ACK: [SRU][X][PATCH v2 2/2] bnx2x: disable GSO where gso_size is too big for hardware

Colin Ian King colin.king at canonical.com
Mon Feb 26 11:04:04 UTC 2018


On 26/02/18 01:51, Daniel Axtens wrote:
> From: Daniel Axtens <dja at axtens.net>
> 
> BugLink: https://bugs.launchpad.net/bugs/1715519
> CVE-2018-1000026
> 
> If a bnx2x card is passed a GSO packet with a gso_size larger than
> ~9700 bytes, it will cause a firmware error that will bring the card
> down:
> 
> bnx2x: [bnx2x_attn_int_deasserted3:4323(enP24p1s0f0)]MC assert!
> bnx2x: [bnx2x_mc_assert:720(enP24p1s0f0)]XSTORM_ASSERT_LIST_INDEX 0x2
> bnx2x: [bnx2x_mc_assert:736(enP24p1s0f0)]XSTORM_ASSERT_INDEX 0x0 = 0x00000000 0x25e43e47 0x00463e01 0x00010052
> bnx2x: [bnx2x_mc_assert:750(enP24p1s0f0)]Chip Revision: everest3, FW Version: 7_13_1
> ... (dump of values continues) ...
> 
> Detect when the mac length of a GSO packet is greater than the maximum
> packet size (9700 bytes) and disable GSO.
> 
> Signed-off-by: Daniel Axtens <dja at axtens.net>
> Reviewed-by: Eric Dumazet <edumazet at google.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (cherry picked from commit 8914a595110a6eca69a5e275b323f5d09e18f4f9)
> [nb: the reference to BY_FRAGS does not apply here, it was added in
>      4.8]
> Signed-off-by: Daniel Axtens <daniel.axtens at canonical.com>
> ---
>  drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 18 ++++++++++++++++++
>  1 file changed, 18 insertions(+)
> 
> diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
> index 657bdbfada01..433c12e41682 100644
> --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
> +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
> @@ -12809,6 +12809,24 @@ static netdev_features_t bnx2x_features_check(struct sk_buff *skb,
>  					      struct net_device *dev,
>  					      netdev_features_t features)
>  {
> +	/*
> +	 * A skb with gso_size + header length > 9700 will cause a
> +	 * firmware panic. Drop GSO support.
> +	 *
> +	 * Eventually the upper layer should not pass these packets down.
> +	 *
> +	 * For speed, if the gso_size is <= 9000, assume there will
> +	 * not be 700 bytes of headers and pass it through. Only do a
> +	 * full (slow) validation if the gso_size is > 9000.
> +	 *
> +	 * (Due to the way SKB_BY_FRAGS works this will also do a full
> +	 * validation in that case.)
> +	 */
> +	if (unlikely(skb_is_gso(skb) &&
> +		     (skb_shinfo(skb)->gso_size > 9000) &&
> +		     !skb_gso_validate_mac_len(skb, 9700)))
> +		features &= ~NETIF_F_GSO_MASK;
> +
>  	features = vlan_features_check(skb, features);
>  	return vxlan_features_check(skb, features);
>  }
> 
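Review bot: the last paragraph of the new comment block, "(Due to the way SKB_BY_FRAGS works this will also do a full validation in that case.)", is carried over unchanged even though the commit message notes that the BY_FRAGS reference does not apply to this tree because it was added in 4.8. Consider dropping that paragraph in the backport so the comment describes only behaviour that exists here. Separately, 9000 and 9700 appear as bare literals in both the comment and the condition; named constants would keep the fast-path threshold and the hardware limit from drifting apart, though for a cherry-pick it may be preferable to stay identical to upstream.
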
Thanks for the fix, looks OK to me.

Acked-by: Colin Ian King <colin.king at canonical.com>



