lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20260128161248.40799-1-kuba@kernel.org>
Date: Wed, 28 Jan 2026 08:12:48 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: mkl@...gutronix.de
Cc: Jakub Kicinski <kuba@...nel.org>,
	pabeni@...hat.com,
	davem@...emloft.net,
	edumazet@...gle.com,
	horms@...nel.org,
	kernel@...gutronix.de,
	mailhol@...nel.org,
	socketcan@...tkopp.net,
	linux-can@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	netdev@...r.kernel.org,
	robin@...tonic.nl,
	o.rempel@...gutronix.de
Subject: Re: [can-next,v2,6/6] can: gw: use can_gw_hops instead of sk_buff::csum_start

This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.

For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
---
can: gw: use can_gw_hops instead of sk_buff::csum_start

This patch moves the hop counter storage from skb->csum_start to the CAN
skb extension field can_skb_ext::can_gw_hops.

> diff --git a/net/can/gw.c b/net/can/gw.c
> index ad89a1913b34..2c134c9e5159 100644
> --- a/net/can/gw.c
> +++ b/net/can/gw.c

[ ... ]

> @@ -480,19 +480,8 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data)
>  	/* Do not handle CAN frames routed more than 'max_hops' times.
>  	 * In general we should never catch this delimiter which is intended
>  	 * to cover a misconfiguration protection (e.g. circular CAN routes).
> -	 *
> -	 * The Controller Area Network controllers only accept CAN frames with
> -	 * correct CRCs - which are not visible in the controller registers.
> -	 * According to skbuff.h documentation the csum_start element for IP
> -	 * checksums is undefined/unused when ip_summed == CHECKSUM_UNNECESSARY.
> -	 * Only CAN skbs can be processed here which already have this property.
>  	 */
> -
> -#define cgw_hops(skb) ((skb)->csum_start)
> -
> -	BUG_ON(skb->ip_summed != CHECKSUM_UNNECESSARY);
> -
> -	if (cgw_hops(skb) >= max_hops) {
> +	if (csx->can_gw_hops >= max_hops) {
            ^^^^^^^^^^^^^^^^
Is csx->can_gw_hops initialized to zero for fresh CAN frames?

The old code used skb->csum_start which was zeroed by skbuff_clear() during
skb allocation. The new code reads from can_skb_ext::can_gw_hops, but looking
at alloc_can_skb() in drivers/net/can/dev/skb.c, only can_iif is initialized:

    csx = can_skb_ext_add(skb);
    ...
    csx->can_iif = dev->ifindex;

The skb extension memory comes from kmem_cache_alloc() without __GFP_ZERO in
__skb_ext_alloc(), so can_gw_hops will contain garbage from the slab.

With default max_hops=1, if the garbage value is >= 1 (probability ~99.6%),
the frame will be dropped at this check before any routing occurs.

Should alloc_can_skb(), alloc_canfd_skb(), and alloc_canxl_skb() initialize
csx->can_gw_hops = 0?

>  		/* indicate deleted frames due to misconfiguration */
>  		gwj->deleted_frames++;
>  		return;

[ ... ]
-- 
pw-bot: cr

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