@@ -754,10 +754,16 @@ static netdev_tx_t cp_start_xmit (struct sk_buff *skb,
eor = (entry == (CP_TX_RING_SIZE - 1)) ? RingEnd : 0;
mss = skb_shinfo(skb)->gso_size;
+ if (mss > MSSMask) {
+ WARN_ONCE(1, "Net bug: GSO size %d too large for 8139CP\n",
+ mss);
+ goto out_dma_error;
+ }
+
opts2 = cpu_to_le32(cp_tx_vlan_tag(skb));
opts1 = DescOwn;
if (mss)
- opts1 |= LargeSend | ((mss & MSSMask) << MSSShift);
+ opts1 |= LargeSend | (mss << MSSShift);
else if (skb->ip_summed == CHECKSUM_PARTIAL) {
const struct iphdr *ip = ip_hdr(skb);
if (ip->protocol == IPPROTO_TCP)
@@ -1994,6 +2000,8 @@ static int cp_init_one (struct pci_dev *pdev, const struct pci_device_id *ent)
dev->vlan_features = NETIF_F_SG | NETIF_F_IP_CSUM | NETIF_F_TSO |
NETIF_F_HIGHDMA;
+ netif_set_gso_max_size(dev, MSSMask);
+
rc = register_netdev(dev);
if (rc)
goto err_out_iomap;
The maximum MSS value we can set is 0xFFF. When fixing the TSO code I noticed we just mask the gso_size value to the hardware's maximum and don't care about the consequences. That seems... unsagacious. Instead of masking, WARN and drop the packet if it's too large. And use netif_set_gso_max_size() so it shouldn't happen in the first place. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> --- drivers/net/ethernet/realtek/8139cp.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-)