From patchwork Mon Feb 12 04:43:36 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Axtens X-Patchwork-Id: 871886 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 3zftP535k9z9t20; Mon, 12 Feb 2018 15:44:25 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1el5yX-0002gW-AI; Mon, 12 Feb 2018 04:44:21 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.86_2) (envelope-from ) id 1el5yV-0002eN-IZ for kernel-team@lists.canonical.com; Mon, 12 Feb 2018 04:44:19 +0000 Received: from mail-it0-f70.google.com ([209.85.214.70]) by youngberry.canonical.com with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1el5yV-0002Lm-8O for kernel-team@lists.canonical.com; Mon, 12 Feb 2018 04:44:19 +0000 Received: by mail-it0-f70.google.com with SMTP id w125so5274315itf.0 for ; Sun, 11 Feb 2018 20:44:19 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=RSgbG0qefFJtqVM2rDOlUM7gDofC5CShHBsLDJF1sBc=; b=bIBBIBZg1ZoTpFviDyluaOnNl/3BgLk8k5Jg4SF87ruXcL+MX1LmP2Eanm6ZiU+u+h WURhky9HgIjf+Gq1OBmVyHGN+99XpwLqepYmgAIrQihZpEWPnDveLv74z6+U9KsALsHD I53noBhWGapB/PzZL2E8nlR8hGvaKtfdXYbh4egmWnLGhU7UKcFNAmpsT9Tx4Hy683/M catN21d+fljbGjX5vuIskaV+Z+Hd9QcBcbtgfWTtoSauKkprcniXlmtdQ59+zdcklBmz 30raKPFGe4lLMXKMZ7eaqJodh4KYXydMKzKO8VtVGwvDTzs85zulUe+zT6GehIn+okOy 4bxA== X-Gm-Message-State: APf1xPDGocj0IzvPsX6RoUM8A0pbXKCui2Z8L2biE737WXm5EUQGydu4 LgMUbyX75s9vVR5Xo0QBv+2X+s0NgMcW2nNh42PSghqyqEq/M6K1QhLs1cOdTihzTkrcJTUh6Ny YpXJgg2Xj5S+/E6zCRvO9axnqZ+2/3CZt30+cNZN2crDnPwqu X-Received: by 10.107.52.16 with SMTP id b16mr12452179ioa.103.1518410658180; Sun, 11 Feb 2018 20:44:18 -0800 (PST) X-Google-Smtp-Source: AH8x226mtNyLbaHkeQ0KRELONQDoXy3Pa+1QpTHMhNMWS2XwRy2sb/iR/DS6bhMiS7+oE+AC2aDCww== X-Received: by 10.107.52.16 with SMTP id b16mr12452173ioa.103.1518410657997; Sun, 11 Feb 2018 20:44:17 -0800 (PST) Received: from localhost.localdomain ([2001:67c:1560:8007::aac:c356]) by smtp.gmail.com with ESMTPSA id s70sm5885412itb.0.2018.02.11.20.44.14 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 11 Feb 2018 20:44:17 -0800 (PST) From: Daniel Axtens To: kernel-team@lists.canonical.com Subject: [B/SRU A][PATCH 2/2] bnx2x: disable GSO where gso_size is too big for hardware Date: Mon, 12 Feb 2018 15:43:36 +1100 Message-Id: <20180212044336.15951-3-daniel.axtens@canonical.com> X-Mailer: git-send-email 2.14.1 In-Reply-To: <20180212044336.15951-1-daniel.axtens@canonical.com> References: <20180212044336.15951-1-daniel.axtens@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Daniel Axtens BugLink: https://bugs.launchpad.net/bugs/1715519 CVE-2018-1000026 If a bnx2x card is passed a GSO packet with a gso_size larger than ~9700 bytes, it will cause a firmware error that will bring the card down: bnx2x: [bnx2x_attn_int_deasserted3:4323(enP24p1s0f0)]MC assert! bnx2x: [bnx2x_mc_assert:720(enP24p1s0f0)]XSTORM_ASSERT_LIST_INDEX 0x2 bnx2x: [bnx2x_mc_assert:736(enP24p1s0f0)]XSTORM_ASSERT_INDEX 0x0 = 0x00000000 0x25e43e47 0x00463e01 0x00010052 bnx2x: [bnx2x_mc_assert:750(enP24p1s0f0)]Chip Revision: everest3, FW Version: 7_13_1 ... (dump of values continues) ... Detect when the mac length of a GSO packet is greater than the maximum packet size (9700 bytes) and disable GSO. Signed-off-by: Daniel Axtens Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller (cherry picked from commit 8914a595110a6eca69a5e275b323f5d09e18f4f9) Signed-off-by: Daniel Axtens --- drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c index ddd5d3ebd201..eefb8f64136e 100644 --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c @@ -12934,6 +12934,24 @@ static netdev_features_t bnx2x_features_check(struct sk_buff *skb, struct net_device *dev, netdev_features_t features) { + /* + * A skb with gso_size + header length > 9700 will cause a + * firmware panic. Drop GSO support. + * + * Eventually the upper layer should not pass these packets down. + * + * For speed, if the gso_size is <= 9000, assume there will + * not be 700 bytes of headers and pass it through. Only do a + * full (slow) validation if the gso_size is > 9000. + * + * (Due to the way SKB_BY_FRAGS works this will also do a full + * validation in that case.) + */ + if (unlikely(skb_is_gso(skb) && + (skb_shinfo(skb)->gso_size > 9000) && + !skb_gso_validate_mac_len(skb, 9700))) + features &= ~NETIF_F_GSO_MASK; + features = vlan_features_check(skb, features); return vxlan_features_check(skb, features); }