,6 +62,7 @@ struct qed_public_vf_info { bool is_trusted_request; u8 rx_accept_mode; u8 tx_accept_mode; + bool accept_any_vlan; }; struct qed_iov_vf_init_params {
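Review bot: in the first qed_iov_pre_update_vport() hunk, the comment kept above the early return ("Simply indicate everything is configured fine, and trace configuration 'behind their back'") still only describes the accept-params case, while the check now also covers BIT(QED_IOV_VP_UPDATE_ACCEPT_ANY_VLAN) via `tlv_mask`; extend the comment so a reader knows the accept-any-vlan request of an untrusted VF is traced and silently overridden in the same way.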
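Review bot: in the `update_accept_any_vlan_flg` block of the second qed_iov_pre_update_vport() hunk, `vf_info->accept_any_vlan` deliberately records the VF's request before it is overridden, so that a later trust change can replay it; that intent deserves a one-line comment, since at first glance it looks like the stored and programmed values disagree. The restriction is also gated on `vf_info->forced_vlan` being non-zero, so an untrusted VF with no PF-assigned VLAN can still enable accept-any-vlan; this matches the commit message ("when VLAN is configured for VF through PF"), but saying so in a comment would stop it being read as an oversight.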
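Review bot: in the qed_iov_handle_trust_change() hunk after `params.mac_chk_en`, the assignment `params.accept_any_vlan = vf_info->accept_any_vlan;` sits inside `if (vf_info->accept_any_vlan && vf_info->forced_vlan)`, so it always assigns true; `params.accept_any_vlan = true;` would make the intent plainer unless the symmetry with the flag is deliberate. The explicit `params.update_accept_any_vlan_flg = 0;` is only needed if `params` is not already zeroed earlier in the function; the hunk's context does not show that, so it is worth confirming rather than relying on the redundant store.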
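Review bot: in the last qed_sriov.c hunk, the new DP_VERBOSE dereferences `vf->abs_vf_id` and `vf->relative_vf_id`, but `vf` does not appear in this hunk's context lines (only `vf_info` does), so check it is the per-VF `struct qed_vf_info` the function already looks up before this point. The message itself is a useful audit line for operators tracking trust flips on a VF, with the caveat that it is gated on the QED_MSG_IOV debug mask and so is not emitted by default. Setting `params.accept_any_vlan = false` in the `!is_trusted_configured` branch only has effect when `update_accept_any_vlan_flg` was set in the earlier block; a short comment tying the two together would help.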
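Review bot: in the qed_sriov.h hunk, the new `bool accept_any_vlan;` in struct qed_public_vf_info stores the VF's last request, not the value actually programmed (the PF may override it), which the bare field name does not convey; add a brief comment. Also confirm the field is cleared wherever the public VF info is reset on VF release, since this hunk adds no initialisation and a stale request could otherwise be replayed on the next trust change.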