diff --git a/drivers/net/sfc/efx.h b/drivers/net/sfc/efx.h
index 8141c76..dc0bd22 100644
--- a/drivers/net/sfc/efx.h
+++ b/drivers/net/sfc/efx.h
@@ -45,6 +45,9 @@ extern void efx_wake_queue(struct efx_nic *efx);
 #define EFX_TXQ_SIZE EFX_DEFAULT_DMAQ_SIZE
 #define EFX_TXQ_MASK (EFX_TXQ_SIZE - 1)
 
+/* Maximum number of TCP segments we support for soft-TSO */
+#define EFX_TSO_MAX_SEGS	100
+
 /* RX */
 extern int efx_probe_rx_queue(struct efx_rx_queue *rx_queue);
 extern void efx_remove_rx_queue(struct efx_rx_queue *rx_queue);
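Review bot: The comment on `EFX_TSO_MAX_SEGS` does not say why 100 was chosen or how it relates to `EFX_TXQ_SIZE`, defined a few lines above it. The check that uses it in tx.c exists so that a TSO skb always fits in the TX queue, so the bound presumably depends on the queue size and on the descriptors needed per segment. If the queue size is ever reduced, the limit could silently stop holding. I would extend the comment to state the constraint, e.g. `/* Maximum number of TCP segments we support for soft-TSO; must be low enough that a maximally segmented skb still fits in EFX_TXQ_SIZE descriptors */`, and consider a `BUILD_BUG_ON()` that ties the two values together once the per-segment descriptor cost is written down.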
diff --git a/drivers/net/sfc/tx.c b/drivers/net/sfc/tx.c
index 585772b..7fdbf78 100644
--- a/drivers/net/sfc/tx.c
+++ b/drivers/net/sfc/tx.c
@@ -1072,6 +1072,21 @@ static int efx_enqueue_skb_tso(struct efx_tx_queue *tx_queue,
 	int frag_i, rc, rc2 = NETDEV_TX_OK;
 	struct tso_state state;
 
+	/* Since the stack does not limit the number of segments per
+	 * skb, we must do so.  Otherwise an attacker may be able to
+	 * make the TCP produce skbs that will never fit in our TX
+	 * queue, causing repeated resets.
+	 */
+	if (unlikely(skb_shinfo(skb)->gso_segs > EFX_TSO_MAX_SEGS)) {
+		unsigned int excess =
+			(skb_shinfo(skb)->gso_segs - EFX_TSO_MAX_SEGS) *
+			skb_shinfo(skb)->gso_size;
+		if (__pskb_trim(skb, skb->len - excess)) {
+			dev_kfree_skb_any(skb);
+			return NETDEV_TX_OK;
+		}
+	}
+
 	/* Find the packet protocol and sanity-check it */
 	state.protocol = efx_tso_check_protocol(skb);
 
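Review bot: The subtraction `skb->len - excess` passed to `__pskb_trim()` is not guarded against `excess` being greater than or equal to `skb->len`. It is safe only if `gso_segs` and `gso_size` are consistent with the skb's real length, which nothing in this hunk verifies. Since the added comment treats the segment count as attacker-influenced, I would reject that case explicitly: `if (excess >= skb->len || __pskb_trim(skb, skb->len - excess)) {`. Separately, `skb_shinfo(skb)->gso_segs` keeps its old value after a successful trim, and the drop path returns `NETDEV_TX_OK` without a counter or rate-limited log, so trimmed or dropped packets are invisible to an operator. Whether later code reads `gso_segs` cannot be seen here, because efx_enqueue_skb_tso() begins and continues outside the hunk.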
