From: Jakub Kicinski <kuba@kernel.org>
To: Mina Almasry <almasrymina@google.com>
Cc: Dong Chenchen <dongchenchen2@huawei.com>,
hawk@kernel.org, ilias.apalodimas@linaro.org,
davem@davemloft.net, edumazet@google.com, pabeni@redhat.com,
horms@kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, zhangchangzhong@huawei.com
Subject: Re: [BUG Report] KASAN: slab-use-after-free in page_pool_recycle_in_ring
Date: Tue, 13 May 2025 14:21:50 -0700
Message-ID: <20250513142150.3cb416e1@kernel.org>
In-Reply-To: <CAHS8izOio0bnLp3+Vzt44NVgoJpmPTJTACGjWvOXvxVqFKPSwQ@mail.gmail.com>
On Tue, 13 May 2025 13:06:38 -0700 Mina Almasry wrote:
> diff --git a/net/core/page_pool.c b/net/core/page_pool.c
> index 2b76848659418..8654608734773 100644
> --- a/net/core/page_pool.c
> +++ b/net/core/page_pool.c
> @@ -1146,10 +1146,17 @@ static void page_pool_scrub(struct page_pool *pool)
>
> static int page_pool_release(struct page_pool *pool)
> {
> + bool in_softirq;
> int inflight;
>
> +
> + /* Acquire producer lock to make sure we don't race with another thread
> + * returning a netmem to the ptr_ring.
> + */
> + in_softirq = page_pool_producer_lock(pool);
> page_pool_scrub(pool);
> inflight = page_pool_inflight(pool, true);
> + page_pool_producer_unlock(pool, in_softirq);
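Review bot: the locked region in page_pool_release() spans both page_pool_scrub() and page_pool_inflight(pool, true), but the new comment only states the goal of not racing with another thread returning a netmem to the ptr_ring. Either extend the comment to say why both calls must run under the producer lock, or narrow the region to what that race actually requires. The lock is also taken on every call, before the inflight result is known. Style: the lone `+` line after `int inflight;` leaves two consecutive blank lines and can be dropped.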
Makes sense! A couple minor notes.

Consumer lock should be outside, but really we only need to make
sure producer has "exited" right? So lock/unlock, no need to wrap
any code in it.

I'd add a helper to ptr_ring.h, a "producer barrier" which just
takes/releases the producer lock. We can't be in softirq context
here but doesn't matter, let's take the lock in "any" mode IOW
irqsave() ?

The barrier is only needed if we're proceeding to destruction.
If inflight returns != 0 we won't destroy the pool so no need
to touch producer lock.
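
A userspace model of the lock/unlock "producer barrier" discussed in this reply, added here as an illustration; it is not code from this thread or from the kernel. The names model_pool, model_recycle, model_producer_barrier, model_release and model_run are hypothetical, and a pthread mutex stands in for the ring's producer lock.

```c
/* Hypothetical userspace model, not kernel code; a mutex stands in for the spinlock. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>

struct model_pool {
	pthread_mutex_t producer_lock; /* stands in for the ring's producer lock */
	atomic_int inflight;           /* buffers not yet returned to the ring */
	int producer_exited;           /* written only under producer_lock */
};

/* Producer: the return is visible to the release path before the lock drops. */
static void *model_recycle(void *arg) {
	struct model_pool *p = arg;
	pthread_mutex_lock(&p->producer_lock);
	atomic_fetch_sub(&p->inflight, 1);
	p->producer_exited = 1;        /* still touching the pool in here */
	pthread_mutex_unlock(&p->producer_lock);
	return NULL;
}

/* Wraps no code: taking and dropping the lock only waits out a producer. */
static void model_producer_barrier(struct model_pool *p) {
	pthread_mutex_lock(&p->producer_lock);
	pthread_mutex_unlock(&p->producer_lock);
}

/* -1 while buffers are in flight (lock untouched); else frees the pool and
 * reports whether the producer had left its critical section by then. */
static int model_release(struct model_pool *p) {
	if (atomic_load(&p->inflight) != 0)
		return -1;
	model_producer_barrier(p);
	int exited = p->producer_exited;
	free(p);
	return exited;
}

/* One producer returns the only outstanding buffer while release retries. */
static int model_run(void) {
	struct model_pool *p = calloc(1, sizeof(*p));
	pthread_t t;
	int r;
	pthread_mutex_init(&p->producer_lock, NULL);
	atomic_store(&p->inflight, 1);
	pthread_create(&t, NULL, model_recycle, p);
	while ((r = model_release(p)) < 0) { /* retry, as a deferred release would */ }
	pthread_join(t, NULL);
	return r;
}
```

With the barrier call removed from model_release(), the free can land while the producer still holds the lock, which a thread or address sanitizer build reports.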