tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

atm: Preserve value of skb->truesize when accounting to vcc

ATM accounts for in-flight TX packets in sk_wmem_alloc of the VCC on
which they are to be sent. But it doesn't take ownership of those
packets from the sock (if any) which originally owned them. They should
remain owned by their actual sender until they've left the box.

There's a hack in pskb_expand_head() to avoid adjusting skb->truesize
for certain skbs, precisely to avoid messing up sk_wmem_alloc
accounting. Ideally that hack would cover the ATM use case too, but it
doesn't — skbs which aren't owned by any sock, for example PPP control
frames, still get their truesize adjusted when the low-level ATM driver
adds headroom.

This has always been an issue, it seems. The truesize of a packet
increases, and sk_wmem_alloc on the VCC goes negative. But this wasn't
for normal traffic, only for control frames. So I think we just got away
with it, and we probably needed to send 2GiB of LCP echo frames before
the misaccounting would ever have caused a problem and caused
atm_may_send() to start refusing packets.

Commit 14afee4b609 ("net: convert sock.sk_wmem_alloc from atomic_t to
refcount_t") did exactly what it was intended to do, and turned this
mostly-theoretical problem into a real one, causing PPPoATM to fail
immediately as sk_wmem_alloc underflows and atm_may_send() *immediately*
starts refusing to allow new packets.

The least intrusive solution to this problem is to stash the value of
skb->truesize that was accounted to the VCC, in a new member of the
ATM_SKB(skb) structure. Then in atm_pop_raw() subtract precisely that
value instead of the then-current value of skb->truesize.

Fixes: 158f323b9868 ("net: adjust skb->truesize in pskb_expand_head()")
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Tested-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

David Woodhouse and committed by
David S. Miller 9bbe60a6 0841d986

+23 -14
+15
include/linux/atmdev.h
··· 214 214 struct atm_skb_data { 215 215 struct atm_vcc *vcc; /* ATM VCC */ 216 216 unsigned long atm_options; /* ATM layer options */ 217 + unsigned int acct_truesize; /* truesize accounted to vcc */ 217 218 }; 218 219 219 220 #define VCC_HTABLE_SIZE 32 ··· 242 241 243 242 void atm_dev_release_vccs(struct atm_dev *dev); 244 243 244 + static inline void atm_account_tx(struct atm_vcc *vcc, struct sk_buff *skb) 245 + { 246 + /* 247 + * Because ATM skbs may not belong to a sock (and we don't 248 + * necessarily want to), skb->truesize may be adjusted, 249 + * escaping the hack in pskb_expand_head() which avoids 250 + * doing so for some cases. So stash the value of truesize 251 + * at the time we accounted it, and atm_pop_raw() can use 252 + * that value later, in case it changes. 253 + */ 254 + refcount_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc); 255 + ATM_SKB(skb)->acct_truesize = skb->truesize; 256 + ATM_SKB(skb)->atm_options = vcc->atm_options; 257 + } 245 258 246 259 static inline void atm_force_charge(struct atm_vcc *vcc,int truesize) 247 260 {
+1 -2
net/atm/br2684.c
··· 252 252 253 253 ATM_SKB(skb)->vcc = atmvcc = brvcc->atmvcc; 254 254 pr_debug("atm_skb(%p)->vcc(%p)->dev(%p)\n", skb, atmvcc, atmvcc->dev); 255 - refcount_add(skb->truesize, &sk_atm(atmvcc)->sk_wmem_alloc); 256 - ATM_SKB(skb)->atm_options = atmvcc->atm_options; 255 + atm_account_tx(atmvcc, skb); 257 256 dev->stats.tx_packets++; 258 257 dev->stats.tx_bytes += skb->len; 259 258
+1 -2
net/atm/clip.c
··· 381 381 memcpy(here, llc_oui, sizeof(llc_oui)); 382 382 ((__be16 *) here)[3] = skb->protocol; 383 383 } 384 - refcount_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc); 385 - ATM_SKB(skb)->atm_options = vcc->atm_options; 384 + atm_account_tx(vcc, skb); 386 385 entry->vccs->last_use = jiffies; 387 386 pr_debug("atm_skb(%p)->vcc(%p)->dev(%p)\n", skb, vcc, vcc->dev); 388 387 old = xchg(&entry->vccs->xoff, 1); /* assume XOFF ... */
+1 -2
net/atm/common.c
··· 630 630 goto out; 631 631 } 632 632 pr_debug("%d += %d\n", sk_wmem_alloc_get(sk), skb->truesize); 633 - refcount_add(skb->truesize, &sk->sk_wmem_alloc); 633 + atm_account_tx(vcc, skb); 634 634 635 635 skb->dev = NULL; /* for paths shared with net_device interfaces */ 636 - ATM_SKB(skb)->atm_options = vcc->atm_options; 637 636 if (!copy_from_iter_full(skb_put(skb, size), size, &m->msg_iter)) { 638 637 kfree_skb(skb); 639 638 error = -EFAULT;
+1 -2
net/atm/lec.c
··· 182 182 struct net_device *dev = skb->dev; 183 183 184 184 ATM_SKB(skb)->vcc = vcc; 185 - ATM_SKB(skb)->atm_options = vcc->atm_options; 185 + atm_account_tx(vcc, skb); 186 186 187 - refcount_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc); 188 187 if (vcc->send(vcc, skb) < 0) { 189 188 dev->stats.tx_dropped++; 190 189 return;
+1 -2
net/atm/mpc.c
··· 555 555 sizeof(struct llc_snap_hdr)); 556 556 } 557 557 558 - refcount_add(skb->truesize, &sk_atm(entry->shortcut)->sk_wmem_alloc); 559 - ATM_SKB(skb)->atm_options = entry->shortcut->atm_options; 558 + atm_account_tx(entry->shortcut, skb); 560 559 entry->shortcut->send(entry->shortcut, skb); 561 560 entry->packets_fwded++; 562 561 mpc->in_ops->put(entry);
+1 -2
net/atm/pppoatm.c
··· 350 350 return 1; 351 351 } 352 352 353 - refcount_add(skb->truesize, &sk_atm(ATM_SKB(skb)->vcc)->sk_wmem_alloc); 354 - ATM_SKB(skb)->atm_options = ATM_SKB(skb)->vcc->atm_options; 353 + atm_account_tx(vcc, skb); 355 354 pr_debug("atm_skb(%p)->vcc(%p)->dev(%p)\n", 356 355 skb, ATM_SKB(skb)->vcc, ATM_SKB(skb)->vcc->dev); 357 356 ret = ATM_SKB(skb)->vcc->send(ATM_SKB(skb)->vcc, skb)
+2 -2
net/atm/raw.c
··· 35 35 struct sock *sk = sk_atm(vcc); 36 36 37 37 pr_debug("(%d) %d -= %d\n", 38 - vcc->vci, sk_wmem_alloc_get(sk), skb->truesize); 39 - WARN_ON(refcount_sub_and_test(skb->truesize, &sk->sk_wmem_alloc)); 38 + vcc->vci, sk_wmem_alloc_get(sk), ATM_SKB(skb)->acct_truesize); 39 + WARN_ON(refcount_sub_and_test(ATM_SKB(skb)->acct_truesize, &sk->sk_wmem_alloc)); 40 40 dev_kfree_skb_any(skb); 41 41 sk->sk_write_space(sk); 42 42 }