lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 16 Oct 2020 12:05:27 +0300
From:   Vladimir Oltean <>
To:     Christian Eggers <>
Cc:     Kurt Kanzenbach <>,
        Woojung Huh <>,
        Andrew Lunn <>,
        Vivien Didelot <>,
        Florian Fainelli <>,
        Microchip Linux Driver Support <>,
        "David S . Miller" <>,
        Jakub Kicinski <>,,
Subject: Re: [PATCH net] net: dsa: ksz: fix padding size of skb

On Fri, Oct 16, 2020 at 11:00:20AM +0200, Christian Eggers wrote:
> On Friday, 16 October 2020, 09:45:42 CEST, Kurt Kanzenbach wrote:
> > On Thu Oct 15 2020, Christian Eggers wrote:
> > > On Wednesday, 14 October 2020, 19:31:03 CEST, Vladimir Oltean wrote:
> > >> What problem are you actually trying to solve?
> > >
> > > After (hopefully) understanding the important bits, I would like to solve
> > > the problem that after calling __skb_put_padto() there may be no tailroom
> > > for the tail tag.
> > >
> > > The conditions where this can happen are quite special. You need a
> > > skb->len < ETH_ZLEN and the skb must be marked as cloned. One condition
> > > where this happens in practice is when the skb has been selected for TX
> > > time stamping in dsa_skb_tx_timestamp() [cloned] and L2 is used as
> > > transport for PTP [size < ETH_ZLEN]. But maybe cloned sk_buffs can also
> > > happen for other reasons.
> > Hmm. I've never observed any problems using DSA with L2 PTP time
> > stamping with this tail tag code. What's the impact exactly? Memory
> > corruption?
> It looks like skb_put_padto() is only used by the tag_ksz driver. So it's
> unlikely that other drivers are affected by the same problem.
> If I remember correctly, I got a skb_panic in skb_put() when adding the tail
> tag. But with the current kernel I didn't manage to create packets where the
> skb allocated by __skb_put_padto has not enough spare room for the tag tag.
> Either I am trying with wrong packets, or something else has been changed in
> between.
> I just sent a new patch which should solve the problem correctly here:

Kurt is asking, and rightfully so, because his tag_hellcreek.c driver
(for a 1588 switch with tail tags) is copied from tag_ksz.c.
I have also attempted to replicate your issue at my end and failed to do
so. In principle, it is indeed true that a cloned skb should not be
modified without calling skb_unshare() first. The DSA core
(dsa_slave_xmit) should do that. But that doesn't explain the symptoms
you're seeing, which is why I asked for skb_dump.

Powered by blists - more mailing lists