[PATCH] usbnet: limit max_mtu based on device's hard_mtu

[PATCH] usbnet: limit max_mtu based on device's hard_mtu

[Laurent Vivier]

The usbnet driver initializes net->max_mtu to ETH_MAX_MTU before calling
the device's bind() callback. When the bind() callback sets
dev->hard_mtu based the device's actual capability (from CDC Ethernet's
wMaxSegmentSize descriptor), max_mtu is never updated to reflect this
hardware limitation).

This allows userspace (DHCP or IPv6 RA) to configure MTU larger than the
device can handle, leading to silent packet drops when the backend sends
packet exceeding the device's buffer size.

Fix this by limiting net->max_mtu to the device's hard_mtu after the
bind callback returns.

See https://gitlab.com/qemu-project/qemu/-/issues/3268 and
    https://bugs.passt.top/attachment.cgi?bugid=189

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
---
 drivers/net/usb/usbnet.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index 36742e64cff7..8dbbeb8ce3f8 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1821,9 +1821,14 @@ usbnet_probe(struct usb_interface *udev, const struct usb_device_id *prod)
 		if ((dev->driver_info->flags & FLAG_NOARP) != 0)
 			net->flags |= IFF_NOARP;
 
-		/* maybe the remote can't receive an Ethernet MTU */
-		if (net->mtu > (dev->hard_mtu - net->hard_header_len))
-			net->mtu = dev->hard_mtu - net->hard_header_len;
+		/* limit max_mtu to the device's hard_mtu */
+		if (net->max_mtu > (dev->hard_mtu - net->hard_header_len))
+			net->max_mtu = dev->hard_mtu - net->hard_header_len;
+
+		/* limit mtu to max_mtu */
+		if (net->mtu > net->max_mtu)
+			net->mtu = net->max_mtu;
+
 	} else if (!info->in || !info->out)
 		status = usbnet_get_endpoints(dev, udev);
 	else {
-- 
2.52.0

Re: [PATCH] usbnet: limit max_mtu based on device's hard_mtu

[Stefano Brivio]

On Wed, 14 Jan 2026 10:03:17 +0100
Laurent Vivier <lvivier@redhat.com> wrote:

> The usbnet driver initializes net->max_mtu to ETH_MAX_MTU before calling
> the device's bind() callback. When the bind() callback sets
> dev->hard_mtu based the device's actual capability (from CDC Ethernet's
> wMaxSegmentSize descriptor), max_mtu is never updated to reflect this
> hardware limitation).
> 
> This allows userspace (DHCP or IPv6 RA) to configure MTU larger than the
> device can handle, leading to silent packet drops when the backend sends
> packet exceeding the device's buffer size.
> 
> Fix this by limiting net->max_mtu to the device's hard_mtu after the
> bind callback returns.
> 
> See https://gitlab.com/qemu-project/qemu/-/issues/3268 and
>     https://bugs.passt.top/attachment.cgi?bugid=189
> 
> Signed-off-by: Laurent Vivier <lvivier@redhat.com>

Thanks for fixing this!

Link: https://bugs.passt.top/show_bug.cgi?id=189
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>

-- 
Stefano

Re: [PATCH] usbnet: limit max_mtu based on device's hard_mtu

[Jakub Kicinski]

On Wed, 14 Jan 2026 10:03:17 +0100 Laurent Vivier wrote:
> The usbnet driver initializes net->max_mtu to ETH_MAX_MTU before calling
> the device's bind() callback. When the bind() callback sets
> dev->hard_mtu based the device's actual capability (from CDC Ethernet's
> wMaxSegmentSize descriptor), max_mtu is never updated to reflect this
> hardware limitation).
> 
> This allows userspace (DHCP or IPv6 RA) to configure MTU larger than the
> device can handle, leading to silent packet drops when the backend sends
> packet exceeding the device's buffer size.
> 
> Fix this by limiting net->max_mtu to the device's hard_mtu after the
> bind callback returns.

Change looks good, please add Stefano's tags, a Fixes tag pointing at
the oldest commit in the git history where this user-visible issue can
be reproduced (use the first tag in git history if necessary), and
resend. Please mark the commit as [PATCH net v2] when resending.
Start a new thread (don't reply to this one). And one more thing..

> diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
> index 36742e64cff7..8dbbeb8ce3f8 100644
> --- a/drivers/net/usb/usbnet.c
> +++ b/drivers/net/usb/usbnet.c
> @@ -1821,9 +1821,14 @@ usbnet_probe(struct usb_interface *udev, const struct usb_device_id *prod)
>  		if ((dev->driver_info->flags & FLAG_NOARP) != 0)
>  			net->flags |= IFF_NOARP;
>  
> -		/* maybe the remote can't receive an Ethernet MTU */
> -		if (net->mtu > (dev->hard_mtu - net->hard_header_len))
> -			net->mtu = dev->hard_mtu - net->hard_header_len;
> +		/* limit max_mtu to the device's hard_mtu */

please remove these comments, we can read the code

> +		if (net->max_mtu > (dev->hard_mtu - net->hard_header_len))
> +			net->max_mtu = dev->hard_mtu - net->hard_header_len;
> +
> +		/* limit mtu to max_mtu */

and this one

> +		if (net->mtu > net->max_mtu)
> +			net->mtu = net->max_mtu;
-- 
pw-bot: cr