From: Jakub Kicinski <kuba@kernel.org>
To: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Cc: davem@davemloft.net, netdev@vger.kernel.org, edumazet@google.com,
pabeni@redhat.com, andrew+netdev@lunn.ch, horms@kernel.org,
daniel.zahka@gmail.com
Subject: Re: [PATCH net-next 3/3] psp: validate IPv4 header fields in psp_dev_rcv()
Date: Tue, 28 Apr 2026 18:43:36 -0700 [thread overview]
Message-ID: <20260428184336.2244b6a1@kernel.org> (raw)
In-Reply-To: <willemdebruijn.kernel.223eebd28b57a@gmail.com>
On Tue, 28 Apr 2026 20:22:34 -0400 Willem de Bruijn wrote:
> Jakub Kicinski wrote:
> > psp_dev_rcv() is called from the NIC driver's RX completion path
> > before the frame reaches ip_rcv_core(), so the IP header has not
> > been validated in SW, yet. We expect that the device has done
> > all this validation, but let's also add the SW checks, to avoid
> > surprises.
>
> If devices are expected to have verified this, should these be more
> noisy checks, similar to netdev_rx_csum_fault?
Maybe "expect" is a bit of a strong word, I meant "anticipate" /
"suspect". Dropping invalid packet in SW doesn't seem like a huge
problem, other paths in this function already do. For rx csum the
problem is that we got a incorrectly math'ed out value for what is
likely a valid packet.
That's just to explain my thinking, if you prefer we warn / dump skb
I can respin.
next prev parent reply other threads:[~2026-04-29 1:43 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-28 20:53 [PATCH net-next 0/3] net: psp: add more validation Jakub Kicinski
2026-04-28 20:53 ` [PATCH net-next 1/3] psp: validate protocol before mutating skb in psp_dev_encapsulate() Jakub Kicinski
2026-04-29 0:12 ` Eric Dumazet
2026-04-29 2:47 ` Willem de Bruijn
2026-04-28 20:53 ` [PATCH net-next 2/3] psp: add a comment about a psp_dev add netlink notification Jakub Kicinski
2026-04-29 2:48 ` Willem de Bruijn
2026-04-28 20:53 ` [PATCH net-next 3/3] psp: validate IPv4 header fields in psp_dev_rcv() Jakub Kicinski
2026-04-29 0:14 ` Eric Dumazet
2026-04-29 0:22 ` Willem de Bruijn
2026-04-29 1:43 ` Jakub Kicinski [this message]
2026-04-29 2:42 ` Willem de Bruijn
2026-04-30 0:40 ` [PATCH net-next 0/3] net: psp: add more validation patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260428184336.2244b6a1@kernel.org \
--to=kuba@kernel.org \
--cc=andrew+netdev@lunn.ch \
--cc=daniel.zahka@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=willemdebruijn.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.