GSO where gso_size is too big for hardware

GSO where gso_size is too big for hardware

[Ben Hutchings]

Last year you applied these fixes for a potential denial-of-service in
the bnx2x driver:

commit 2b16f048729bf35e6c28a40cbfad07239f9dcd90
Author: Daniel Axtens <dja@axtens.net>
Date:   Wed Jan 31 14:15:33 2018 +1100

    net: create skb_gso_validate_mac_len()

commit 8914a595110a6eca69a5e275b323f5d09e18f4f9
Author: Daniel Axtens <dja@axtens.net>
Date:   Wed Jan 31 14:15:34 2018 +1100

    bnx2x: disable GSO where gso_size is too big for hardware

However I don't understand why the check is done only in the bnx2x
driver.  Shouldn't the networking core ensure that gso_size + L3/L4
headers is <= the device MTU?  If not, is every driver that does TSO
expected to check this?

Also, should these fixes go to stable?  I'm not sure whether you're
still handling stable patches for any of the unfixed versions (< 4.16)
now.

Ben.

-- 
Ben Hutchings, Software Developer                         Codethink Ltd
https://www.codethink.co.uk/                 Dale House, 35 Dale Street
                                     Manchester, M1 2HF, United Kingdom

Re: GSO where gso_size is too big for hardware

[Willem de Bruijn]

On Tue, Jan 22, 2019 at 11:24 AM Ben Hutchings
<ben.hutchings@codethink.co.uk> wrote:
>
> Last year you applied these fixes for a potential denial-of-service in
> the bnx2x driver:
>
> commit 2b16f048729bf35e6c28a40cbfad07239f9dcd90
> Author: Daniel Axtens <dja@axtens.net>
> Date:   Wed Jan 31 14:15:33 2018 +1100
>
>     net: create skb_gso_validate_mac_len()
>
> commit 8914a595110a6eca69a5e275b323f5d09e18f4f9
> Author: Daniel Axtens <dja@axtens.net>
> Date:   Wed Jan 31 14:15:34 2018 +1100
>
>     bnx2x: disable GSO where gso_size is too big for hardware
>
> However I don't understand why the check is done only in the bnx2x
> driver.  Shouldn't the networking core ensure that gso_size + L3/L4
> headers is <= the device MTU?  If not, is every driver that does TSO
> expected to check this?
>
> Also, should these fixes go to stable?  I'm not sure whether you're
> still handling stable patches for any of the unfixed versions (< 4.16)
> now.
>
> Ben.

Irrespective of the GSO issue, this sounds relevant to this other thread

  Stack sends oversize UDP packet to the driver
  https://www.mail-archive.com/netdev@vger.kernel.org/msg279006.html

which discusses a specific cause of larger than MTU packets and its
effect on the bnxt.

Perhaps these patches were initially applied to the bnx2x driver only,
because at the time that was the only nic known to lock up on such
packets? Either way, a device independent validation is indeed
probably preferable (independent of fixing that lo flapping root
cause).

Re: GSO where gso_size is too big for hardware

[Daniel Axtens]

Willem de Bruijn <willemdebruijn.kernel@gmail.com> writes:

> On Tue, Jan 22, 2019 at 11:24 AM Ben Hutchings
> <ben.hutchings@codethink.co.uk> wrote:
>>
>> Last year you applied these fixes for a potential denial-of-service in
>> the bnx2x driver:
>>
>> commit 2b16f048729bf35e6c28a40cbfad07239f9dcd90
>> Author: Daniel Axtens <dja@axtens.net>
>> Date:   Wed Jan 31 14:15:33 2018 +1100
>>
>>     net: create skb_gso_validate_mac_len()
>>
>> commit 8914a595110a6eca69a5e275b323f5d09e18f4f9
>> Author: Daniel Axtens <dja@axtens.net>
>> Date:   Wed Jan 31 14:15:34 2018 +1100
>>
>>     bnx2x: disable GSO where gso_size is too big for hardware
>>
>> However I don't understand why the check is done only in the bnx2x
>> driver.  Shouldn't the networking core ensure that gso_size + L3/L4
>> headers is <= the device MTU?  If not, is every driver that does TSO
>> expected to check this?
>>
>> Also, should these fixes go to stable?  I'm not sure whether you're
>> still handling stable patches for any of the unfixed versions (< 4.16)
>> now.
>>
>> Ben.
>
> Irrespective of the GSO issue, this sounds relevant to this other thread
>
>   Stack sends oversize UDP packet to the driver
>   https://www.mail-archive.com/netdev@vger.kernel.org/msg279006.html
>
> which discusses a specific cause of larger than MTU packets and its
> effect on the bnxt.
>
> Perhaps these patches were initially applied to the bnx2x driver only,
> because at the time that was the only nic known to lock up on such
> packets? Either way, a device independent validation is indeed
> probably preferable (independent of fixing that lo flapping root
> cause).

I did try to propose a more generic approach:

 1) "[PATCH 0/3] Check gso_size of packets when forwarding"
    (https://www.spinics.net/lists/netdev/msg478634.html)

In this series I looked just at forwarding, where there is a check
against regular MTU but not against GSO size. I added checks to
is_skb_forwardable and the Open vSwitch forwarding path, but in feedback
it was pointed out that I missed other ways a packet could be forwarded
such as tc-mired and bpf. A more generic approach was desired, so I
proposed:

 2) "[PATCH v2 0/4] Check size of packets before sending"
    (https://www.spinics.net/lists/netdev/msg480847.html)

This added a check to is_skb_forwardable and another check to
validate_xmit_skb. It was not considered desirable to include this as a
primary fix because it would be very hard to backport, so we included
the fix for the bnx2x card specifically instead. I think the idea was to
come back to this fix later.

I do remember then spending quite a bit of time trying to get the
generic fix sorted out after that. I remember working on the intricacies
of verifing various GSO stuff - I sent some fixes to GSO_BY_FRAGS
handling, and I know I got sidetracked by GSO_DODGY somehow as well. I
think the problem was that without dealing with dodgy, you end up with
edge cases where untrusted providers of dodgy packets can bypass a naive
length check. Anyway, then I got busy - my job at that point was mostly
support-driven and customers keep having new urgent issues! - so I
didn't get to finish it. This was about a year ago, so my recollection
may be wrong and I may have misunderstood things.

Regards,
Daniel