From: Hangbin Liu <liuhangbin@gmail.com>
To: Donald Hunter <donald.hunter@gmail.com>,
Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
Andrew Lunn <andrew@lunn.ch>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
Hangbin Liu <liuhangbin@gmail.com>
Subject: [PATCH net-next 0/4] ynl/ethtool/netlink: warn nla_len overflow for large string sets
Date: Tue, 31 Mar 2026 11:56:10 +0800 [thread overview]
Message-ID: <20260331-b4-ynl_ethtool-v1-0-dda2a9b55df8@gmail.com> (raw)
This series addresses a silent data corruption issue triggered when ynl
retrieves string sets from NICs with a large number of statistics entries
(e.g. mlx5_core with thousands of ETH_SS_STATS strings).
The root cause is that struct nlattr.nla_len is a __u16 (max 65535
bytes). When a NIC exports enough statistics strings, the
ETHTOOL_A_STRINGSET_STRINGS nest built by strset_fill_set() exceeds
this limit. nla_nest_end() silently truncates the length on assignment,
producing a corrupted netlink message. In the doit path the corrupted
message is delivered to userspace without any error; in the dumpit path
an -EMSGSIZE may be returned if the data does not fit in the dump skb.
Patch 1 improves the userspace tool: rename the doit/dumpit helpers
to do_set/do_get and convert do_get to use ynl.do() with an
explicit device header instead of a full dump with client-side filtering.
Patch 2 adds a --dbg-small-recv option to the YNL ethtool tool,
matching the same option already present in cli.py, to aid debugging
of netlink message size issues.
Patch 3 is the kernel fix: check whether the strings_attr nest would
exceed U16_MAX before calling nla_nest_end() in strset_fill_set(),
and return -EMSGSIZE early if so.
Patch 4 adds a generic WARN_ON_ONCE() in nla_nest_end() itself, so
that any future caller hitting the same overflow is immediately visible
in the kernel log rather than silently corrupting data.
---
Hangbin Liu (4):
tools: ynl: ethtool: use doit instead of dumpit for per-device GET
tools: ynl: ethtool: add --dbg-small-recv option
ethtool: strset: check nla_len overflow before nla_nest_end
netlink: warn on nla_len overflow in nla_nest_end()
include/net/netlink.h | 1 +
net/ethtool/strset.c | 4 +++
tools/net/ynl/pyynl/ethtool.py | 77 ++++++++++++++++++++++--------------------
3 files changed, 46 insertions(+), 36 deletions(-)
---
base-commit: dc9e9d61e301c087bcd990dbf2fa18ad3e2e1429
change-id: 20260324-b4-ynl_ethtool-f87cd42f572c
Best regards,
--
Hangbin Liu <liuhangbin@gmail.com>
next reply other threads:[~2026-03-31 3:56 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-31 3:56 Hangbin Liu [this message]
2026-03-31 3:56 ` [PATCH net-next 1/4] tools: ynl: ethtool: use doit instead of dumpit for per-device GET Hangbin Liu
2026-04-01 1:50 ` Jakub Kicinski
2026-04-01 7:21 ` Hangbin Liu
2026-04-02 0:51 ` Jakub Kicinski
2026-04-02 1:26 ` Hangbin Liu
2026-03-31 3:56 ` [PATCH net-next 2/4] tools: ynl: ethtool: add --dbg-small-recv option Hangbin Liu
2026-03-31 3:56 ` [PATCH net-next 3/4] ethtool: strset: check nla_len overflow before nla_nest_end Hangbin Liu
2026-04-01 1:46 ` Jakub Kicinski
2026-04-01 7:27 ` Hangbin Liu
2026-04-02 0:49 ` Jakub Kicinski
2026-04-02 1:30 ` Hangbin Liu
2026-03-31 3:56 ` [PATCH net-next 4/4] netlink: warn on nla_len overflow in nla_nest_end() Hangbin Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260331-b4-ynl_ethtool-v1-0-dda2a9b55df8@gmail.com \
--to=liuhangbin@gmail.com \
--cc=andrew@lunn.ch \
--cc=davem@davemloft.net \
--cc=donald.hunter@gmail.com \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox