Re: [PATCH net] net: dsa: ksz: fix padding size of skb
From: Vladimir Oltean
Date: Fri Oct 16 2020 - 05:05:33 EST
On Fri, Oct 16, 2020 at 11:00:20AM +0200, Christian Eggers wrote:
> On Friday, 16 October 2020, 09:45:42 CEST, Kurt Kanzenbach wrote:
> > On Thu Oct 15 2020, Christian Eggers wrote:
> > > On Wednesday, 14 October 2020, 19:31:03 CEST, Vladimir Oltean wrote:
> > >> What problem are you actually trying to solve?
> > >
> > > After (hopefully) understanding the important bits, I would like to solve
> > > the problem that after calling __skb_put_padto() there may be no tailroom
> > > for the tail tag.
> > >
> > > The conditions where this can happen are quite special. You need a
> > > skb->len < ETH_ZLEN and the skb must be marked as cloned. One condition
> > > where this happens in practice is when the skb has been selected for TX
> > > time stamping in dsa_skb_tx_timestamp() [cloned] and L2 is used as
> > > transport for PTP [size < ETH_ZLEN]. But maybe cloned sk_buffs can also
> > > happen for other reasons.
> > Hmm. I've never observed any problems using DSA with L2 PTP time
> > stamping with this tail tag code. What's the impact exactly? Memory
> > corruption?
> It looks like skb_put_padto() is only used by the tag_ksz driver. So it's
> unlikely that other drivers are affected by the same problem.
>
> If I remember correctly, I got a skb_panic in skb_put() when adding the tail
> tag. But with the current kernel I didn't manage to create packets where the
> skb allocated by __skb_put_padto has not enough spare room for the tag tag.
> Either I am trying with wrong packets, or something else has been changed in
> between.
>
> I just sent a new patch which should solve the problem correctly here:
> https://patchwork.ozlabs.org/project/netdev/list/?series=208269
Kurt is asking, and rightfully so, because his tag_hellcreek.c driver
(for a 1588 switch with tail tags) is copied from tag_ksz.c.
I have also attempted to replicate your issue at my end and failed to do
so. In principle, it is indeed true that a cloned skb should not be
modified without calling skb_unshare() first. The DSA core
(dsa_slave_xmit) should do that. But that doesn't explain the symptoms
you're seeing, which is why I asked for skb_dump.