From: Erni Sri Satya Vennela Date: Thu, 26 Mar 2026 17:30:56 +0000 (-0700) Subject: net: mana: hardening: Validate adapter_mtu from MANA_QUERY_DEV_CONFIG X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d7709812e13d06132ddae3d21540472ea5cb11c5;p=thirdparty%2Fkernel%2Flinux.git net: mana: hardening: Validate adapter_mtu from MANA_QUERY_DEV_CONFIG As a part of MANA hardening for CVM, validate the adapter_mtu value returned from the MANA_QUERY_DEV_CONFIG HWC command. The adapter_mtu value is used to compute ndev->max_mtu via: gc->adapter_mtu - ETH_HLEN. If hardware returns a bogus adapter_mtu smaller than ETH_HLEN (e.g. 0), the unsigned subtraction wraps to a huge value, silently allowing oversized MTU settings. Add a validation check to reject adapter_mtu values below ETH_MIN_MTU + ETH_HLEN, returning -EPROTO to fail the device configuration early with a clear error message. Signed-off-by: Erni Sri Satya Vennela Link: https://patch.msgid.link/20260326173101.2010514-1-ernis@linux.microsoft.com Signed-off-by: Jakub Kicinski --- diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c index a9e0f99105aa..565375cc20d3 100644 --- a/drivers/net/ethernet/microsoft/mana/mana_en.c +++ b/drivers/net/ethernet/microsoft/mana/mana_en.c @@ -1207,10 +1207,16 @@ static int mana_query_device_cfg(struct mana_context *ac, u32 proto_major_ver, *max_num_vports = resp.max_num_vports; - if (resp.hdr.response.msg_version >= GDMA_MESSAGE_V2) + if (resp.hdr.response.msg_version >= GDMA_MESSAGE_V2) { + if (resp.adapter_mtu < ETH_MIN_MTU + ETH_HLEN) { + dev_err(dev, "Adapter MTU too small: %u\n", + resp.adapter_mtu); + return -EPROTO; + } gc->adapter_mtu = resp.adapter_mtu; - else + } else { gc->adapter_mtu = ETH_FRAME_LEN; + } if (resp.hdr.response.msg_version >= GDMA_MESSAGE_V3) *bm_hostmode = resp.bm_hostmode;