[sparx5] Use SKB reference counting for PTP tx path

There is a race condition in the TX path of PTP event packets.
When the packet is transmitted, DMA is kicked off and then SKB is freed.
However, in case of PTP packet, SKB is queued for timestamping, and is
freed in the interrupt handler.

If PTP IRQ arrives before the call to sparx5_consume_skb(), it will free
the packet, and then sparx5_consume_skb() will cause Oops, when testing
whether SKB is PTP or not.

This change uses SKB reference counting to ensure SKB is freed regardless
of order of events, and no crash occurs.

Author: ievenbach

drivers/net/ethernet/microchip/sparx5/sparx5_fdma.c

@@ -299,7 +299,7 @@ int sparx5_fdma_xmit(struct sparx5 *sparx5, u32 *ifh, struct sk_buff *skb)
 
 	sparx5_fdma_reload(sparx5, fdma);
 
-	sparx5_consume_skb(skb);
+	dev_consume_skb_any(skb);
 
 	return NETDEV_TX_OK;
 }

drivers/net/ethernet/microchip/sparx5/sparx5_main.h

@@ -1081,7 +1081,6 @@ u32 sparx5_mirror_monitor_get(struct sparx5 *sparx5, u32 idx);
 
 /* sparx5_packet.c */
 u32 sparx5_get_packet_pipeline_pt(enum sparx5_packet_pipeline_pt pt);
-void sparx5_consume_skb(struct sk_buff *skb);
 bool sparx5_skb_offloaded(struct sparx5 *sparx5, u32 port, struct sk_buff *skb);
 
 /* sparx5_afi.c */

drivers/net/ethernet/microchip/sparx5/sparx5_packet.c

@@ -276,7 +276,7 @@ static int sparx5_inject(struct sparx5 *sparx5,
 			      HRTIMER_MODE_REL);
 	}
 
-	sparx5_consume_skb(skb);
+	dev_consume_skb_any(skb);
 
 	return NETDEV_TX_OK;
 }
@@ -448,18 +448,6 @@ void sparx5_port_inj_timer_setup(struct sparx5_port *port)
 	port->inj_timer.function = sparx5_injection_timeout;
 }
 
-void sparx5_consume_skb(struct sk_buff *skb)
-{
-	bool ptp = false;
-
-	if (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP &&
-	    SPARX5_SKB_CB(skb)->rew_op == IFH_REW_OP_TWO_STEP_PTP)
-		ptp = true;
-
-	if (!ptp)
-		dev_consume_skb_any(skb);
-}
-
 bool sparx5_skb_offloaded(struct sparx5 *sparx5, u32 port, struct sk_buff *skb)
 {
 	u32 val;

drivers/net/ethernet/microchip/sparx5/sparx5_ptp.c

@@ -568,6 +568,13 @@ int sparx5_ptp_txtstamp_request(struct sparx5_port *port,
 	}
 
 	skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
+	/* Increase reference count, in order to prevent double-free,
+	   in case PTP IRQ happens after DMA is kicked off, but before
+	   dev_consume_skb_any is called.
+	   For PTP packets, skb is freed extra time by the PTP IRQ handler,
+	   so we need to increase the reference count here.
+	*/
+	skb_get(skb);
 
 	skb_queue_tail(&port->tx_skbs, skb);
 	SPARX5_SKB_CB(skb)->ts_id = port->ts_id;