From: "Toke Høiland-Jørgensen" <toke@redhat.com>
To: Jakub Kicinski <kuba@kernel.org>
Cc: "David S. Miller" <davem@davemloft.net>,
Jesper Dangaard Brouer <hawk@kernel.org>,
Saeed Mahameed <saeedm@nvidia.com>,
Leon Romanovsky <leon@kernel.org>,
Tariq Toukan <tariqt@nvidia.com>,
Andrew Lunn <andrew+netdev@lunn.ch>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>,
Ilias Apalodimas <ilias.apalodimas@linaro.org>,
Simon Horman <horms@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Mina Almasry <almasrymina@google.com>,
Yonglong Liu <liuyonglong@huawei.com>,
Yunsheng Lin <linyunsheng@huawei.com>,
Pavel Begunkov <asml.silence@gmail.com>,
Matthew Wilcox <willy@infradead.org>,
netdev@vger.kernel.org, bpf@vger.kernel.org,
linux-rdma@vger.kernel.org, linux-mm@kvack.org,
Qiuling Ren <qren@redhat.com>, Yuying Ma <yuma@redhat.com>
Subject: Re: [PATCH net-next v4 0/3] Fix late DMA unmap crash for page pool
Date: Fri, 28 Mar 2025 12:20:17 +0100 [thread overview]
Message-ID: <87bjtlpfke.fsf@toke.dk> (raw)
In-Reply-To: <20250327124803.41feffed@kernel.org>
Jakub Kicinski <kuba@kernel.org> writes:
> On Thu, 27 Mar 2025 11:44:10 +0100 Toke Høiland-Jørgensen wrote:
>> This series fixes the late dma_unmap crash for page pool first reported
>> by Yonglong Liu in [0]. It is an alternative approach to the one
>> submitted by Yunsheng Lin, most recently in [1]. The first two commits
>> are small refactors of the page pool code, in preparation of the main
>> change in patch 3. See the commit message of patch 3 for the details.
>
> We see a crash and an UAF on:
>
> [ 18.574787] RIP: 0010:page_pool_put_unrefed_netmem (net/core/page_pool.c:465 net/core/page_pool.c:808 net/core/page_pool.c:866)
> [ 18.575880] napi_pp_put_page (net/core/skbuff.c:998)
> [ 18.575912] skb_release_data (./include/linux/skbuff_ref.h:40 ./include/linux/skbuff_ref.h:56 net/core/skbuff.c:1079)
> [ 18.575944] consume_skb (net/core/skbuff.c:1165 net/core/skbuff.c:1396 net/core/skbuff.c:1390)
>
> You should be able to repro with ping test over netdevsim
Alright, I'll take a look, thanks for the pointer.
-Toke
prev parent reply other threads:[~2025-03-28 11:20 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-27 10:44 [PATCH net-next v4 0/3] Fix late DMA unmap crash for page pool Toke Høiland-Jørgensen
2025-03-27 10:44 ` [PATCH net-next v4 1/3] page_pool: Move pp_magic check into helper functions Toke Høiland-Jørgensen
2025-03-27 10:44 ` [PATCH net-next v4 2/3] page_pool: Turn dma_sync into a full-width bool field Toke Høiland-Jørgensen
2025-03-27 10:44 ` [PATCH net-next v4 3/3] page_pool: Track DMA-mapped pages and unmap them when destroying the pool Toke Høiland-Jørgensen
2025-03-27 19:48 ` [PATCH net-next v4 0/3] Fix late DMA unmap crash for page pool Jakub Kicinski
2025-03-28 11:20 ` Toke Høiland-Jørgensen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bjtlpfke.fsf@toke.dk \
--to=toke@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=almasrymina@google.com \
--cc=andrew+netdev@lunn.ch \
--cc=asml.silence@gmail.com \
--cc=bpf@vger.kernel.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=hawk@kernel.org \
--cc=horms@kernel.org \
--cc=ilias.apalodimas@linaro.org \
--cc=kuba@kernel.org \
--cc=leon@kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-rdma@vger.kernel.org \
--cc=linyunsheng@huawei.com \
--cc=liuyonglong@huawei.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=qren@redhat.com \
--cc=saeedm@nvidia.com \
--cc=tariqt@nvidia.com \
--cc=willy@infradead.org \
--cc=yuma@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.