From patchwork Mon Feb 12 04:42:00 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Axtens X-Patchwork-Id: 871883 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 3zftMB6Z1cz9t32; Mon, 12 Feb 2018 15:42:46 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1el5wx-0002Sh-FQ; Mon, 12 Feb 2018 04:42:43 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.86_2) (envelope-from ) id 1el5ww-0002S9-E5 for kernel-team@lists.canonical.com; Mon, 12 Feb 2018 04:42:42 +0000 Received: from mail-pl0-f72.google.com ([209.85.160.72]) by youngberry.canonical.com with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1el5ww-00028r-2A for kernel-team@lists.canonical.com; Mon, 12 Feb 2018 04:42:42 +0000 Received: by mail-pl0-f72.google.com with SMTP id h33so5844204plh.19 for ; Sun, 11 Feb 2018 20:42:41 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=e+T3sOAhnVx6mT3wemnOpTUCc27OEFdHQiely6EiOeU=; b=KWYEoyGzZjhQCUS1PkMN4lEOB8HCeiYVj8TkPfXNUKpqxUr8PWsMuoYk26xhzl8HsF clS3MJu6qw2tfakrgzWJEX6pcZkh2jZJ0LTcENmjLGalteyqb6HY5PySkANnSYPVTXaO 1Hu5zoEKw6oO8TYFmdlAW4jj7z19kehzAMKh8vnVW+Otyeev9thruRE181fPfqC/C5mI 2+c3mCijlGar5CRqgyGFCvmjxnDw9/ScoIZNhflSyGwTpDhazkglbK/SgbBKs+HxWsHx xz4GyIFwx1Sk4L7L1U0LuU3ntnfvIDqvGnwMOhQXeKicm/ktmrBPNmqa8ZpRijrnUmOX jETQ== X-Gm-Message-State: APf1xPCkVKme/v3L4bW3Q8FzJippBuSWotN/fT+VUA+43Dh07i5rpGcA NsJ2siBp3UA0qWyNwrsDDZbyNRlg06TEc1RRZ7ARGTzviDnYp0ywZpTv6dxpChCv+yby4Eb3yb2 /8FIWSAEDjhRfMdLL3yySl5XEGIzpjQsEH9H+0ewFNE3Wdpx6 X-Received: by 10.98.139.26 with SMTP id j26mr10577576pfe.4.1518410560702; Sun, 11 Feb 2018 20:42:40 -0800 (PST) X-Google-Smtp-Source: AH8x226ugVYDmq0n6xWMph1RU2Mppmf/cFLkcIYNORl6XwY5XTObOAKo4k7/yDFHt4v4WFQT+vjHug== X-Received: by 10.98.139.26 with SMTP id j26mr10577564pfe.4.1518410560477; Sun, 11 Feb 2018 20:42:40 -0800 (PST) Received: from localhost.localdomain ([2001:67c:1560:8007::aac:c356]) by smtp.gmail.com with ESMTPSA id z8sm16229098pgc.64.2018.02.11.20.42.37 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 11 Feb 2018 20:42:39 -0800 (PST) From: Daniel Axtens To: kernel-team@lists.canonical.com Subject: [SRU][X][PATCH 2/2] bnx2x: disable GSO where gso_size is too big for hardware Date: Mon, 12 Feb 2018 15:42:00 +1100 Message-Id: <20180212044200.15745-3-daniel.axtens@canonical.com> X-Mailer: git-send-email 2.14.1 In-Reply-To: <20180212044200.15745-1-daniel.axtens@canonical.com> References: <20180212044200.15745-1-daniel.axtens@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Daniel Axtens BugLink: https://bugs.launchpad.net/bugs/1715519 CVE-2018-1000026 If a bnx2x card is passed a GSO packet with a gso_size larger than ~9700 bytes, it will cause a firmware error that will bring the card down: bnx2x: [bnx2x_attn_int_deasserted3:4323(enP24p1s0f0)]MC assert! bnx2x: [bnx2x_mc_assert:720(enP24p1s0f0)]XSTORM_ASSERT_LIST_INDEX 0x2 bnx2x: [bnx2x_mc_assert:736(enP24p1s0f0)]XSTORM_ASSERT_INDEX 0x0 = 0x00000000 0x25e43e47 0x00463e01 0x00010052 bnx2x: [bnx2x_mc_assert:750(enP24p1s0f0)]Chip Revision: everest3, FW Version: 7_13_1 ... (dump of values continues) ... Detect when the mac length of a GSO packet is greater than the maximum packet size (9700 bytes) and disable GSO. Signed-off-by: Daniel Axtens Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller (cherry picked from commit 8914a595110a6eca69a5e275b323f5d09e18f4f9) [nb: the reference to BY_FRAGS does not apply here, it was added in 4.8] Signed-off-by: Daniel Axtens --- drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c index 657bdbfada01..433c12e41682 100644 --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c @@ -12809,6 +12809,24 @@ static netdev_features_t bnx2x_features_check(struct sk_buff *skb, struct net_device *dev, netdev_features_t features) { + /* + * A skb with gso_size + header length > 9700 will cause a + * firmware panic. Drop GSO support. + * + * Eventually the upper layer should not pass these packets down. + * + * For speed, if the gso_size is <= 9000, assume there will + * not be 700 bytes of headers and pass it through. Only do a + * full (slow) validation if the gso_size is > 9000. + * + * (Due to the way SKB_BY_FRAGS works this will also do a full + * validation in that case.) + */ + if (unlikely(skb_is_gso(skb) && + (skb_shinfo(skb)->gso_size > 9000) && + !skb_gso_validate_mac_len(skb, 9700))) + features &= ~NETIF_F_GSO_MASK; + features = vlan_features_check(skb, features); return vxlan_features_check(skb, features); }