Hi Michael,

> I've received a bug report of oversized UDP packets sent to the
> bnxt_en driver for transmission. There is no check for illegal length
> in the driver and it will send a corrupted BD to the NIC if the
> non-TSO length exceeds the maximum MTU supported by the driver. This
> ultimately causes the driver to hang.
>
> Looking a little deeper, it looks like the route of the SKB was
> initially to "lo" and therefore no fragmentation was done. And it
> looks like the route later got changed to the bnxt_en dev before
> transmission. The user was doing multiple VM reboots and the bad
> length was happening on the Linux host.
>
> I can add a length check in the driver to prevent this. But is there
> a better way to prevent this in the stack? Thanks.

I hit a similar sounding issue on a bnx2x - see commit
8914a595110a6eca69a5e275b323f5d09e18f4f9

In that case, a GSO packet with gso_size too large for the firmware was
coming to the bnx2x driver from an ibmveth device via Open vSwitch. I
also toyed with a fix in the stack and ended up fixing just the driver.

I was hoping to get a generic fix in to the stack afterwards, but didn't
get anything finished. Looking back at old branches, it looks like I
considered adding MTU validation to validate_xmit_skb, but I never got
that upstream. My vague recollection is that I ended up caught by edge
cases: GSO_DODGY allows an untrusted source to set gso parameters, so
that needed to be validated first - and that was complex and potentially
slow, and I just got overtaken by more urgent work. (Note that this was
a year ago and was in many ways my introduction to TSO/GSO, so I could
be completely wrong.)

Anyway, I can send you my partial work if it would be helpful.

Regards,
Daniel