From: Jakub Kicinski <kuba@kernel.org>
To: Mina Almasry <almasrymina@google.com>
Cc: Dong Chenchen <dongchenchen2@huawei.com>,
hawk@kernel.org, ilias.apalodimas@linaro.org,
davem@davemloft.net, edumazet@google.com, pabeni@redhat.com,
horms@kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, zhangchangzhong@huawei.com
Subject: Re: [BUG Report] KASAN: slab-use-after-free in page_pool_recycle_in_ring
Date: Tue, 13 May 2025 14:21:50 -0700 [thread overview]
Message-ID: <20250513142150.3cb416e1@kernel.org> (raw)
In-Reply-To: <CAHS8izOio0bnLp3+Vzt44NVgoJpmPTJTACGjWvOXvxVqFKPSwQ@mail.gmail.com>
On Tue, 13 May 2025 13:06:38 -0700 Mina Almasry wrote:
> diff --git a/net/core/page_pool.c b/net/core/page_pool.c
> index 2b76848659418..8654608734773 100644
> --- a/net/core/page_pool.c
> +++ b/net/core/page_pool.c
> @@ -1146,10 +1146,17 @@ static void page_pool_scrub(struct page_pool *pool)
>
> static int page_pool_release(struct page_pool *pool)
> {
> + bool in_softirq;
> int inflight;
>
> +
> + /* Acquire producer lock to make sure we don't race with another thread
> + * returning a netmem to the ptr_ring.
> + */
> + in_softirq = page_pool_producer_lock(pool);
> page_pool_scrub(pool);
> inflight = page_pool_inflight(pool, true);
> + page_pool_producer_unlock(pool, in_softirq);
Makes sense! A couple minor notes.
Consumer lock should be outside, but really we only need to make
sure producer has "exited" right? So lock/unlock, no need to wrap
any code in it.
I'd add a helper to ptr_ring.h, a "producer barrier" which just
takes/releases the producer lock. We can't be in softirq context
here but doesn't matter, let's take the lock in "any" mode IOW
irqsave() ?
The barrier is only needed if we're proceeding to destruction.
If inflight returns != 0 we won't destroy the pool so no need
to touch producer lock.
next prev parent reply other threads:[~2025-05-13 21:21 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-13 8:31 [BUG Report] KASAN: slab-use-after-free in page_pool_recycle_in_ring Dong Chenchen
2025-05-13 20:06 ` Mina Almasry
2025-05-13 21:21 ` Jakub Kicinski [this message]
2025-05-14 3:10 ` dongchenchen (A)
2025-05-19 19:20 ` Mina Almasry
2025-05-19 22:47 ` Jakub Kicinski
2025-05-20 0:53 ` Mina Almasry
2025-05-20 18:06 ` Jakub Kicinski
2025-05-22 15:17 ` dongchenchen (A)
2025-05-22 15:47 ` Jakub Kicinski
2025-05-23 1:52 ` dongchenchen (A)
2025-05-22 15:04 ` dongchenchen (A)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250513142150.3cb416e1@kernel.org \
--to=kuba@kernel.org \
--cc=almasrymina@google.com \
--cc=davem@davemloft.net \
--cc=dongchenchen2@huawei.com \
--cc=edumazet@google.com \
--cc=hawk@kernel.org \
--cc=horms@kernel.org \
--cc=ilias.apalodimas@linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=zhangchangzhong@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.