The usbnet driver initializes net->max_mtu to ETH_MAX_MTU before calling
the device's bind() callback. When the bind() callback sets
dev->hard_mtu based on the device's actual capability (from CDC Ethernet's
wMaxSegmentSize descriptor), max_mtu is never updated to reflect this
hardware limitation.

This allows userspace (DHCP or IPv6 RA) to configure MTU larger than the
device can handle, leading to silent packet drops when the backend sends
packets exceeding the device's buffer size.

Fix this by limiting net->max_mtu to the device's hard_mtu after the
bind callback returns.

See https://gitlab.com/qemu-project/qemu/-/issues/3268 and
https://bugs.passt.top/attachment.cgi?bugid=189

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
---
drivers/net/usb/usbnet.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index 36742e64cff7..8dbbeb8ce3f8 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1821,9 +1821,14 @@ usbnet_probe(struct usb_interface *udev, const struct usb_device_id *prod)
if ((dev->driver_info->flags & FLAG_NOARP) != 0)
net->flags |= IFF_NOARP;
- /* maybe the remote can't receive an Ethernet MTU */
- if (net->mtu > (dev->hard_mtu - net->hard_header_len))
- net->mtu = dev->hard_mtu - net->hard_header_len;
+ /* limit max_mtu to the device's hard_mtu */
+ if (net->max_mtu > (dev->hard_mtu - net->hard_header_len))
+ net->max_mtu = dev->hard_mtu - net->hard_header_len;
+
+ /* limit mtu to max_mtu */
+ if (net->mtu > net->max_mtu)
+ net->mtu = net->max_mtu;
+
} else if (!info->in || !info->out)
status = usbnet_get_endpoints(dev, udev);
else {
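Review bot: the new max_mtu clamp computes dev->hard_mtu - net->hard_header_len with no check that hard_mtu is larger than hard_header_len, and per the commit message hard_mtu is derived from a device-supplied descriptor (wMaxSegmentSize). If both fields are unsigned, a hard_mtu smaller than the header length makes the subtraction wrap to a very large value, so neither the max_mtu clamp nor the following mtu clamp takes effect. The removed lines used the same expression, but now that the result bounds what userspace may configure, it is worth rejecting or bounding that case before the comparison. Two smaller points: the added blank line just before the closing brace of the branch can be dropped, and the clamp only runs in the branch that ends at "} else if (!info->in || !info->out)", so the commit message should say whether the other two paths can leave max_mtu above hard_mtu.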
--
2.52.0
On Wed, 14 Jan 2026 10:03:17 +0100 Laurent Vivier wrote:
> The usbnet driver initializes net->max_mtu to ETH_MAX_MTU before calling
> the device's bind() callback. When the bind() callback sets
> dev->hard_mtu based the device's actual capability (from CDC Ethernet's
> wMaxSegmentSize descriptor), max_mtu is never updated to reflect this
> hardware limitation).
>
> This allows userspace (DHCP or IPv6 RA) to configure MTU larger than the
> device can handle, leading to silent packet drops when the backend sends
> packet exceeding the device's buffer size.
>
> Fix this by limiting net->max_mtu to the device's hard_mtu after the
> bind callback returns.

Change looks good, please add Stefano's tags, a Fixes tag pointing at
the oldest commit in the git history where this user-visible issue can be
reproduced (use the first tag in git history if necessary), and resend.

Please mark the commit as [PATCH net v2] when resending. Start a new
thread (don't reply to this one).

And one more thing..

> diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
> index 36742e64cff7..8dbbeb8ce3f8 100644
> --- a/drivers/net/usb/usbnet.c
> +++ b/drivers/net/usb/usbnet.c
> @@ -1821,9 +1821,14 @@ usbnet_probe(struct usb_interface *udev, const struct usb_device_id *prod)
> if ((dev->driver_info->flags & FLAG_NOARP) != 0)
> net->flags |= IFF_NOARP;
>
> - /* maybe the remote can't receive an Ethernet MTU */
> - if (net->mtu > (dev->hard_mtu - net->hard_header_len))
> - net->mtu = dev->hard_mtu - net->hard_header_len;
> + /* limit max_mtu to the device's hard_mtu */

please remove these comments, we can read the code

> + if (net->max_mtu > (dev->hard_mtu - net->hard_header_len))
> + net->max_mtu = dev->hard_mtu - net->hard_header_len;
> +
> + /* limit mtu to max_mtu */

and this one

> + if (net->mtu > net->max_mtu)
> + net->mtu = net->max_mtu;
--
pw-bot: cr

On Wed, 14 Jan 2026 10:03:17 +0100 Laurent Vivier <lvivier@redhat.com> wrote:
> The usbnet driver initializes net->max_mtu to ETH_MAX_MTU before calling
> the device's bind() callback. When the bind() callback sets
> dev->hard_mtu based the device's actual capability (from CDC Ethernet's
> wMaxSegmentSize descriptor), max_mtu is never updated to reflect this
> hardware limitation).
>
> This allows userspace (DHCP or IPv6 RA) to configure MTU larger than the
> device can handle, leading to silent packet drops when the backend sends
> packet exceeding the device's buffer size.
>
> Fix this by limiting net->max_mtu to the device's hard_mtu after the
> bind callback returns.
>
> See https://gitlab.com/qemu-project/qemu/-/issues/3268 and
> https://bugs.passt.top/attachment.cgi?bugid=189
>
> Signed-off-by: Laurent Vivier <lvivier@redhat.com>

Thanks for fixing this!

Link: https://bugs.passt.top/show_bug.cgi?id=189
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>

--
Stefano