[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <874la1r0io.fsf@linkitivity.dja.id.au>
Date: Tue, 22 Jan 2019 11:36:47 +1100
From: Daniel Axtens <dja@...ens.net>
To: Michael Chan <michael.chan@...adcom.com>,
Netdev <netdev@...r.kernel.org>,
David Miller <davem@...emloft.net>
Subject: Re: Stack sends oversize UDP packet to the driver
Hi Michael,
> I've received a bug report of oversized UDP packets sent to the
> bnxt_en driver for transmission. There is no check for illegal length
> in the driver and it will send a corrupted BD to the NIC if the
> non-TSO length exceeds the maximum MTU supported by the driver. This
> ultimately causes the driver to hang.
>
> Looking a little deeper, it looks like the route of the SKB was
> initially to "lo" and therefore no fragmentation was done. And it
> looks like the route later got changed to the bnxt_en dev before
> transmission. The user was doing multiple VM reboots and the bad
> length was happening on the Linux host.
>
> I can add a length check in the driver to prevent this. But is there
> a better way to prevent this in the stack? Thanks.
I hit a similar sounding issue on a bnx2x - see commit
8914a595110a6eca69a5e275b323f5d09e18f4f9
In that case, a GSO packet with gso_size too large for the firmware was
coming to the bnx2x driver from an ibmveth device via Open vSwitch. I
also toyed with a fix in the stack and ended up fixing just the driver.
I was hoping to get a generic fix in to the stack afterwards, but didn't
get anything finished. Looking back at old branches, it looks like I
considered adding MTU validation to validate_xmit_skb, but I never got
that upstream. My vague recollection is that I ended up caught by edge
cases: GSO_DODGY allows an untrusted source to set gso parameters, so
that needed to be validated first - and that was complex and potentially
slow, and I just got overtaken by more urgent work. (Note that this was
a year ago and was in many ways my introduction to TSO/GSO, so I could
be completely wrong.) Anyway, I can send you my partial work if it would
be helpful.
Regards,
Daniel
Powered by blists - more mailing lists