From: Daniel Axtens <dja@axtens.net>
To: Michael Chan <michael.chan@broadcom.com>,
Netdev <netdev@vger.kernel.org>,
David Miller <davem@davemloft.net>
Subject: Re: Stack sends oversize UDP packet to the driver
Date: Tue, 22 Jan 2019 11:36:47 +1100 [thread overview]
Message-ID: <874la1r0io.fsf@linkitivity.dja.id.au> (raw)
In-Reply-To: <CACKFLim91WB__vrki_MtpZ5Evg7aDcV=ojgOMPPufVc2syJHOA@mail.gmail.com>
Hi Michael,
> I've received a bug report of oversized UDP packets sent to the
> bnxt_en driver for transmission. There is no check for illegal length
> in the driver and it will send a corrupted BD to the NIC if the
> non-TSO length exceeds the maximum MTU supported by the driver. This
> ultimately causes the driver to hang.
>
> Looking a little deeper, it looks like the route of the SKB was
> initially to "lo" and therefore no fragmentation was done. And it
> looks like the route later got changed to the bnxt_en dev before
> transmission. The user was doing multiple VM reboots and the bad
> length was happening on the Linux host.
>
> I can add a length check in the driver to prevent this. But is there
> a better way to prevent this in the stack? Thanks.
I hit a similar sounding issue on a bnx2x - see commit
8914a595110a6eca69a5e275b323f5d09e18f4f9
In that case, a GSO packet with gso_size too large for the firmware was
coming to the bnx2x driver from an ibmveth device via Open vSwitch. I
also toyed with a fix in the stack and ended up fixing just the driver.
I was hoping to get a generic fix in to the stack afterwards, but didn't
get anything finished. Looking back at old branches, it looks like I
considered adding MTU validation to validate_xmit_skb, but I never got
that upstream. My vague recollection is that I ended up caught by edge
cases: GSO_DODGY allows an untrusted source to set gso parameters, so
that needed to be validated first - and that was complex and potentially
slow, and I just got overtaken by more urgent work. (Note that this was
a year ago and was in many ways my introduction to TSO/GSO, so I could
be completely wrong.) Anyway, I can send you my partial work if it would
be helpful.
Regards,
Daniel
next prev parent reply other threads:[~2019-01-22 0:36 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-20 22:26 Stack sends oversize UDP packet to the driver Michael Chan
2019-01-22 0:36 ` Daniel Axtens [this message]
2019-01-22 0:59 ` Michael Chan
2019-01-22 18:28 ` Mahesh Bandewar (महेश बंडेवार)
2019-01-22 20:09 ` David Miller
2019-01-30 9:07 ` Michael Chan
2019-01-31 1:00 ` Mahesh Bandewar (महेश बंडेवार)
2019-02-05 19:35 ` Michael Chan
2019-02-07 4:51 ` Mahesh Bandewar (महेश बंडेवार)
2019-02-08 20:26 ` Mahesh Bandewar (महेश बंडेवार)
2019-02-12 8:55 ` Michael Chan
[not found] ` <CAF2d9jgskHTb-nmbVo9A2CQhh9T3OnH_vbfGcMBii13oq1teCw@mail.gmail.com>
2019-01-22 0:45 ` Michael Chan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874la1r0io.fsf@linkitivity.dja.id.au \
--to=dja@axtens.net \
--cc=davem@davemloft.net \
--cc=michael.chan@broadcom.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).