[PATCH net-next 0/9] net: safe guard net/core/tso.c users

[PATCH net-next 0/9] net: safe guard net/core/tso.c users

[Eric Dumazet]

Most net/core/tso.c users assume headers length is smaller than
TSO_HEADER_SIZE. This is because they use pre-allocated and
pre-mapped piece of memory of (N * TSO_HEADER_SIZE) bytes.

Add tso_features_check() helper so that these drivers
can request a fallback to GSO if headers are too big.

We could in the future add more checks in tso_features_check()
against max number of segments per TSO packet, as many
drivers also seem to drop packets if gso_size is too small
relative to their TX ring sizes.

Eric Dumazet (9):
  net: tso: add tso_features_check()
  net: mvneta: use tso_features_check()
  net: thunderx: use tso_features_check()
  dpaa2-eth: use tso_features_check()
  net: enetc: use tso_features_check()
  net: fec: use tso_features_check()
  net: mv643xx_eth: use tso_features_check()
  net: mvpp2: use tso_features_check()
  octeontx2-pf: use tso_features_check()

 drivers/net/ethernet/cavium/thunder/nicvf_main.c     |  2 ++
 drivers/net/ethernet/cavium/thunder/nicvf_queues.c   |  1 +
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c     |  2 ++
 drivers/net/ethernet/freescale/enetc/enetc.c         |  2 ++
 drivers/net/ethernet/freescale/enetc/enetc4_pf.c     |  2 ++
 drivers/net/ethernet/freescale/enetc/enetc_pf.c      |  2 ++
 drivers/net/ethernet/freescale/enetc/enetc_vf.c      |  2 ++
 drivers/net/ethernet/freescale/fec_main.c            |  2 ++
 drivers/net/ethernet/marvell/mv643xx_eth.c           |  2 ++
 drivers/net/ethernet/marvell/mvneta.c                |  2 ++
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c      |  2 ++
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c |  2 ++
 .../net/ethernet/marvell/octeontx2/nic/otx2_txrx.c   |  1 +
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c |  2 ++
 drivers/net/ethernet/marvell/octeontx2/nic/rep.c     |  2 ++
 include/net/tso.h                                    | 11 +++++++++++
 net/core/tso.c                                       | 12 ++++++++++++
 17 files changed, 51 insertions(+)

-- 
2.53.0.1213.gd9a14994de-goog

[PATCH net-next 1/9] net: tso: add tso_features_check()

[Eric Dumazet]

net/core/tso.c users expecting headers size is smaller
than TSO_HEADER_SIZE must fallback to GSO when headers
are too big.

Provide tso_features_check() for drivers .ndo_features_check().

Signed-off-by: Eric Dumazet <edumazet@google.com>
---
 include/net/tso.h | 11 +++++++++++
 net/core/tso.c    | 12 ++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/include/net/tso.h b/include/net/tso.h
index e7e157ae0526c8d655aca67a8a49191ec870746b..9be7cb6553975a2a82e0987214fee6883bf74404 100644
--- a/include/net/tso.h
+++ b/include/net/tso.h
@@ -28,4 +28,15 @@ void tso_build_hdr(const struct sk_buff *skb, char *hdr, struct tso_t *tso,
 void tso_build_data(const struct sk_buff *skb, struct tso_t *tso, int size);
 int tso_start(struct sk_buff *skb, struct tso_t *tso);
 
+static inline int tso_compute_hdr_len(const struct sk_buff *skb)
+{
+	int tlen = skb_is_gso_tcp(skb) ? tcp_hdrlen(skb) : sizeof(struct udphdr);
+	int hdr_len = skb_transport_offset(skb) + tlen;
+
+	return hdr_len;
+}
+
+netdev_features_t tso_features_check(struct sk_buff *skb,
+				     struct net_device *dev,
+				     netdev_features_t features);
 #endif	/* _TSO_H */
diff --git a/net/core/tso.c b/net/core/tso.c
index 6df997b9076e9842f3de7bb3e34599d8ff4e4fd4..81e2cc66d0dd29eeb647232e04032b1412382a6f 100644
--- a/net/core/tso.c
+++ b/net/core/tso.c
@@ -87,3 +87,15 @@ int tso_start(struct sk_buff *skb, struct tso_t *tso)
 	return hdr_len;
 }
 EXPORT_SYMBOL(tso_start);
+
+netdev_features_t tso_features_check(struct sk_buff *skb,
+				     struct net_device *dev,
+				     netdev_features_t features)
+{
+	if (skb_is_gso(skb)) {
+		if (tso_compute_hdr_len(skb) > TSO_HEADER_SIZE)
+			features &= ~NETIF_F_GSO_MASK;
+	}
+	return features;
+}
+EXPORT_SYMBOL(tso_features_check);
-- 
2.53.0.1213.gd9a14994de-goog

