Re: [BUG Report] KASAN: slab-use-after-free in page_pool_recycle_in_ring

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Jakub Kicinski <kuba@kernel.org>
To: "dongchenchen (A)" <dongchenchen2@huawei.com>
Cc: Mina Almasry <almasrymina@google.com>, <hawk@kernel.org>,
	<ilias.apalodimas@linaro.org>, <davem@davemloft.net>,
	<edumazet@google.com>, <pabeni@redhat.com>, <horms@kernel.org>,
	<netdev@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	<zhangchangzhong@huawei.com>
Subject: Re: [BUG Report] KASAN: slab-use-after-free in page_pool_recycle_in_ring
Date: Thu, 22 May 2025 08:47:59 -0700	[thread overview]
Message-ID: <20250522084759.6cfe3f6d@kernel.org> (raw)
In-Reply-To: <29d3e8fa-8cd0-4c93-a685-619758ab5af4@huawei.com>

On Thu, 22 May 2025 23:17:32 +0800 dongchenchen (A) wrote:
> Hi, Jakub
> Maybe we can fix the problem as follow:

Yes! a couple of minor nit picks below..

> diff --git a/net/core/page_pool.c b/net/core/page_pool.c
> index 7745ad924ae2..de3fa33d6775 100644
> --- a/net/core/page_pool.c
> +++ b/net/core/page_pool.c
> @@ -707,19 +707,18 @@ void page_pool_return_page(struct page_pool *pool, netmem_ref netmem)
>   
>   static bool page_pool_recycle_in_ring(struct page_pool *pool, netmem_ref netmem)
>   {
> +	bool in_softirq;
>   	int ret;
> -	/* BH protection not needed if current is softirq */
> -	if (in_softirq())
> -		ret = ptr_ring_produce(&pool->ring, (__force void *)netmem);
> -	else
> -		ret = ptr_ring_produce_bh(&pool->ring, (__force void *)netmem);
>   
> -	if (!ret) {
> +	/* BH protection not needed if current is softirq */
> +	in_softirq = page_pool_producer_lock(pool);
> +	ret = __ptr_ring_produce(&pool->ring, (__force void *)netmem);

Maybe we can flip the return value here we won't have to negate it below
and at return? Like this:

	ret = !__ptr_ring_produce(&pool->ring, (__force void *)netmem);

and adjust subsequent code

> +	if (!ret)
>   		recycle_stat_inc(pool, ring);
> -		return true;
> -	}
>   
> -	return false;
> +	page_pool_producer_unlock(pool, in_softirq);
> +
> +	return ret ? false : true;
>   }
>   
>   /* Only allow direct recycling in special circumstances, into the
> 
> @@ -1091,10 +1090,16 @@ static void page_pool_scrub(struct page_pool *pool)
>   
>   static int page_pool_release(struct page_pool *pool)
>   {
> +	bool in_softirq;
>   	int inflight;
>   
> +	/* Acquire producer lock to make sure we don't race with another thread
> +	 * returning a netmem to the ptr_ring.
> +	 */
> +	in_softirq = page_pool_producer_lock(pool);
>   	page_pool_scrub(pool);
>   	inflight = page_pool_inflight(pool, true);
> +	page_pool_producer_unlock(pool, in_softirq);

As I suggested earlier we don't have to lock the consumer, taking both
locks has lock ordering implications. My preference would be:

  	page_pool_scrub(pool);
  	inflight = page_pool_inflight(pool, true);
+	/* Acquire producer lock to make sure producers have exited. */
+	in_softirq = page_pool_producer_lock(pool);
+	page_pool_producer_unlock(pool, in_softirq);

next prev parent reply	other threads:[~2025-05-22 15:48 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-13  8:31 [BUG Report] KASAN: slab-use-after-free in page_pool_recycle_in_ring Dong Chenchen
2025-05-13 20:06 ` Mina Almasry
2025-05-13 21:21   ` Jakub Kicinski
2025-05-14  3:10   ` dongchenchen (A)
2025-05-19 19:20     ` Mina Almasry
2025-05-19 22:47       ` Jakub Kicinski
2025-05-20  0:53         ` Mina Almasry
2025-05-20 18:06           ` Jakub Kicinski
2025-05-22 15:17             ` dongchenchen (A)
2025-05-22 15:47               ` Jakub Kicinski [this message]
2025-05-23  1:52                 ` dongchenchen (A)
2025-05-22 15:04       ` dongchenchen (A)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250522084759.6cfe3f6d@kernel.org \
    --to=kuba@kernel.org \
    --cc=almasrymina@google.com \
    --cc=davem@davemloft.net \
    --cc=dongchenchen2@huawei.com \
    --cc=edumazet@google.com \
    --cc=hawk@kernel.org \
    --cc=horms@kernel.org \
    --cc=ilias.apalodimas@linaro.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=zhangchangzhong@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.