From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7545FC07E9C for ; Wed, 7 Jul 2021 21:49:45 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5E26061C3C for ; Wed, 7 Jul 2021 21:49:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233133AbhGGVwY (ORCPT ); Wed, 7 Jul 2021 17:52:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54658 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230378AbhGGVwY (ORCPT ); Wed, 7 Jul 2021 17:52:24 -0400 Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2BEEAC061574; Wed, 7 Jul 2021 14:49:43 -0700 (PDT) Received: by mail-ed1-x52b.google.com with SMTP id x12so5407200eds.5; Wed, 07 Jul 2021 14:49:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EC7Oxd/vO2OVP/AyHel/8QwWNlF+f8KQWxcNn5v/QIg=; b=bf08DKO7WidCKLhtYEXmq9hkS+bWYFYTaN2cR0BuzAsUE3HZRGnbAvkhBStB/2dEOT zFqphAiqGKr1391YXtObX/le70QGoIHxoGX8b6L1oFQLp3DUD8dw2H0q7zPVIDZCxN1o 0htDi3ynruDbd3ydFFJQOtYUN15LulASv3aOSAQcx5AXZ0oDRfOS03XYWM1lOe2wyjml 99gPCEvCVPIWymioY9Fn412OkqDyHgc7/KAxtCAdfrG1LuO7NBvk9yU8XDvaAwAqCOoo Truv0kgDSX3eTVAv+Tfr34Ax+UHRFXTyNhRXqtpDbSxzwx6P0wgYSQpjmg1KPBhc5CzY o3CQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=EC7Oxd/vO2OVP/AyHel/8QwWNlF+f8KQWxcNn5v/QIg=; b=tFDZLWN4u4xbUNcFhEf1yG+B8eRIXycujC2gzJJFeHcNttX73dsMcvYFLrf4ZfC8A1 6L2niVWIPc9TSdzvHWTDdz4E9/qiGleZYEC58zTTHh4RGUcx9NVzLZqGGQdzVB31YtK8 62uqi0qYoXlczYDnhplwRzCZzXrlYejRMSv0LU7fKAPM7aj/CEVn/0JoJR2Q2346/Ob4 iZwjRZKhTMIcTdx/7HFzNkwtHS7suRMLgvsB1h4pA1bdyGxi71Be7EtNF+AQy9XVMRcN neW9FOJo2Fqp6ECcpL3L9jovTM7gADo3ITEIMt2+4ZaPZ6L3D2SAWKBItZS0Ah1b2EuX WiDQ== X-Gm-Message-State: AOAM533DZTbUfsjnc2vmu0r+QwYAF65PHDqNyACb2XTDbhFppiWrt3aO 3b7N4svtw0hEkM2e3Hils4EygZGdMXZW/PajoeY= X-Google-Smtp-Source: ABdhPJz0LiNNZrV+3ai0Fy2+Z6dmL3EBrWrl6GZcDSdTMVXxGtN7BNLXcShNlewnvCgiI1BLrSDRypHGrz6srfGFkJo= X-Received: by 2002:aa7:d483:: with SMTP id b3mr33423329edr.282.1625694581635; Wed, 07 Jul 2021 14:49:41 -0700 (PDT) MIME-Version: 1.0 References: <1625044676-12441-1-git-send-email-linyunsheng@huawei.com> <1625044676-12441-2-git-send-email-linyunsheng@huawei.com> <29403911-bc26-dd86-83b8-da3c1784d087@huawei.com> In-Reply-To: From: Alexander Duyck Date: Wed, 7 Jul 2021 14:49:30 -0700 Message-ID: Subject: Re: [PATCH net-next RFC 1/2] page_pool: add page recycling support based on elevated refcnt To: Ilias Apalodimas Cc: Yunsheng Lin , David Miller , Jakub Kicinski , linuxarm@openeuler.org, yisen.zhuang@huawei.com, Salil Mehta , thomas.petazzoni@bootlin.com, Marcin Wojtas , Russell King - ARM Linux , hawk@kernel.org, Alexei Starovoitov , Daniel Borkmann , John Fastabend , Andrew Morton , Peter Zijlstra , Will Deacon , Matthew Wilcox , Vlastimil Babka , fenghua.yu@intel.com, guro@fb.com, peterx@redhat.com, Feng Tang , Jason Gunthorpe , mcroce@microsoft.com, Hugh Dickins , Jonathan Lemon , Alexander Lobakin , Willem de Bruijn , wenxu@ucloud.cn, cong.wang@bytedance.com, Kevin Hao , nogikh@google.com, Marco Elver , Netdev , LKML , bpf Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org On Wed, Jul 7, 2021 at 12:03 PM Ilias Apalodimas wrote: > > > > Hi, Alexander > > > > > > Thanks for detailed reviewing. > > > > > Likewise! > I'll have a look on the entire conversation in a few days... > > > > > > > > > So this isn't going to work with the current recycling logic. The > > > > expectation there is that we can safely unmap the entire page as soon > > > > as the reference count is greater than 1. > > > > > > Yes, the expectation is changed to we can always recycle the page > > > when the last user has dropped the refcnt that has given to it when > > > the page is not pfmemalloced. > > > > > > The above expectation is based on that the last user will always > > > call page_pool_put_full_page() in order to do the recycling or do > > > the resource cleanup(dma unmaping..etc). > > > > > > As the skb_free_head() and skb_release_data() have both checked the > > > skb->pp_recycle to call the page_pool_put_full_page() if needed, I > > > think we are safe for most case, the one case I am not so sure above > > > is the rx zero copy, which seems to also bump up the refcnt before > > > mapping the page to user space, we might need to ensure rx zero copy > > > is not the last user of the page or if it is the last user, make sure > > > it calls page_pool_put_full_page() too. > > > > Yes, but the skb->pp_recycle value is per skb, not per page. So my > > concern is that carrying around that value can be problematic as there > > are a number of possible cases where the pages might be > > unintentionally recycled. All it would take is for a packet to get > > cloned a few times and then somebody starts using pskb_expand_head and > > you would have multiple cases, possibly simultaneously, of entities > > trying to free the page. I just worry it opens us up to a number of > > possible races. > > Maybe I missde something, but I thought the cloned SKBs would never trigger > the recycling path, since they are protected by the atomic dataref check in > skb_release_data(). What am I missing? Are you talking about the head frag? So normally a clone wouldn't cause an issue because the head isn't changed. In the case of the head_frag we should be safe since pskb_expand_head will just kmalloc the new head and clears head_frag so it won't trigger page_pool_return_skb_page on the head_frag since the dataref just goes from 2 to 1. The problem is that pskb_expand_head memcopies the page frags over and takes a reference on the pages. At that point you would have two skbs both pointing to the same set of pages and each one ready to call page_pool_return_skb_page on the pages at any time and possibly racing with the other. I suspect if they both called it at roughly the same time one of them would trigger a NULL pointer dereference since they would both check pp_magic first, and then both set pp to NULL. If run on a system where dma_unmap_page_attrs takes a while it would be very likely to race since pp_magic doesn't get cleared until after the page is unmapped.