On Fri, Feb 28, 2025 at 4:38 PM Jakub Kicinski kuba@kernel.org wrote:
On Thu, 27 Feb 2025 04:12:02 +0000 Mina Almasry wrote:
static inline void __skb_frag_ref(skb_frag_t *frag) {
get_page(skb_frag_page(frag));
get_netmem(skb_frag_netmem(frag));
}
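Review bot: the get_netmem(skb_frag_netmem(frag)) call in __skb_frag_ref() has no comment saying which reference it takes when the frag is not page-backed. A short comment above the call, stating what get_netmem() does for each kind of netmem and which release pairs with it, would let callers of this helper see what they are holding.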
Silently handling types of memory the caller may not be expecting always worries me.
Sorry, I'm not following. What caller is not expecting netmem? Here we're making sure __skb_frag_ref() handles netmem correctly, i.e. we were not expecting netmem here before, and after this patch we'll handle it correctly.
Why do we need this?
The MSG_ZEROCOPY TX path takes a page reference on the passed memory in zerocopy_fill_skb_from_iter() that kfree_skb() later drops when the skb is sent. We need an equivalent for netmem, which only supports pp refs today. This is my attempt at implementing a page_ref equivalent to net_iov and generic netmem.
I think __skb_frag_[un]ref is used elsewhere in the TX path too, tcp_mtu_probe for example calls skb_frag_ref eventually.
In general, I'm surprised by the lack of bug reports for devmem.
I guess we did a good job making sure we don't regress the page paths.
The lack of support in any driver that qemu will run is an issue. I wonder if the fact that devmem needs some setup is also an issue. We need headersplit enabled, udmabuf created, netlink API bound, and then a connection referring to created and we don't support loopback. I think maybe it all may make it difficult for syzbot to repro. I've had it on my todo list to investigate this more.
Can you think of any way we could expose this more to syzbot? First thing that comes to mind is a simple hack in netdevsim, to make it insert a netmem handle (allocated locally, not a real memory provider), every N packets (controllable via debugfs). Would that work?
Yes, great idea. I don't see why it wouldn't work.
We don't expect mixing of net_iovs and pages in the same skb, but netdevsim could create one net_iov skb every N skbs.
I guess I'm not totally sure something is discoverable to syzbot. Is a netdevsim hack toggleable via a debugfs sufficient for syzbot? I'll investigate and ask.
-- Thanks, Mina