Re: [PATCH net-next 1/9] net: tso: add tso_features_check()

[Eric Dumazet]

On Thu, Apr 2, 2026 at 9:32 PM Eric Dumazet <edumazet@google.com> wrote:
>
> net/core/tso.c users expecting headers size is smaller
> than TSO_HEADER_SIZE must fallback to GSO when headers
> are too big.
>
> Provide tso_features_check() for drivers .ndo_features_check().
>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> ---
>  include/net/tso.h | 11 +++++++++++
>  net/core/tso.c    | 12 ++++++++++++
>  2 files changed, 23 insertions(+)
>
> diff --git a/include/net/tso.h b/include/net/tso.h
> index e7e157ae0526c8d655aca67a8a49191ec870746b..9be7cb6553975a2a82e0987214fee6883bf74404 100644
> --- a/include/net/tso.h
> +++ b/include/net/tso.h
> @@ -28,4 +28,15 @@ void tso_build_hdr(const struct sk_buff *skb, char *hdr, struct tso_t *tso,
>  void tso_build_data(const struct sk_buff *skb, struct tso_t *tso, int size);
>  int tso_start(struct sk_buff *skb, struct tso_t *tso);
>
> +static inline int tso_compute_hdr_len(const struct sk_buff *skb)
> +{
> +       int tlen = skb_is_gso_tcp(skb) ? tcp_hdrlen(skb) : sizeof(struct udphdr);
> +       int hdr_len = skb_transport_offset(skb) + tlen;
> +
> +       return hdr_len;
> +}
> +
> +netdev_features_t tso_features_check(struct sk_buff *skb,
> +                                    struct net_device *dev,
> +                                    netdev_features_t features);
>  #endif /* _TSO_H */
> diff --git a/net/core/tso.c b/net/core/tso.c
> index 6df997b9076e9842f3de7bb3e34599d8ff4e4fd4..81e2cc66d0dd29eeb647232e04032b1412382a6f 100644
> --- a/net/core/tso.c
> +++ b/net/core/tso.c
> @@ -87,3 +87,15 @@ int tso_start(struct sk_buff *skb, struct tso_t *tso)
>         return hdr_len;
>  }
>  EXPORT_SYMBOL(tso_start);
> +
> +netdev_features_t tso_features_check(struct sk_buff *skb,
> +                                    struct net_device *dev,
> +                                    netdev_features_t features)
> +{
> +       if (skb_is_gso(skb)) {
> +               if (tso_compute_hdr_len(skb) > TSO_HEADER_SIZE)
> +                       features &= ~NETIF_F_GSO_MASK;
> +       }
> +       return features;

I forgot that netif_skb_features() uses:

if (dev->netdev_ops->ndo_features_check)
    features &= dev->netdev_ops->ndo_features_check(skb, dev,
                                            features);
else
    features &= dflt_features_check(skb, dev, features);

So I need to call vlan_features_check() from tso_features_check()

pw-bot: cr

Re: [PATCH net-next 1/9] net: tso: add tso_features_check()

[Eric Dumazet]

