> -----Original Message-----
> From: Intel-wired-lan <[email protected]> On Behalf Of Simon Horman
> Sent: Friday, February 2, 2024 1:43 PM
> To: ivecera <[email protected]>
> Cc: Mateusz Palczewski <[email protected]>;
>     [email protected]; Williams, Mitch A <[email protected]>;
>     Brandeburg, Jesse <[email protected]>;
>     open list <linux-[email protected]>; Eric Dumazet <[email protected]>;
>     Nguyen, Anthony L <[email protected]>; Jeff Kirsher <[email protected]>;
>     Sylwester Dziedziuch <[email protected]>; Jakub Kicinski <[email protected]>;
>     Paolo Abeni <[email protected]>; David S. Miller <[email protected]>;
>     moderated list:INTEL ETHERNET DRIVERS <[email protected]>
> Subject: Re: [Intel-wired-lan] [PATCH net] i40e: Do not allow untrusted VF to
>     remove administratively set MAC
>
> On Wed, Jan 31, 2024 at 02:17:14PM +0100, Ivan Vecera wrote:
> > Currently when PF administratively sets VF's MAC address and the VF is
> > put down (VF tries to delete all MACs) then the MAC is removed from
> > MAC filters and primary VF MAC is zeroed.
> >
> > Do not allow untrusted VF to remove primary MAC when it was set
> > administratively by PF.
> >
> > Reproducer:
> > 1) Create VF
> > 2) Set VF interface up
> > 3) Administratively set the VF's MAC
> > 4) Put VF interface down
> >
> > [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs
> > [root@host ~]# ip link set enp2s0f0v0 up
> > [root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d
> > [root@host ~]# ip link show enp2s0f0
> > 23: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
> >     link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff
> >     vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off
> > [root@host ~]# ip link set enp2s0f0v0 down
> > [root@host ~]# ip link show enp2s0f0
> > 23: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
> >     link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff
> >     vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off
> >
> > Fixes: 700bbf6c1f9e ("i40e: allow VF to remove any MAC filter")
> > Fixes: ceb29474bbbc ("i40e: Add support for VF to specify its primary MAC address")
> > Signed-off-by: Ivan Vecera <[email protected]>
>
> Thanks Ivan,
>
> Reviewed-by: Simon Horman <[email protected]>
Tested-by: Rafal Romanowski <[email protected]>
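
The reproducer quoted above can be turned into a repeatable check. The following is an added example, not part of this thread or of the i40e sources: it compares two captures of `ip link show <pf>` and reports untrusted VFs whose MAC went from a set value to all zeroes. The function names `vf_macs` and `lost_admin_macs` are hypothetical, and the check assumes the first capture was taken right after the PF set the VF MAC.

```shell
#!/bin/sh
# Added example. Sample text is the `ip link show enp2s0f0` output from the
# reproducer in the quoted commit message (VF up, then VF down).
SAMPLE_UP='23: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff
    vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off'
SAMPLE_DOWN='23: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff
    vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off'

# vf_macs: read `ip link show <pf>` output on stdin and print one line per VF:
# "<vf index> <mac> <trust>". The PF's own link/ether line is skipped.
vf_macs() {
    awk '$1 == "vf" && $3 == "link/ether" {
        trust = "unknown"
        for (i = 1; i < NF; i++) if ($i == "trust") trust = $(i + 1)
        sub(/,$/, "", trust)
        print $2, $4, trust
    }'
}

# lost_admin_macs BEFORE_TEXT AFTER_TEXT
# Prints every VF that is untrusted, had a non-zero MAC in BEFORE_TEXT and has
# an all-zero MAC in AFTER_TEXT. Returns 1 if any such VF is found, else 0.
# Trusted VFs are not reported: the commit message restricts only untrusted VFs.
lost_admin_macs() {
    {
        printf '%s\n' "$1" | vf_macs | sed 's/^/before /'
        printf '%s\n' "$2" | vf_macs | sed 's/^/after /'
    } | awk -v zero="00:00:00:00:00:00" '
        $1 == "before" { mac[$2] = $3; trust[$2] = $4; next }
        ($2 in mac) && trust[$2] == "off" && mac[$2] != zero && $3 == zero {
            print "vf " $2 ": " mac[$2] " -> " $3
            bad = 1
        }
        END { exit bad + 0 }'
}

# Demo on the embedded samples; on a live host pass "$(ip link show <pf>)"
# captured before and after `ip link set <vf netdev> down`.
lost_admin_macs "$SAMPLE_UP" "$SAMPLE_DOWN" || echo "administratively set MAC was lost"
```
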
