Thread (23 messages) 23 messages, 4 authors, 2d ago

Re: [PATCH net-next v9 2/9] net: Enable BIG TCP with partial GSO

From: Simon Horman <horms@kernel.org>
Date: 2026-07-16 14:47:39

This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
Full review at: https://sashiko.dev
---
--- Patch [2]: [PATCH net-next v9 2/9] net: Enable BIG TCP with partial GSO ---
commit b8199f77774400021642eb53bd60ec1a062a54ef
Author: Alice Mikityanska [off-list ref]

net: Enable BIG TCP with partial GSO
    
This commit removes the 65534-byte clamp on segment length in skb_segment
for partial GSO. It stores the gso_by_frags flag early to allow BIG TCP
packets to use larger lengths without accidental resegmentation.
quoted hunk ↗ jump to hunk
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 18dabb4e9cfa0..6ae4c2b205f2e 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
[ ... ]
quoted hunk ↗ jump to hunk
@@ -4852,9 +4853,8 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
 		/* GSO partial only requires that we trim off any excess that
 		 * doesn't fit into an MSS sized block, so take care of that
 		 * now.
-		 * Cap len to not accidentally hit GSO_BY_FRAGS.
 		 */
-		partial_segs = min(len, GSO_BY_FRAGS - 1) / mss;
+		partial_segs = len / mss;
[Severity: High]
When removing the clamp on partial GSO segments, mss is scaled up without any
upper bound. For BIG TCP packets, could this construct segments that exceed
MAX_SKB_FRAGS?

If a 512KB packet is passed to skb_segment() for partial GSO, mss is scaled
up to the full packet length. When attempting to build this single large
segment by flattening the frag_list into a new frags array, it appears it
would hit the fragment limit and abort:

net/core/skbuff.c:skb_segment() {
    ...
    if (unlikely(skb_shinfo(nskb)->nr_frags >=
                 MAX_SKB_FRAGS)) {
        net_warn_ratelimited(
            "skb_segment: too many frags: %u %u\n",
            pos, mss);
        err = -EINVAL;
        goto err;
    }
    ...
}

Does this deterministically drop BIG TCP traffic over tunnels that require
partial GSO?

[Severity: Medium]
Can the partial_segs calculation exceed 65535 for malicious inputs and cause
a 16-bit truncation?

If a crafted packet with a very small gso_size (for example, mss=1 via an
untrusted packet socket) and a large payload is segmented, len / mss could
produce a value greater than 65535.

When this 32-bit value is later assigned to the 16-bit field in skb_segment():

net/core/skbuff.c:skb_segment() {
    ...
    skb_shinfo(iter)->gso_segs = partial_segs;
    ...
}

Could this silent truncation corrupt hardware engine programming or Byte Queue
Limits?
 		if (partial_segs > 1)
 			mss *= partial_segs;
 		else
[ ... ]
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help