On Thu, Apr 2, 2026 at 11:41 PM Eric Dumazet <edumazet@google.com> wrote:
>
> On Thu, Apr 2, 2026 at 9:32 PM Eric Dumazet <edumazet@google.com> wrote:
> >
> > net/core/tso.c users expecting headers size is smaller
> > than TSO_HEADER_SIZE must fallback to GSO when headers
> > are too big.
> >
> > Provide tso_features_check() for drivers .ndo_features_check().
> >
> > Signed-off-by: Eric Dumazet <edumazet@google.com>
> > ---
> >  include/net/tso.h | 11 +++++++++++
> >  net/core/tso.c    | 12 ++++++++++++
> >  2 files changed, 23 insertions(+)
> >
> > diff --git a/include/net/tso.h b/include/net/tso.h
> > index e7e157ae0526c8d655aca67a8a49191ec870746b..9be7cb6553975a2a82e0987214fee6883bf74404 100644
> > --- a/include/net/tso.h
> > +++ b/include/net/tso.h
> > @@ -28,4 +28,15 @@ void tso_build_hdr(const struct sk_buff *skb, char *hdr, struct tso_t *tso,
> >  void tso_build_data(const struct sk_buff *skb, struct tso_t *tso, int size);
> >  int tso_start(struct sk_buff *skb, struct tso_t *tso);
> >
> > +static inline int tso_compute_hdr_len(const struct sk_buff *skb)
> > +{
> > +       int tlen = skb_is_gso_tcp(skb) ? tcp_hdrlen(skb) : sizeof(struct udphdr);
> > +       int hdr_len = skb_transport_offset(skb) + tlen;
> > +
> > +       return hdr_len;
> > +}
> > +
> > +netdev_features_t tso_features_check(struct sk_buff *skb,
> > +                                    struct net_device *dev,
> > +                                    netdev_features_t features);
> >  #endif /* _TSO_H */
> > diff --git a/net/core/tso.c b/net/core/tso.c
> > index 6df997b9076e9842f3de7bb3e34599d8ff4e4fd4..81e2cc66d0dd29eeb647232e04032b1412382a6f 100644
> > --- a/net/core/tso.c
> > +++ b/net/core/tso.c
> > @@ -87,3 +87,15 @@ int tso_start(struct sk_buff *skb, struct tso_t *tso)
> >         return hdr_len;
> >  }
> >  EXPORT_SYMBOL(tso_start);
> > +
> > +netdev_features_t tso_features_check(struct sk_buff *skb,
> > +                                    struct net_device *dev,
> > +                                    netdev_features_t features)
> > +{
> > +       if (skb_is_gso(skb)) {
> > +               if (tso_compute_hdr_len(skb) > TSO_HEADER_SIZE)
> > +                       features &= ~NETIF_F_GSO_MASK;
> > +       }
> > +       return features;
>
> I forgot that netif_skb_features() uses:
>
> if (dev->netdev_ops->ndo_features_check)
>     features &= dev->netdev_ops->ndo_features_check(skb, dev,
>                                             features);
> else
>     features &= dflt_features_check(skb, dev, features);
>
> So I need to call vlan_features_check() from tso_features_check()

I could be wrong though, vlan_features_check() is about  skbs with
multiple vlan tags,
and net/core/tso.c should support them just fine.

Re: [PATCH net-next 1/9] net: tso: add tso_features_check()

[Jakub Kicinski]

On Fri, 3 Apr 2026 00:20:13 -0700 Eric Dumazet wrote:
> > I forgot that netif_skb_features() uses:
> >
> > if (dev->netdev_ops->ndo_features_check)
> >     features &= dev->netdev_ops->ndo_features_check(skb, dev,
> >                                             features);
> > else
> >     features &= dflt_features_check(skb, dev, features);
> >
> > So I need to call vlan_features_check() from tso_features_check()  
> 
> I could be wrong though, vlan_features_check() is about  skbs with
> multiple vlan tags,
> and net/core/tso.c should support them just fine.

But we probably still need to clear NETIF_F_IP_CSUM for example?
Better safe than sorry. (I won't repeat the sashiko complaints 
assuming you saw those ;))

Re: [PATCH net-next 1/9] net: tso: add tso_features_check()

[Eric Dumazet]

On Fri, Apr 3, 2026 at 1:47 PM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Fri, 3 Apr 2026 00:20:13 -0700 Eric Dumazet wrote:
> > > I forgot that netif_skb_features() uses:
> > >
> > > if (dev->netdev_ops->ndo_features_check)
> > >     features &= dev->netdev_ops->ndo_features_check(skb, dev,
> > >                                             features);
> > > else
> > >     features &= dflt_features_check(skb, dev, features);
> > >
> > > So I need to call vlan_features_check() from tso_features_check()
> >
> > I could be wrong though, vlan_features_check() is about  skbs with
> > multiple vlan tags,
> > and net/core/tso.c should support them just fine.
>
> But we probably still need to clear NETIF_F_IP_CSUM for example?
> Better safe than sorry. (I won't repeat the sashiko complaints
> assuming you saw those ;))

Ah not yet, let me check ;)

