From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <vladz@cloudius-systems.com>
Received: from mail-wi0-f173.google.com (mail-wi0-f173.google.com
 [209.85.212.173]) by dpdk.org (Postfix) with ESMTP id F34357EB0
 for <dev@dpdk.org>; Fri, 25 Sep 2015 14:28:34 +0200 (CEST)
Received: by wicgb1 with SMTP id gb1so18271528wic.1
 for <dev@dpdk.org>; Fri, 25 Sep 2015 05:28:34 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:in-reply-to:references:date
 :message-id:subject:from:to:cc:content-type;
 bh=Ucet+crf+JVfLU4suy+SzjvUYQbmyHZDS38djhsWH9g=;
 b=ayrHibLrqlzaVYL7QXzUHFSaX+0y4Ob/Cu+Cn8q59Ew+h9v/837YMTMQabmYm7Kz6z
 ZlQgE1R2EUq7wmLZLW6zAWb9+Wl+ikOpIXwxaVeCHWYj+mkPAl8x/7qL0FDOdVN7gCZA
 21pbxE8e2NK43yvghVFWG4Q7Bzqko/F7mWfYyPiHYSTso7HFkXVQtUcy3+SeLlInsMN3
 KMqjim4KPFZBQM9Vj1nTDR9Y/q0wKyVCXbtfD9E352rtUE9lJ68hbeOyzDrZeKeOkcrA
 DWktH7bye5CqBjQG/2JJHHfnD3jtbeneipeMafN246rExzGDU6xE3OEiZCo9/yLB5CKL
 Uo4A==
X-Gm-Message-State: ALoCoQmyKe5XRvQQwWjwe6wrSS9HcGQhZEXxV1THNwJvIVpJYZaFIQ0OH4qdBHNMeVJUvKb2X05W
MIME-Version: 1.0
X-Received: by 10.194.48.102 with SMTP id k6mr6733926wjn.124.1443184114759;
 Fri, 25 Sep 2015 05:28:34 -0700 (PDT)
Received: by 10.194.83.106 with HTTP; Fri, 25 Sep 2015 05:28:34 -0700 (PDT)
Received: by 10.194.83.106 with HTTP; Fri, 25 Sep 2015 05:28:34 -0700 (PDT)
In-Reply-To: <1443170678-7249-1-git-send-email-jingjing.wu@intel.com>
References: <1443170678-7249-1-git-send-email-jingjing.wu@intel.com>
Date: Fri, 25 Sep 2015 15:28:34 +0300
Message-ID: <CAOYyTHag3u+6TiCQieT7zRCDgAi77EOrFz9BJP5oGocR8K3wTQ@mail.gmail.com>
From: Vladislav Zolotarov <vladz@cloudius-systems.com>
To: Jingjing Wu <jingjing.wu@intel.com>
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.15
Cc: dev@dpdk.org, yulong.pei@intel.com
Subject: Re: [dpdk-dev] [PATCH] i40e: workaround for Security issue in
	SR-IOV mode
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches and discussions about DPDK <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Sep 2015 12:28:35 -0000

On Sep 25, 2015 11:44 AM, "Jingjing Wu" <jingjing.wu@intel.com> wrote:
>
> In SR-IOV mode a VF sending LFC or PFC would throttle the entire port.
> The workaround is to add a filter to drop pause frames from VFs from
> sending pause frames.

This is a very strange approach - this would silently disable the Tx FC
while a user would think it's enabled. Wouldn't the right approach be to
let the user decide weather to enable this feature or even better - allow
PF to disable this feature in the VF?

>
> Signed-off-by: Jingjing Wu <jingjing.wu@intel.com>
> ---
>  drivers/net/i40e/i40e_ethdev.c | 30 ++++++++++++++++++++++++++++++
>  1 file changed, 30 insertions(+)
>
> diff --git a/drivers/net/i40e/i40e_ethdev.c
b/drivers/net/i40e/i40e_ethdev.c
> index 2dd9fdc..6cc2172 100644
> --- a/drivers/net/i40e/i40e_ethdev.c
> +++ b/drivers/net/i40e/i40e_ethdev.c
> @@ -382,6 +382,30 @@ static inline void i40e_flex_payload_reg_init(struct
i40e_hw *hw)
>         I40E_WRITE_REG(hw, I40E_GLQF_PIT(17), 0x00007440);
>  }
>
> +#define I40E_FLOW_CONTROL_ETHERTYPE  0x8808
> +
> +/*
> + * Add a ethertype filter to drop all flow control frames transimited
> + * from VSIs.
> +*/
> +static void
> +i40e_add_tx_flow_control_drop_filter(struct i40e_pf *pf)
> +{
> +       struct i40e_hw *hw = I40E_PF_TO_HW(pf);
> +       uint16_t flags = I40E_AQC_ADD_CONTROL_PACKET_FLAGS_IGNORE_MAC |
> +                       I40E_AQC_ADD_CONTROL_PACKET_FLAGS_DROP |
> +                       I40E_AQC_ADD_CONTROL_PACKET_FLAGS_TX;
> +       int ret;
> +
> +       ret = i40e_aq_add_rem_control_packet_filter(hw, NULL,
> +                               I40E_FLOW_CONTROL_ETHERTYPE, flags,
> +                               pf->main_vsi_seid, 0,
> +                               TRUE, NULL, NULL);
> +       if (ret)
> +               PMD_INIT_LOG(ERR, "Failed to add filter to drop flow
control "
> +                                 " frames from VSIs.");
> +}
> +
>  static int
>  eth_i40e_dev_init(struct rte_eth_dev *dev)
>  {
> @@ -584,6 +608,12 @@ eth_i40e_dev_init(struct rte_eth_dev *dev)
>
>         /* enable uio intr after callback register */
>         rte_intr_enable(&(pci_dev->intr_handle));
> +       /*
> +        * Add a ethertype filter to drop all flow control frames
transimited
> +        * from VSIs. This is used to workaround the issue -- in SR-IOV
mode
> +        * where a VF sending LFC or PFC would throttle the entire port.
> +        */
> +       i40e_add_tx_flow_control_drop_filter(pf);
>
>         /* initialize mirror rule list */
>         TAILQ_INIT(&pf->mirror_list);
> --
> 2.4.0
>