[PATCH can-next v2 6/6] can: gw: use can_gw_hops instead of sk_buff::csum_start

Marc Kleine-Budde posted 6 patches 1 week, 4 days ago
There is a newer version of this series
Posted by Marc Kleine-Budde 1 week, 4 days ago
From: Oliver Hartkopp <socketcan@hartkopp.net>

As CAN skbs don't use IP checksums the skb->csum_start variable was used to
store the can-gw CAN frame time-to-live counter together with
skb->ip_summed set to CHECKSUM_UNNECESSARY.

Remove the 'hack' using the skb->csum_start variable and move the content
to can_skb_ext::can_gw_hops of the CAN skb extensions.

The module parameter 'max_hops' has been reduced to a single byte to fit
can_skb_ext::can_gw_hops as the maximum value to be stored is 6.

Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 net/can/gw.c | 23 ++++++-----------------
 1 file changed, 6 insertions(+), 17 deletions(-)

diff --git a/net/can/gw.c b/net/can/gw.c
index ad89a1913b34..2c134c9e5159 100644
--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -71,8 +71,8 @@ MODULE_ALIAS(CAN_GW_NAME);
 #define CGW_MAX_HOPS 6
 #define CGW_DEFAULT_HOPS 1
 
-static unsigned int max_hops __read_mostly = CGW_DEFAULT_HOPS;
-module_param(max_hops, uint, 0444);
+static unsigned char max_hops __read_mostly = CGW_DEFAULT_HOPS;
+module_param(max_hops, byte, 0444);
 MODULE_PARM_DESC(max_hops,
 		 "maximum " CAN_GW_NAME " routing hops for CAN frames "
 		 "(valid values: " __stringify(CGW_MIN_HOPS) "-"
@@ -480,19 +480,8 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data)
 	/* Do not handle CAN frames routed more than 'max_hops' times.
 	 * In general we should never catch this delimiter which is intended
 	 * to cover a misconfiguration protection (e.g. circular CAN routes).
-	 *
-	 * The Controller Area Network controllers only accept CAN frames with
-	 * correct CRCs - which are not visible in the controller registers.
-	 * According to skbuff.h documentation the csum_start element for IP
-	 * checksums is undefined/unused when ip_summed == CHECKSUM_UNNECESSARY.
-	 * Only CAN skbs can be processed here which already have this property.
 	 */
-
-#define cgw_hops(skb) ((skb)->csum_start)
-
-	BUG_ON(skb->ip_summed != CHECKSUM_UNNECESSARY);
-
-	if (cgw_hops(skb) >= max_hops) {
+	if (csx->can_gw_hops >= max_hops) {
 		/* indicate deleted frames due to misconfiguration */
 		gwj->deleted_frames++;
 		return;
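Review bot: the new check `if (csx->can_gw_hops >= max_hops)` reads a field that nothing in this patch initializes for a frame that has not yet passed through the gateway; the only writes to can_gw_hops in the diff are on the cloned skb's ncsx. The removed comment documented why the old csum_start storage was safe to read here, so the replacement needs an equivalent guarantee: set can_gw_hops to 0 where the CAN skb extension is allocated, and say in this comment block where that happens. The hunk also dereferences csx with no check visible in these lines; if the extension lookup can fail in can_can_gw_rcv(), test it before the comparison.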
@@ -532,11 +521,11 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data)
 	}
 
 	/* put the incremented hop counter in the cloned skb */
-	cgw_hops(nskb) = cgw_hops(skb) + 1;
+	ncsx->can_gw_hops = csx->can_gw_hops + 1;
 
 	/* first processing of this CAN frame -> adjust to private hop limit */
-	if (gwj->limit_hops && cgw_hops(nskb) == 1)
-		cgw_hops(nskb) = max_hops - gwj->limit_hops + 1;
+	if (gwj->limit_hops && ncsx->can_gw_hops == 1)
+		ncsx->can_gw_hops = max_hops - gwj->limit_hops + 1;
 
 	nskb->dev = gwj->dst.dev;
 
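Review bot: in the private-limit branch, `ncsx->can_gw_hops = max_hops - gwj->limit_hops + 1;` now stores an int expression into the single-byte field the commit message describes, so a limit_hops larger than max_hops would wrap to a large byte value instead of a small hop count. That is harmless only if limit_hops is validated against max_hops when the job is created, which these lines do not show; a one-line comment stating that invariant next to the assignment would make the narrowing safe to read.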

-- 
2.51.0
Re: [can-next,v2,6/6] can: gw: use can_gw_hops instead of sk_buff::csum_start
Posted by Jakub Kicinski 1 week, 4 days ago
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.

For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
---
can: gw: use can_gw_hops instead of sk_buff::csum_start

This patch moves the hop counter storage from skb->csum_start to the CAN
skb extension field can_skb_ext::can_gw_hops.

> diff --git a/net/can/gw.c b/net/can/gw.c
> index ad89a1913b34..2c134c9e5159 100644
> --- a/net/can/gw.c
> +++ b/net/can/gw.c

[ ... ]

> @@ -480,19 +480,8 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data)
>  	/* Do not handle CAN frames routed more than 'max_hops' times.
>  	 * In general we should never catch this delimiter which is intended
>  	 * to cover a misconfiguration protection (e.g. circular CAN routes).
> -	 *
> -	 * The Controller Area Network controllers only accept CAN frames with
> -	 * correct CRCs - which are not visible in the controller registers.
> -	 * According to skbuff.h documentation the csum_start element for IP
> -	 * checksums is undefined/unused when ip_summed == CHECKSUM_UNNECESSARY.
> -	 * Only CAN skbs can be processed here which already have this property.
>  	 */
> -
> -#define cgw_hops(skb) ((skb)->csum_start)
> -
> -	BUG_ON(skb->ip_summed != CHECKSUM_UNNECESSARY);
> -
> -	if (cgw_hops(skb) >= max_hops) {
> +	if (csx->can_gw_hops >= max_hops) {
            ^^^^^^^^^^^^^^^^
Is csx->can_gw_hops initialized to zero for fresh CAN frames?

The old code used skb->csum_start which was zeroed by skbuff_clear() during
skb allocation. The new code reads from can_skb_ext::can_gw_hops, but looking
at alloc_can_skb() in drivers/net/can/dev/skb.c, only can_iif is initialized:

    csx = can_skb_ext_add(skb);
    ...
    csx->can_iif = dev->ifindex;

The skb extension memory comes from kmem_cache_alloc() without __GFP_ZERO in
__skb_ext_alloc(), so can_gw_hops will contain garbage from the slab.

With default max_hops=1, if the garbage value is >= 1 (probability ~99.6%),
the frame will be dropped at this check before any routing occurs.

Should alloc_can_skb(), alloc_canfd_skb(), and alloc_canxl_skb() initialize
csx->can_gw_hops = 0?

>  		/* indicate deleted frames due to misconfiguration */
>  		gwj->deleted_frames++;
>  		return;

[ ... ]
-- 
pw-bot: cr
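
The effect described in the review above, as an added userspace model (not kernel code and not part of the original thread). The struct layout and the helpers `ext_alloc`, `gw_drops` and `count_drops` are hypothetical; only the field names and the `>= max_hops` check come from the patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout; only the field names are taken from the thread. */
struct can_skb_ext {
	int can_iif;
	uint8_t can_gw_hops;
};

/* One-object "slab": handed out again without being cleared, standing in
 * for kmem_cache_alloc() without __GFP_ZERO. */
static struct can_skb_ext slab_obj;

static struct can_skb_ext *ext_alloc(uint8_t stale, int zero_hops, int ifindex)
{
	memset(&slab_obj, stale, sizeof(slab_obj)); /* previous user's bytes */
	slab_obj.can_iif = ifindex;                 /* only field set, per the review */
	if (zero_hops)
		slab_obj.can_gw_hops = 0;           /* the initialization asked for */
	return &slab_obj;
}

/* The gateway's hop check from the patch: 1 means the frame is dropped. */
static int gw_drops(const struct can_skb_ext *csx, uint8_t max_hops)
{
	return csx->can_gw_hops >= max_hops;
}

/* Fresh frames dropped over all 256 possible stale byte values. */
static int count_drops(int zero_hops, uint8_t max_hops)
{
	int dropped = 0;

	for (int stale = 0; stale < 256; stale++)
		dropped += gw_drops(ext_alloc((uint8_t)stale, zero_hops, 3), max_hops);
	return dropped;
}

int main(void)
{
	printf("uninitialized, max_hops=1: %d/256 dropped\n", count_drops(0, 1));
	printf("zeroed,        max_hops=1: %d/256 dropped\n", count_drops(1, 1));
	return 0;
}
```
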
Re: [can-next,v2,6/6] can: gw: use can_gw_hops instead of sk_buff::csum_start
Posted by Oliver Hartkopp 1 week, 4 days ago

On 28.01.26 17:12, Jakub Kicinski wrote:
> This is an AI-generated review of your patch. The human sending this
> email has considered the AI review valid, or at least plausible.
> 
> For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
> ---
> can: gw: use can_gw_hops instead of sk_buff::csum_start
> 
> This patch moves the hop counter storage from skb->csum_start to the CAN
> skb extension field can_skb_ext::can_gw_hops.
> 
>> diff --git a/net/can/gw.c b/net/can/gw.c
>> index ad89a1913b34..2c134c9e5159 100644
>> --- a/net/can/gw.c
>> +++ b/net/can/gw.c
> 
> [ ... ]
> 
>> @@ -480,19 +480,8 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data)
>>   	/* Do not handle CAN frames routed more than 'max_hops' times.
>>   	 * In general we should never catch this delimiter which is intended
>>   	 * to cover a misconfiguration protection (e.g. circular CAN routes).
>> -	 *
>> -	 * The Controller Area Network controllers only accept CAN frames with
>> -	 * correct CRCs - which are not visible in the controller registers.
>> -	 * According to skbuff.h documentation the csum_start element for IP
>> -	 * checksums is undefined/unused when ip_summed == CHECKSUM_UNNECESSARY.
>> -	 * Only CAN skbs can be processed here which already have this property.
>>   	 */
>> -
>> -#define cgw_hops(skb) ((skb)->csum_start)
>> -
>> -	BUG_ON(skb->ip_summed != CHECKSUM_UNNECESSARY);
>> -
>> -	if (cgw_hops(skb) >= max_hops) {
>> +	if (csx->can_gw_hops >= max_hops) {
>              ^^^^^^^^^^^^^^^^
> Is csx->can_gw_hops initialized to zero for fresh CAN frames?
> 
> The old code used skb->csum_start which was zeroed by skbuff_clear() during
> skb allocation. The new code reads from can_skb_ext::can_gw_hops, but looking
> at alloc_can_skb() in drivers/net/can/dev/skb.c, only can_iif is initialized:
> 
>      csx = can_skb_ext_add(skb);
>      ...
>      csx->can_iif = dev->ifindex;
> 
> The skb extension memory comes from kmem_cache_alloc() without __GFP_ZERO in
> __skb_ext_alloc(), so can_gw_hops will contain garbage from the slab.

Correct. It is not only a leftover of using csum_start but also of my 
first implementation attempt using another space in struct sk_buff which 
was also zero-initialized.

I'll add some initialization in can_skb_ext_add() for the next respin.

Excellent feedback!

Many thanks,
Oliver

> 
> With default max_hops=1, if the garbage value is >= 1 (probability ~99.6%),
> the frame will be dropped at this check before any routing occurs.
> 
> Should alloc_can_skb(), alloc_canfd_skb(), and alloc_canxl_skb() initialize
> csx->can_gw_hops = 0?
> 
>>   		/* indicate deleted frames due to misconfiguration */
>>   		gwj->deleted_frames++;
>>   		return;
> 
> [ ... ]