Re: [PATCH net-next 1/9] net: tso: add tso_features_check()

[Eric Dumazet]

On Fri, Apr 3, 2026 at 1:49 PM Eric Dumazet <edumazet@google.com> wrote:
>
> On Fri, Apr 3, 2026 at 1:47 PM Jakub Kicinski <kuba@kernel.org> wrote:
> >
> > On Fri, 3 Apr 2026 00:20:13 -0700 Eric Dumazet wrote:
> > > > I forgot that netif_skb_features() uses:
> > > >
> > > > if (dev->netdev_ops->ndo_features_check)
> > > >     features &= dev->netdev_ops->ndo_features_check(skb, dev,
> > > >                                             features);
> > > > else
> > > >     features &= dflt_features_check(skb, dev, features);
> > > >
> > > > So I need to call vlan_features_check() from tso_features_check()
> > >
> > > I could be wrong though, vlan_features_check() is about  skbs with
> > > multiple vlan tags,
> > > and net/core/tso.c should support them just fine.
> >
> > But we probably still need to clear NETIF_F_IP_CSUM for example?
> > Better safe than sorry. (I won't repeat the sashiko complaints
> > assuming you saw those ;))
>
> Ah not yet, let me check ;)

Oh well, lots of orthonal errors.

It is probably time for qdisc_pkt_len_segs_init() to pull the headers
(at least for GSO packets)
and return an error if this pull fails, instead of letting malicious
packets continue their way :/

[PATCH net-next 2/9] net: mvneta: use tso_features_check()

[Eric Dumazet]

We must fallback to GSO if a TSO packet has too big headers,
or risk corruptions.

Fixes: 2adb719d74f6 ("net: mvneta: Implement software TSO")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ezequiel Garcia <ezequiel.garcia@free-electrons.com>
Cc: Marcin Wojtas <marcin.s.wojtas@gmail.com>
---
 drivers/net/ethernet/marvell/mvneta.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
index 0c061fb0ed072aa192a0c5c7a3209b045540721a..5b52e125220c1f293cd9696016b6ea527e6f86f2 100644
--- a/drivers/net/ethernet/marvell/mvneta.c
+++ b/drivers/net/ethernet/marvell/mvneta.c
@@ -2823,6 +2823,7 @@ static int mvneta_tx_tso(struct sk_buff *skb, struct net_device *dev,
 
 	/* Initialize the TSO handler, and prepare the first payload */
 	hdr_len = tso_start(skb, &tso);
+	DEBUG_NET_WARN_ON_ONCE(hdr_len > TSO_HEADER_SIZE);
 
 	total_len = skb->len - hdr_len;
 	while (total_len > 0) {
@@ -5320,6 +5321,7 @@ static int mvneta_setup_tc(struct net_device *dev, enum tc_setup_type type,
 static const struct net_device_ops mvneta_netdev_ops = {
 	.ndo_open            = mvneta_open,
 	.ndo_stop            = mvneta_stop,
+	.ndo_features_check  = tso_features_check,
 	.ndo_start_xmit      = mvneta_tx,
 	.ndo_set_rx_mode     = mvneta_set_rx_mode,
 	.ndo_set_mac_address = mvneta_set_mac_addr,
-- 
2.53.0.1213.gd9a14994de-goog

[PATCH net-next 3/9] net: thunderx: use tso_features_check()

[Eric Dumazet]

We must fallback to GSO if a TSO packet has too big headers,
or risk corruptions.

Fixes: 4863dea3fab0 ("net: Adding support for Cavium ThunderX network controller")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Sunil Goutham <sgoutham@marvell.com>
---
 drivers/net/ethernet/cavium/thunder/nicvf_main.c   | 2 ++
 drivers/net/ethernet/cavium/thunder/nicvf_queues.c | 1 +
 2 files changed, 3 insertions(+)

diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
index 1c183827cb9ea1a628433972cb6cb808a5f1cd69..e953b8e00ecbbc30d2b011ee24522445407fc7ab 100644
--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c
+++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
@@ -19,6 +19,7 @@
 #include <linux/filter.h>
 #include <linux/net_tstamp.h>
 #include <linux/workqueue.h>
+#include <net/tso.h>
 
