Re: [PATCH net-next 4/6] net: sparx5: move SKB consumption to xmit()

From: Eric Dumazet
Date: Thu Jan 09 2025 - 14:13:47 EST

Next message: Michael Chan: "Re: [PATCH V1 1/2] bnxt_en: Add TPH support in BNXT driver"
Previous message: Sean Christopherson: "Re: [PATCH 4/7] KVM: TDX: restore host xsave state when exit from the guest TD"
In reply to: Daniel Machon: "[PATCH net-next 4/6] net: sparx5: move SKB consumption to xmit()"
Next in thread: Daniel Machon: "Re: [PATCH net-next 4/6] net: sparx5: move SKB consumption to xmit()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Jan 9, 2025 at 7:38 PM Daniel Machon
<daniel.machon@xxxxxxxxxxxxx> wrote:
>
> Currently, SKB's are consumed in sparx5_port_xmit_impl(), if the FDMA
> xmit() function returns NETDEV_TX_OK. In a following commit, we will ops
> out the xmit() function for lan969x support, and since lan969x is going
> to consume SKB's asynchronously, in the NAPI poll loop, we cannot
> consume SKB's in sparx5_port_xmit_impl() anymore. Therefore, move the
> call of dev_consume_skb_any() to the xmit() function.
>
> Reviewed-by: Steen Hegelund <Steen.Hegelund@xxxxxxxxxxxxx>
> Signed-off-by: Daniel Machon <daniel.machon@xxxxxxxxxxxxx>
> ---
> drivers/net/ethernet/microchip/sparx5/sparx5_fdma.c | 2 ++
> drivers/net/ethernet/microchip/sparx5/sparx5_packet.c | 1 -
> 2 files changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_fdma.c b/drivers/net/ethernet/microchip/sparx5/sparx5_fdma.c
> index fdae62f557ce..cb78acd356d2 100644
> --- a/drivers/net/ethernet/microchip/sparx5/sparx5_fdma.c
> +++ b/drivers/net/ethernet/microchip/sparx5/sparx5_fdma.c
> @@ -239,6 +239,8 @@ int sparx5_fdma_xmit(struct sparx5 *sparx5, u32 *ifh, struct sk_buff *skb)
>
> sparx5_fdma_reload(sparx5, fdma);
>
> + dev_consume_skb_any(skb);
> +
> return NETDEV_TX_OK;
> }
>
> diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c
> index b6f635d85820..e776fa0845c6 100644
> --- a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c
> +++ b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c
> @@ -272,7 +272,6 @@ netdev_tx_t sparx5_port_xmit_impl(struct sk_buff *skb, struct net_device *dev)
> SPARX5_SKB_CB(skb)->rew_op == IFH_REW_OP_TWO_STEP_PTP)
> return NETDEV_TX_OK;

If packet is freed earlier in sparx5_fdma_xmit(), you have UAF few
lines above here ..

stats->tx_bytes += skb->len; // UAF
...
if (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP && // UAF
SPARX5_SKB_CB(skb)->rew_op == IFH_REW_OP_TWO_STEP_PTP) // UAF

>
> - dev_consume_skb_any(skb);
> return NETDEV_TX_OK;
> drop:
> stats->tx_dropped++;
>
> --
> 2.34.1
>

Next message: Michael Chan: "Re: [PATCH V1 1/2] bnxt_en: Add TPH support in BNXT driver"
Previous message: Sean Christopherson: "Re: [PATCH 4/7] KVM: TDX: restore host xsave state when exit from the guest TD"
In reply to: Daniel Machon: "[PATCH net-next 4/6] net: sparx5: move SKB consumption to xmit()"
Next in thread: Daniel Machon: "Re: [PATCH net-next 4/6] net: sparx5: move SKB consumption to xmit()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]