[sparx5] Use SKB reference counting for PTP tx path #16
Conversation
|
@HoratiuVultur This one is actually hard to reproduce bug. I was seeing it with gPTP and preemptible kernel every once in a blue moon. |
|
Hi @ievenbach , Thanks for the patch. I think I understand what is the problem and how you try to fix it. From what I see, this would break the lan969x implementation. Because in that driver, the skb is free only in the PTP handle interrupt. So, now with this change that you increase the ref count of the skb then the skb will never be freed. (I have not tried it yet, I just look at the code, so I might be wrong). Thanks, |
|
@HoratiuVultur I see napi_consume_skb() call at linux/drivers/net/ethernet/microchip/sparx5/lan969x/lan969x_fdma.c Lines 80 to 81 in e0e964b My guess we'd have to remove if(!db->ptp) check there I think ref-counting way is a cleaner solution then trying to special-case PTP packets everywhere (and it reduces amount of code!) I don't have lan969x hw to test though. I could update my patch to include those cleanups, of course. |
|
Eh. I just went ahead and added those changes :) |
ievenbach
force-pushed
the
vendor/microchip/bsp-6.12-2025/upstream/ptp-tx-oops
branch
from
7c079e6 to
895c0f6
Compare
And forgot to push them. LOL |
|
Hi @ievenbach, Sorry for late reply and thanks for the new version I will have a close look at it later this week and I will try your changes also on lan969x. Thanks, |
|
There is a special case there that cleans out skb from timestamp waiting queue, if it was waiting for too long. Currently wr actually have this problem in our setup - some ptp packets fail to be transmitted. But i didn't observe any memory leaks. |
|
Hi @ievenbach That is true, but that is the case when the HW says that it can transmit the frame but something goes totally wrong and the frame is not transmitted or timestamp. And that is not a problem because the frame gets freed. Thanks, |
I will look at this on monday. I have a feeling this might be a problem in current code as well. |
|
Hi @ievenbach , Did you have the time too look at this? Thanks, |
|
Oops. Forgot tp write my findings. I don't have files and lines handy, but my reading of the code is that current version also has the problem you described for all non-ptp packets. |
|
Hi @ievenbach, Hm.. I had tried to look at the code but I can't find the problem with non-ptp frames. When you have the time please let me know. Thanks, |
If, as you say, sparx5_fdma_xmit returns an error before starting DMA. e.g. skb_padto() or fdma_db_is_done or fdma_db_get fail ( linux/drivers/net/ethernet/microchip/sparx5/sparx5_fdma.c Lines 283 to 287 in e0e964b If in that case skb isn't freed, it's not going to be freed for NON-PTP packets in current implementation (PTP event packets will be freed by timeout handler) |
|
Hi @ievenbach, With the current code, will not be a problem if the function 'sparx5_fdma_xmit' will return NETDEV_TX_BUSY because then the frame will be transmitted again. And if the frame was supposed to be timestamped then when the function 'sparx5_fdma_xmit' it would release the timestamp. With your changes (if I read them correctly, so please correct me if I am wrong). If the function 'sparx5_fdma_xmit' returns NETDEV_TX_OK because of 'skb_put_padto', it would behave the same as before. And that is fine because we are not trying to fix this issue in this PR. Thanks, |
|
Shall retry of the transfer cause additional request to timestamp the skb?
|
|
I will need to double check the code but I would say so. |
|
Actually, now that I think about it, if that is the case, the skb will end up on the queue twice, and will be freed by timeout thread twice, this bringing ref count to zero, so it's still ok |
|
But if we return NETDEV_TX_BUSY then we remove the skb from the queue and release the id. |
There is a race condition in the TX path of PTP event packets. When the packet is transmitted, DMA is kicked off and then SKB is freed. However, in case of PTP packet, SKB is queued for timestamping, and is freed in the interrupt handler. If PTP IRQ arrives before the call to sparx5_consume_skb(), it will free the packet, and then sparx5_consume_skb() will cause Oops, when testing whether SKB is PTP or not. This change uses SKB reference counting to ensure SKB is freed regardless of order of events, and no crash occurs.
ievenbach
force-pushed
the
vendor/microchip/bsp-6.12-2025/upstream/ptp-tx-oops
branch
from
895c0f6 to
1b6fd11
Compare
Ah! I missed that goto! That should do the trick. |
|
Hi @ievenbach, Thanks for updating this, I had a look and it seems to look OK. I will give it a try later this week and I will let you know. Thanks, |
|
Hi @ievenbach, I have tried this on lan969x and it seems to be working fine. I have picked this commit and add it in our internal kernel tree. This will be part of 2025.09 release. Thanks, |
|
Hi @ievenbach, Unfortunately, I need to reopen this because I found a case on lan969x that it stopped working. |
|
Hmm. Why is it caused by two instances on the same interface? |
|
Hi @ievenbach, Apparently when two instances are running on the same interface then the function 'skb_header_cloned' returns true and because this is true then the function 'lan969x_fdma_xmit' will call 'pskb_expand_head' and this function doesn't allow to be called when the skb ref is different than 1. Thanks, |
Reproduced this locally on my Sparx5 HW. Will get back to you with a fix. |
For PTP event packets, sparx5_ptp_txtstamp_request increases reference count, which makes skb_put_padto BUG() - reference count should be exactly one for that one.
|
I reproduced this on sparx5. Here the code path was ->fdma_xmit -> skb_put_padto-> pskb_expand_head However, I see other code paths on lanXXX that lead to another call to pskb_expand_head. I am not sure if these paths are taken in the PTP case or not. If you could test it on actual HW, it'd be great. In any case, with this patch applied, I can't repro it on sparx5 any more |
There is a race condition in the TX path of PTP event packets. When the packet is transmitted, DMA is kicked off and then SKB is freed. However, in case of PTP packet, SKB is queued for timestamping, and is freed in the interrupt handler.
If PTP IRQ arrives before the call to sparx5_consume_skb(), it will free the packet, and then sparx5_consume_skb() will cause Oops, when testing whether SKB is PTP or not.
This change uses SKB reference counting to ensure SKB is freed regardless of order of events, and no crash occurs.