 #include "nic_reg.h"
 #include "nic.h"
@@ -2077,6 +2078,7 @@ static void nicvf_set_rx_mode(struct net_device *netdev)
 static const struct net_device_ops nicvf_netdev_ops = {
 	.ndo_open		= nicvf_open,
 	.ndo_stop		= nicvf_stop,
+	.ndo_features_check	= tso_features_check,
 	.ndo_start_xmit		= nicvf_xmit,
 	.ndo_change_mtu		= nicvf_change_mtu,
 	.ndo_set_mac_address	= nicvf_set_mac_address,
diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
index 062ac4a5fa12d83d7c83f854996950a7a501f1ae..22f147cc5afb54b19f0fa2e507b28b91b2ffbb0c 100644
--- a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
+++ b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
@@ -1492,6 +1492,7 @@ static int nicvf_sq_append_tso(struct nicvf *nic, struct snd_queue *sq,
 	int hdr_len;
 
 	hdr_len = tso_start(skb, &tso);
+	DEBUG_NET_WARN_ON_ONCE(hdr_len > TSO_HEADER_SIZE);
 
 	total_len = skb->len - hdr_len;
 	while (total_len > 0) {
-- 
2.53.0.1213.gd9a14994de-goog

[PATCH net-next 4/9] dpaa2-eth: use tso_features_check()

[Eric Dumazet]

We must fallback to GSO if a TSO packet has too big headers,
or risk corruptions.

Fixes: 3dc709e0cd47 ("dpaa2-eth: add support for software TSO")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ioana Ciornei <ioana.ciornei@nxp.com>
---
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
index 9335703768a9b66ca771c7f4a710cc6eb714bc61..47a25e0fa1d04d96bdffe27ce5beea0b3104a30a 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
@@ -1270,6 +1270,7 @@ static int dpaa2_eth_build_gso_fd(struct dpaa2_eth_priv *priv,
 
 	/* Initialize the TSO handler, and prepare the first payload */
 	hdr_len = tso_start(skb, &tso);
+	DEBUG_NET_WARN_ON_ONCE(hdr_len > TSO_HEADER_SIZE);
 	*total_fds_len = 0;
 
 	total_len = skb->len - hdr_len;
@@ -3029,6 +3030,7 @@ static int dpaa2_eth_setup_tc(struct net_device *net_dev,
 
 static const struct net_device_ops dpaa2_eth_ops = {
 	.ndo_open = dpaa2_eth_open,
+	.ndo_features_check = tso_features_check,
 	.ndo_start_xmit = dpaa2_eth_tx,
 	.ndo_stop = dpaa2_eth_stop,
 	.ndo_set_mac_address = dpaa2_eth_set_addr,
-- 
2.53.0.1213.gd9a14994de-goog

[PATCH net-next 5/9] net: enetc: use tso_features_check()

[Eric Dumazet]

We must fallback to GSO if a TSO packet has too big headers,
or risk corruptions.

Fixes: fb8629e2cbfc ("net: enetc: add support for software TSO")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ioana Ciornei <ioana.ciornei@nxp.com>
---
 drivers/net/ethernet/freescale/enetc/enetc.c     | 2 ++
 drivers/net/ethernet/freescale/enetc/enetc4_pf.c | 2 ++
 drivers/net/ethernet/freescale/enetc/enetc_pf.c  | 2 ++
 drivers/net/ethernet/freescale/enetc/enetc_vf.c  | 2 ++
 4 files changed, 8 insertions(+)

diff --git a/drivers/net/ethernet/freescale/enetc/enetc.c b/drivers/net/ethernet/freescale/enetc/enetc.c
index aa8a87124b103261348fe371ef158571d4c9000c..a39aaf2d2f5345f71027bc0b813a96eb36ac3e5d 100644
--- a/drivers/net/ethernet/freescale/enetc/enetc.c
+++ b/drivers/net/ethernet/freescale/enetc/enetc.c
@@ -887,6 +887,8 @@ static int enetc_map_tx_tso_buffs(struct enetc_bdr *tx_ring, struct sk_buff *skb
 
