Re: [RFC PATCH v7 00/16] Add support for qca8k mdio rw in Ethernet packet

From: Vladimir Oltean
Date: Thu Feb 03 2022 - 16:26:04 EST

Next message: Kees Cook: "Re: [PATCH v6 4/4] fortify: Add Clang support"
Previous message: John Hubbard: "Re: [PATCH v3 1/4] mm: Fix invalid page pointer returned with FOLL_PIN gups"
In reply to: Ansuel Smith: "Re: [RFC PATCH v7 00/16] Add support for qca8k mdio rw in Ethernet packet"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Feb 03, 2022 at 12:10:27PM -0800, Jakub Kicinski wrote:
> On Thu, 3 Feb 2022 20:21:28 +0200 Vladimir Oltean wrote:
> > To my knowledge, when you call dev_queue_xmit(), the skb is no longer
> > yours, end of story, it doesn't matter whether you increase the refcount
> > on it or not. The DSA master may choose to do whatever it wishes with
> > that buffer after its TX completion interrupt fires: it may not call
> > napi_consume_skb() but directly recycle that buffer in its pool of RX
> > buffers, as part of some weird buffer recycling scheme. So you'll think
> > that the buffer is yours, but it isn't, because the driver hasn't
> > returned it to the allocator, and your writes for the next packet may be
> > concurrent with some RX DMA transactions. I don't have a mainline
> > example to give you, but I've seen the pattern, and I don't think it's
> > illegal (although of course, I stand to be corrected if necessary).
>
> Are we talking about holding onto the Tx skb here or also recycling
> the Rx one? Sorry for another out of context comment in advance..

We're talking about the possibility that the DSA master holds onto the
TX skb, for the purpose of saving a netdev_alloc_skb() call later in the
RX path.

> AFAIK in theory shared skbs are supposed to be untouched or unshared
> explicitly by the driver on Tx. pktgen takes advantage of it.
> We have IFF_TX_SKB_SHARING.
>
> In practice everyone gets opted into SKB_SHARING because ether_setup()
> sets the flag. A lot of drivers are not aware of the requirement and
> will assume full ownership (and for example use skb->cb[]) :/
>
> I don't think there is any Tx completion -> Rx pool recycling scheme
> inside the drivers (if that's what you described).

You made me go look again at commit acb600def211 ("net: remove skb
recycling"), a revert of which is still carried in some vendor kernels.
So there was a skb_is_recycleable() function with this check:

if (skb_shared(skb))
return false;

which means that yes, my argument is basically invalid, skb_get() in DSA
will protect against skb recycling.

I know Ansuel is using OpenWRT, so not a stranger to vendor kernels &
network drivers. My comment wasn't as much a hard NACK as it was a word
of caution. DSA allows pairing any switch driver to any host controller
driver. If somebody hits the jackpot (probably won't be me, won't be
Ansuel), it won't be exactly fun for them until they figure out what's
going on, with the symptoms being random data corruption during switch
register access. But after I revisited the exact situation, I don't have
an example that proves to be problematic.

Next message: Kees Cook: "Re: [PATCH v6 4/4] fortify: Add Clang support"
Previous message: John Hubbard: "Re: [PATCH v3 1/4] mm: Fix invalid page pointer returned with FOLL_PIN gups"
In reply to: Ansuel Smith: "Re: [RFC PATCH v7 00/16] Add support for qca8k mdio rw in Ethernet packet"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]