* [PATCH net v2] net: dsa: microchip: linearize skb for tail-tagging switches
From: Jakob Unterwurzacher @ 2025-05-12 14:44 UTC (permalink / raw)
To: Woojung Huh, UNGLinuxDriver, Andrew Lunn, Vladimir Oltean,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Marek Vasut, Tristram Ha, Florian Fainelli
Cc: jakob.unterwurzacher, stable, Woojung Huh, netdev, linux-kernel

The pointer arithmetic for accessing the tail tag only works
for linear skbs.

For nonlinear skbs, it reads uninitialized memory inside the
skb headroom, essentially randomizing the tag. I have observed
it gets set to 6 most of the time.

Example where ksz9477_rcv thinks that the packet from port 1 comes from port 6
(which does not exist for the ksz9896 that's in use), dropping the packet.
Debug prints added by me (not included in this patch):

[ 256.645337] ksz9477_rcv:323 tag0=6
[ 256.645349] skb len=47 headroom=78 headlen=0 tailroom=0
mac=(64,14) mac_len=14 net=(78,0) trans=78
shinfo(txflags=0 nr_frags=1 gso(size=0 type=0 segs=0))
csum(0x0 start=0 offset=0 ip_summed=0 complete_sw=0 valid=0 level=0)
hash(0x0 sw=0 l4=0) proto=0x00f8 pkttype=1 iif=3
priority=0x0 mark=0x0 alloc_cpu=0 vlan_all=0x0
encapsulation=0 inner(proto=0x0000, mac=0, net=0, trans=0)
[ 256.645377] dev name=end1 feat=0x0002e10200114bb3
[ 256.645386] skb headroom: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 256.645395] skb headroom: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 256.645403] skb headroom: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 256.645411] skb headroom: 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 256.645420] skb headroom: 00000040: ff ff ff ff ff ff 00 1c 19 f2 e2 db 08 06
[ 256.645428] skb frag: 00000000: 00 01 08 00 06 04 00 01 00 1c 19 f2 e2 db 0a 02
[ 256.645436] skb frag: 00000010: 00 83 00 00 00 00 00 00 0a 02 a0 2f 00 00 00 00
[ 256.645444] skb frag: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
[ 256.645452] ksz_common_rcv:92 dsa_conduit_find_user returned NULL

Call skb_linearize before trying to access the tag.

This patch fixes ksz9477_rcv which is used by the ksz9896 I have at
hand, and also applies the same fix to ksz8795_rcv which seems to have
the same problem.

Signed-off-by: Jakob Unterwurzacher <jakob.unterwurzacher@cherry.de>
Cc: stable@vger.kernel.org
Fixes: 016e43a26bab ("net: dsa: ksz: Add KSZ8795 tag code")
Fixes: 8b8010fb7876 ("dsa: add support for Microchip KSZ tail tagging)
---
v1: https://lore.kernel.org/netdev/20250509071820.4100022-1-jakob.unterwurzacher@cherry.de/
v2: add Fixes tags, Cc stable, "[PATCH net]" prefix
net/dsa/tag_ksz.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/net/dsa/tag_ksz.c b/net/dsa/tag_ksz.c
index 281bbac5539d..55ef093fe66b 100644
--- a/net/dsa/tag_ksz.c
+++ b/net/dsa/tag_ksz.c
@@ -140,7 +140,12 @@ static struct sk_buff *ksz8795_xmit(struct sk_buff *skb, struct net_device *dev)
static struct sk_buff *ksz8795_rcv(struct sk_buff *skb, struct net_device *dev)
{
- u8 *tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN;
+ u8 *tag;
+
+ if (skb_linearize(skb))
+ return NULL;
+
+ tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN;
return ksz_common_rcv(skb, dev, tag[0] & KSZ8795_TAIL_TAG_EG_PORT_M,
KSZ_EGRESS_TAG_LEN);
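Review bot: the return NULL on skb_linearize() failure in ksz8795_rcv() leaves the skb unfreed within this function, so the commit message or a short comment should state that the caller drops the skb when rcv returns NULL. A one-line comment above the call, saying that the tail tag can sit in a page fragment rather than in the linear area, would also explain why the whole skb is linearized just to read tag[0].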
@@ -311,8 +316,13 @@ static struct sk_buff *ksz9477_xmit(struct sk_buff *skb,
static struct sk_buff *ksz9477_rcv(struct sk_buff *skb, struct net_device *dev)
{
+ u8 *tag;
+
+ if (skb_linearize(skb))
+ return NULL;
+
/* Tag decoding */
- u8 *tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN;
+ tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN;
unsigned int port = tag[0] & KSZ9477_TAIL_TAG_EG_PORT_M;
unsigned int len = KSZ_EGRESS_TAG_LEN;
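Review bot: in ksz9477_rcv() the skb_linearize() check now sits above the existing initialised declarations "unsigned int port = tag[0] & KSZ9477_TAIL_TAG_EG_PORT_M" and "unsigned int len = KSZ_EGRESS_TAG_LEN", so declarations follow executable statements. Declare port and len together with tag at the top of the function and assign port after the linearize check, the way the ksz8795_rcv() hunk handles tag.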
--
2.39.5
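
The failure described in the commit message, reproduced in a userspace model with the values from the debug dump above (headroom=78, headlen=0, one 47-byte frag whose last byte is 01). This is an added example, not part of the patch or of the kernel; toy_skb, toy_tail_pointer, toy_linearize and read_tail_tag are hypothetical names, and the fixed 128-byte buffer is an assumption of the model.

```c
/* Userspace model of an skb; toy_* names are hypothetical, not kernel API. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct toy_skb {
    uint8_t buf[128];     /* linear buffer: headroom, then linear data */
    size_t data, headlen; /* data offset (== headroom), linear data length */
    const uint8_t *frag;  /* one page fragment with the rest of the packet */
    size_t frag_len;
};

/* Like skb_tail_pointer(): end of the linear data only, frags are ignored. */
static uint8_t *toy_tail_pointer(struct toy_skb *s)
{
    return s->buf + s->data + s->headlen;
}

/* Like skb_linearize(): copy the fragment in behind the linear data. */
static int toy_linearize(struct toy_skb *s)
{
    if (s->data + s->headlen + s->frag_len > sizeof(s->buf))
        return -1; /* stands in for the allocation failure path */
    memcpy(toy_tail_pointer(s), s->frag, s->frag_len);
    s->headlen += s->frag_len;
    s->frag_len = 0;
    return 0;
}

/* Rebuild the dumped skb (headroom=78, headlen=0, one 47-byte frag) and
 * return the byte that a tag[0] read at tail - 1 sees, or -1 on failure. */
int read_tail_tag(int linearize_first)
{
    uint8_t frag[47] = { 0 }; /* payload zeroed here; only the tag matters */
    struct toy_skb s = { .data = 78, .frag = frag, .frag_len = sizeof(frag) };

    s.buf[76] = 0x08;         /* EtherType 08 06 ends the pulled MAC header, */
    s.buf[77] = 0x06;         /* i.e. the last two bytes before s.data */
    frag[46] = 0x01;          /* real tail tag: last frag byte in the dump */
    if (linearize_first && toy_linearize(&s))
        return -1;
    return toy_tail_pointer(&s)[-1];
}

int main(void)
{
    printf("nonlinear tag0=%d, linearized tag0=%d\n",
           read_tail_tag(0), read_tail_tag(1));
    return 0;
}
```

With headlen=0 the tail pointer equals the data pointer, so the one-byte read lands on offset 77 of the buffer, which in the dump holds 06 and matches the logged tag0=6.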
* Re: [PATCH net v2] net: dsa: microchip: linearize skb for tail-tagging switches
From: Vladimir Oltean @ 2025-05-13 8:43 UTC (permalink / raw)
To: Jakob Unterwurzacher
Cc: Woojung Huh, UNGLinuxDriver, Andrew Lunn, David S. Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman,
Marek Vasut, Tristram Ha, Florian Fainelli, jakob.unterwurzacher,
stable, netdev, linux-kernel
On Mon, May 12, 2025 at 04:44:18PM +0200, Jakob Unterwurzacher wrote:
> The pointer arithmetic for accessing the tail tag only works
> for linear skbs.
>
> For nonlinear skbs, it reads uninitialized memory inside the
> skb headroom, essentially randomizing the tag. I have observed
> it gets set to 6 most of the time.
>
> Example where ksz9477_rcv thinks that the packet from port 1 comes from port 6
> (which does not exist for the ksz9896 that's in use), dropping the packet.
> Debug prints added by me (not included in this patch):
>
> [ 256.645337] ksz9477_rcv:323 tag0=6
> [ 256.645349] skb len=47 headroom=78 headlen=0 tailroom=0
> mac=(64,14) mac_len=14 net=(78,0) trans=78
> shinfo(txflags=0 nr_frags=1 gso(size=0 type=0 segs=0))
> csum(0x0 start=0 offset=0 ip_summed=0 complete_sw=0 valid=0 level=0)
> hash(0x0 sw=0 l4=0) proto=0x00f8 pkttype=1 iif=3
> priority=0x0 mark=0x0 alloc_cpu=0 vlan_all=0x0
> encapsulation=0 inner(proto=0x0000, mac=0, net=0, trans=0)
> [ 256.645377] dev name=end1 feat=0x0002e10200114bb3
> [ 256.645386] skb headroom: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 256.645395] skb headroom: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 256.645403] skb headroom: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 256.645411] skb headroom: 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 256.645420] skb headroom: 00000040: ff ff ff ff ff ff 00 1c 19 f2 e2 db 08 06
> [ 256.645428] skb frag: 00000000: 00 01 08 00 06 04 00 01 00 1c 19 f2 e2 db 0a 02
> [ 256.645436] skb frag: 00000010: 00 83 00 00 00 00 00 00 0a 02 a0 2f 00 00 00 00
> [ 256.645444] skb frag: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
> [ 256.645452] ksz_common_rcv:92 dsa_conduit_find_user returned NULL
>
> Call skb_linearize before trying to access the tag.
>
> This patch fixes ksz9477_rcv which is used by the ksz9896 I have at
> hand, and also applies the same fix to ksz8795_rcv which seems to have
> the same problem.
>
> Signed-off-by: Jakob Unterwurzacher <jakob.unterwurzacher@cherry.de>
> Cc: stable@vger.kernel.org
> Fixes: 016e43a26bab ("net: dsa: ksz: Add KSZ8795 tag code")
> Fixes: 8b8010fb7876 ("dsa: add support for Microchip KSZ tail tagging)
> ---

One of the blamed commits appeared in v4.13 and the other in v5.4.
I wondered whether separate patches should have been written, so that the
bug fix for the older commit could be independently backported further.
But then I looked at https://www.kernel.org/ and it seems that the
oldest supported LTS branch is 5.4, so that's irrelevant.

Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
* Re: [PATCH net v2] net: dsa: microchip: linearize skb for tail-tagging switches
From: Jakub Kicinski @ 2025-05-13 23:37 UTC (permalink / raw)
To: Jakob Unterwurzacher
Cc: Woojung Huh, UNGLinuxDriver, Andrew Lunn, Vladimir Oltean,
David S. Miller, Eric Dumazet, Paolo Abeni, Simon Horman,
Marek Vasut, Tristram Ha, Florian Fainelli, jakob.unterwurzacher,
stable, netdev, linux-kernel
On Mon, 12 May 2025 16:44:18 +0200 Jakob Unterwurzacher wrote:
> static struct sk_buff *ksz9477_rcv(struct sk_buff *skb, struct net_device *dev)
> {
> + u8 *tag;
> +
> + if (skb_linearize(skb))
> + return NULL;
> +
> /* Tag decoding */
> - u8 *tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN;
> + tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN;
> unsigned int port = tag[0] & KSZ9477_TAIL_TAG_EG_PORT_M;
> unsigned int len = KSZ_EGRESS_TAG_LEN;
Please don't add code before variable declarations.
--
pw-bot: cr
* Re: [PATCH net v2] net: dsa: microchip: linearize skb for tail-tagging switches
From: Jakub Kicinski @ 2025-05-13 23:38 UTC (permalink / raw)
To: Jakob Unterwurzacher
Cc: Woojung Huh, UNGLinuxDriver, Andrew Lunn, Vladimir Oltean,
David S. Miller, Eric Dumazet, Paolo Abeni, Simon Horman,
Marek Vasut, Tristram Ha, Florian Fainelli, jakob.unterwurzacher,
stable, netdev, linux-kernel
On Mon, 12 May 2025 16:44:18 +0200 Jakob Unterwurzacher wrote:
> Fixes: 8b8010fb7876 ("dsa: add support for Microchip KSZ tail tagging)
ps. also missing closing quotation marks on this tag