 	/* Initialize the TSO handler, and prepare the first payload */
 	hdr_len = tso_start(skb, &tso);
+	DEBUG_NET_WARN_ON_ONCE(hdr_len > TSO_HEADER_SIZE);
+
 	total_len = skb->len - hdr_len;
 	i = tx_ring->next_to_use;
 
diff --git a/drivers/net/ethernet/freescale/enetc/enetc4_pf.c b/drivers/net/ethernet/freescale/enetc/enetc4_pf.c
index 56899f2254aaa2d87a184bc9dbf09298186148cf..52393c42d45ea1a50abbc9ee4e8e8b2fa462f70e 100644
--- a/drivers/net/ethernet/freescale/enetc/enetc4_pf.c
+++ b/drivers/net/ethernet/freescale/enetc/enetc4_pf.c
@@ -6,6 +6,7 @@
 #include <linux/of_net.h>
 #include <linux/of_platform.h>
 #include <linux/unaligned.h>
+#include <net/tso.h>
 
 #include "enetc_pf_common.h"
 #include "enetc4_debugfs.h"
@@ -564,6 +565,7 @@ static int enetc4_pf_set_features(struct net_device *ndev,
 static const struct net_device_ops enetc4_ndev_ops = {
 	.ndo_open		= enetc_open,
 	.ndo_stop		= enetc_close,
+	.ndo_features_check	= tso_features_check,
 	.ndo_start_xmit		= enetc_xmit,
 	.ndo_get_stats		= enetc_get_stats,
 	.ndo_set_mac_address	= enetc_pf_set_mac_addr,
diff --git a/drivers/net/ethernet/freescale/enetc/enetc_pf.c b/drivers/net/ethernet/freescale/enetc/enetc_pf.c
index a12fd54a475f6cd0516185aa817f2d8c430a0a1d..6b5c3b1f43fc8f00cf0c58c28e5b5b035c0eec41 100644
--- a/drivers/net/ethernet/freescale/enetc/enetc_pf.c
+++ b/drivers/net/ethernet/freescale/enetc/enetc_pf.c
@@ -7,6 +7,7 @@
 #include <linux/of_platform.h>
 #include <linux/of_net.h>
 #include <linux/pcs-lynx.h>
+#include <net/tso.h>
 #include "enetc_ierb.h"
 #include "enetc_pf_common.h"
 
@@ -617,6 +618,7 @@ static int enetc_pf_setup_tc(struct net_device *ndev, enum tc_setup_type type,
 static const struct net_device_ops enetc_ndev_ops = {
 	.ndo_open		= enetc_open,
 	.ndo_stop		= enetc_close,
+	.ndo_features_check	= tso_features_check,
 	.ndo_start_xmit		= enetc_xmit,
 	.ndo_get_stats		= enetc_get_stats,
 	.ndo_set_mac_address	= enetc_pf_set_mac_addr,
diff --git a/drivers/net/ethernet/freescale/enetc/enetc_vf.c b/drivers/net/ethernet/freescale/enetc/enetc_vf.c
index 6c4b374bcb0ef14284d2ea153d8bd4112fe5309a..7c9f3c7e9a5685530bf203ced3514d6dac574099 100644
--- a/drivers/net/ethernet/freescale/enetc/enetc_vf.c
+++ b/drivers/net/ethernet/freescale/enetc/enetc_vf.c
@@ -3,6 +3,7 @@
 
 #include <linux/module.h>
 #include "enetc.h"
+#include <net/tso.h>
 
 #define ENETC_DRV_NAME_STR "ENETC VF driver"
 
@@ -115,6 +116,7 @@ static int enetc_vf_setup_tc(struct net_device *ndev, enum tc_setup_type type,
 static const struct net_device_ops enetc_ndev_ops = {
 	.ndo_open		= enetc_open,
 	.ndo_stop		= enetc_close,
+	.ndo_features_check	= tso_features_check,
 	.ndo_start_xmit		= enetc_xmit,
 	.ndo_get_stats		= enetc_get_stats,
 	.ndo_set_mac_address	= enetc_vf_set_mac_addr,
-- 
2.53.0.1213.gd9a14994de-goog

[PATCH net-next 6/9] net: fec: use tso_features_check()

[Eric Dumazet]

We must fallback to GSO if a TSO packet has too big headers,
or risk corruptions.

Fixes: 79f339125ea3 ("net: fec: Add software TSO support")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Nimrod Andy <B38611@freescale.com>
Cc: Wei Fang <wei.fang@nxp.com>
Cc: Frank Li <frank.li@nxp.com>
Cc: Shenwei Wang <shenwei.wang@nxp.com>
---
 drivers/net/ethernet/freescale/fec_main.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
index f89aa94ce0202d5f28f37362ce70e0943aa14025..846fdd51cf8b6c5ef9fffcd5688ad54cb8def919 100644
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -860,6 +860,7 @@ static int fec_enet_txq_submit_tso(struct fec_enet_priv_tx_q *txq,
 
 	/* Initialize the TSO handler, and prepare the first payload */
 	hdr_len = tso_start(skb, &tso);
+	DEBUG_NET_WARN_ON_ONCE(hdr_len > TSO_HEADER_SIZE);
 
 	total_len = skb->len - hdr_len;
 	while (total_len > 0) {
@@ -4887,6 +4888,7 @@ static int fec_change_mtu(struct net_device *ndev, int new_mtu)
 static const struct net_device_ops fec_netdev_ops = {
 	.ndo_open		= fec_enet_open,
 	.ndo_stop		= fec_enet_close,
+	.ndo_features_check	= tso_features_check,
 	.ndo_start_xmit		= fec_enet_start_xmit,
 	.ndo_select_queue       = fec_enet_select_queue,
 	.ndo_set_rx_mode	= set_multicast_list,
-- 
2.53.0.1213.gd9a14994de-goog

[PATCH net-next 7/9] net: mv643xx_eth: use tso_features_check()

[Eric Dumazet]

We must fallback to GSO if a TSO packet has too big headers,
or risk corruptions.

Fixes: 3ae8f4e0b98b ("net: mv643xx_eth: Implement software TSO")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ezequiel Garcia <ezequiel.garcia@free-electrons.com>
Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
---
 drivers/net/ethernet/marvell/mv643xx_eth.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c
index f9055b3d6fb102ebc695dce9c6c8321889a78dfa..95781e1f42dd69404ca60f0cb383bd783f7e5322 100644
--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
+++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
@@ -835,6 +835,7 @@ static int txq_submit_tso(struct tx_queue *txq, struct sk_buff *skb,
 
 	/* Initialize the TSO handler, and prepare the first payload */
 	hdr_len = tso_start(skb, &tso);
+	DEBUG_NET_WARN_ON_ONCE(hdr_len > TSO_HEADER_SIZE);
 
 	total_len = skb->len - hdr_len;
 	while (total_len > 0) {
@@ -3066,6 +3067,7 @@ static void init_pscr(struct mv643xx_eth_private *mp, int speed, int duplex)
 static const struct net_device_ops mv643xx_eth_netdev_ops = {
 	.ndo_open		= mv643xx_eth_open,
 	.ndo_stop		= mv643xx_eth_stop,
+	.ndo_features_check	= tso_features_check,
 	.ndo_start_xmit		= mv643xx_eth_xmit,
 	.ndo_set_rx_mode	= mv643xx_eth_set_rx_mode,
 	.ndo_set_mac_address	= mv643xx_eth_set_mac_address,
-- 
2.53.0.1213.gd9a14994de-goog

[PATCH net-next 8/9] net: mvpp2: use tso_features_check()

[Eric Dumazet]

We must fallback to GSO if a TSO packet has too big headers,
or risk corruptions.

Fixes: 186cd4d4e414 ("net: mvpp2: software tso support")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Antoine Tenart <atenart@kernel.org>
Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
---
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
index f442b874bb5933b298773bee7e6140e753bce013..6a065402f62605a9333c9050cdbb793ce547e74a 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
@@ -4318,6 +4318,7 @@ static int mvpp2_tx_tso(struct sk_buff *skb, struct net_device *dev,
 		return 0;
 
 	hdr_sz = tso_start(skb, &tso);
+	DEBUG_NET_WARN_ON_ONCE(hdr_sz > TSO_HEADER_SIZE);
 
 	len = skb->len - hdr_sz;
 	while (len > 0) {
@@ -5795,6 +5796,7 @@ static int mvpp2_ethtool_set_eee(struct net_device *dev,
 static const struct net_device_ops mvpp2_netdev_ops = {
 	.ndo_open		= mvpp2_open,
 	.ndo_stop		= mvpp2_stop,
+	.ndo_features_check	= tso_features_check,
 	.ndo_start_xmit		= mvpp2_tx,
 	.ndo_set_rx_mode	= mvpp2_set_rx_mode,
 	.ndo_set_mac_address	= mvpp2_set_mac_address,
-- 
2.53.0.1213.gd9a14994de-goog

[PATCH net-next 9/9] octeontx2-pf: use tso_features_check()

[Eric Dumazet]

We must fallback to GSO if a TSO packet has too big headers,
or risk corruptions.

Fixes: 86d7476078b8 ("octeontx2-pf: TCP segmentation offload support")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Sunil Goutham <sgoutham@marvell.com>
Cc: Geetha sowjanya <gakula@marvell.com>
Cc: Subbaraya Sundeep <sbhatta@marvell.com>
Cc: hariprasad <hkelam@marvell.com>
Cc: Bharat Bhushan <bbhushan2@marvell.com>
---
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c   | 2 ++
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c | 1 +
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c   | 2 ++
 drivers/net/ethernet/marvell/octeontx2/nic/rep.c       | 2 ++
 4 files changed, 7 insertions(+)

diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
index ee623476e5ff1ad10a4149a065773fcd7050d970..a6cb0058603a530a11637c054f43cf0c8d129b32 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
@@ -17,6 +17,7 @@
 #include <linux/bpf_trace.h>
 #include <linux/bitfield.h>
 #include <net/page_pool/types.h>
+#include <net/tso.h>
 
 #include "otx2_reg.h"
 #include "otx2_common.h"
@@ -2924,6 +2925,7 @@ static int otx2_ndo_set_vf_trust(struct net_device *netdev, int vf,
 static const struct net_device_ops otx2_netdev_ops = {
 	.ndo_open		= otx2_open,
 	.ndo_stop		= otx2_stop,
+	.ndo_features_check	= tso_features_check,
 	.ndo_start_xmit		= otx2_xmit,
 	.ndo_select_queue	= otx2_select_queue,
 	.ndo_fix_features	= otx2_fix_features,
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
index 625bb5a05344c0b6521c28fc28e7390553bc8f84..52cc122bf519589ad0d1f6b079bc3da03063b2f5 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
@@ -936,6 +936,7 @@ static void otx2_sq_append_tso(struct otx2_nic *pfvf, struct otx2_snd_queue *sq,
 	struct tso_t tso;
 
 	hdr_len = tso_start(skb, &tso);
+	DEBUG_NET_WARN_ON_ONCE(hdr_len > TSO_HEADER_SIZE);
 
 	/* Map SKB's fragments to DMA.
 	 * It's done here to avoid mapping for every TSO segment's packet.
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c
index f4fdbfba866764477d7c72f4f71da9beb0f61f5c..44ba038964e8e4b0843ac38ce9428bf249c0af47 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c
@@ -9,6 +9,7 @@
 #include <linux/module.h>
 #include <linux/pci.h>
 #include <linux/net_tstamp.h>
+#include <net/tso.h>
 
 #include "otx2_common.h"
 #include "otx2_reg.h"
@@ -526,6 +527,7 @@ static int otx2vf_set_features(struct net_device *netdev,
 static const struct net_device_ops otx2vf_netdev_ops = {
 	.ndo_open = otx2vf_open,
 	.ndo_stop = otx2vf_stop,
+	.ndo_features_check = tso_features_check,
 	.ndo_start_xmit = otx2vf_xmit,
 	.ndo_select_queue = otx2_select_queue,
 	.ndo_set_rx_mode = otx2vf_set_rx_mode,
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/rep.c b/drivers/net/ethernet/marvell/octeontx2/nic/rep.c
index 94f155ffb17f0060e1d1fbba3916948e5578e3a1..75f688013b75cda12522b1e3d708dbcc960502cb 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/rep.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/rep.c
@@ -10,6 +10,7 @@
 #include <linux/pci.h>
 #include <linux/net_tstamp.h>
 #include <linux/sort.h>
+#include <net/tso.h>
 
 #include "otx2_common.h"
 #include "cn10k.h"
@@ -487,6 +488,7 @@ static int rvu_rep_stop(struct net_device *dev)
 static const struct net_device_ops rvu_rep_netdev_ops = {
 	.ndo_open		= rvu_rep_open,
 	.ndo_stop		= rvu_rep_stop,
+	.ndo_features_check	= tso_features_check,
 	.ndo_start_xmit		= rvu_rep_xmit,
 	.ndo_get_stats64	= rvu_rep_get_stats64,
 	.ndo_change_mtu		= rvu_rep_change_mtu,
-- 
2.53.0.1213.gd9a14994de-goog