lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20250625012432.GA74285@system.software.com>
Date: Wed, 25 Jun 2025 10:24:32 +0900
From: Byungchul Park <byungchul@...com>
To: David Hildenbrand <david@...hat.com>
Cc: Toke Høiland-Jørgensen <toke@...hat.com>,
	Zi Yan <ziy@...dia.com>, willy@...radead.org,
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux-mm@...ck.org, kernel_team@...ynix.com, kuba@...nel.org,
	almasrymina@...gle.com, ilias.apalodimas@...aro.org,
	harry.yoo@...cle.com, hawk@...nel.org, akpm@...ux-foundation.org,
	davem@...emloft.net, john.fastabend@...il.com,
	andrew+netdev@...n.ch, asml.silence@...il.com, tariqt@...dia.com,
	edumazet@...gle.com, pabeni@...hat.com, saeedm@...dia.com,
	leon@...nel.org, ast@...nel.org, daniel@...earbox.net,
	lorenzo.stoakes@...cle.com, Liam.Howlett@...cle.com, vbabka@...e.cz,
	rppt@...nel.org, surenb@...gle.com, mhocko@...e.com,
	horms@...nel.org, linux-rdma@...r.kernel.org, bpf@...r.kernel.org,
	vishal.moola@...il.com, hannes@...xchg.org, jackmanb@...gle.com,
	"jesper@...udflare.com" <jesper@...udflare.com>
Subject: Re: [PATCH net-next v6 9/9] page_pool: access ->pp_magic through
 struct netmem_desc in page_pool_page_is_pp()

On Tue, Jun 24, 2025 at 04:56:32PM +0200, David Hildenbrand wrote:
> 
> On 24.06.25 16:43, Toke Høiland-Jørgensen wrote:
> > Zi Yan <ziy@...dia.com> writes:
> > 
> > > On 23 Jun 2025, at 10:58, David Hildenbrand wrote:
> > > 
> > > > On 23.06.25 13:13, Zi Yan wrote:
> > > > > On 23 Jun 2025, at 6:16, Byungchul Park wrote:
> > > > > 
> > > > > > On Mon, Jun 23, 2025 at 11:16:43AM +0200, David Hildenbrand wrote:
> > > > > > > On 20.06.25 06:12, Byungchul Park wrote:
> > > > > > > > To simplify struct page, the effort to separate its own descriptor from
> > > > > > > > struct page is required and the work for page pool is on going.
> > > > > > > > 
> > > > > > > > To achieve that, all the code should avoid directly accessing page pool
> > > > > > > > members of struct page.
> > > > > > > > 
> > > > > > > > Access ->pp_magic through struct netmem_desc instead of directly
> > > > > > > > accessing it through struct page in page_pool_page_is_pp().  Plus, move
> > > > > > > > page_pool_page_is_pp() from mm.h to netmem.h to use struct netmem_desc
> > > > > > > > without header dependency issue.
> > > > > > > > 
> > > > > > > > Signed-off-by: Byungchul Park <byungchul@...com>
> > > > > > > > Reviewed-by: Toke Høiland-Jørgensen <toke@...hat.com>
> > > > > > > > Reviewed-by: Mina Almasry <almasrymina@...gle.com>
> > > > > > > > Reviewed-by: Pavel Begunkov <asml.silence@...il.com>
> > > > > > > > Reviewed-by: Vlastimil Babka <vbabka@...e.cz>
> > > > > > > > Acked-by: Harry Yoo <harry.yoo@...cle.com>
> > > > > > > > ---
> > > > > > > >     include/linux/mm.h   | 12 ------------
> > > > > > > >     include/net/netmem.h | 14 ++++++++++++++
> > > > > > > >     mm/page_alloc.c      |  1 +
> > > > > > > >     3 files changed, 15 insertions(+), 12 deletions(-)
> > > > > > > > 
> > > > > > > > diff --git a/include/linux/mm.h b/include/linux/mm.h
> > > > > > > > index 0ef2ba0c667a..0b7f7f998085 100644
> > > > > > > > --- a/include/linux/mm.h
> > > > > > > > +++ b/include/linux/mm.h
> > > > > > > > @@ -4172,16 +4172,4 @@ int arch_lock_shadow_stack_status(struct task_struct *t, unsigned long status);
> > > > > > > >      */
> > > > > > > >     #define PP_MAGIC_MASK ~(PP_DMA_INDEX_MASK | 0x3UL)
> > > > > > > > 
> > > > > > > > -#ifdef CONFIG_PAGE_POOL
> > > > > > > > -static inline bool page_pool_page_is_pp(struct page *page)
> > > > > > > > -{
> > > > > > > > -     return (page->pp_magic & PP_MAGIC_MASK) == PP_SIGNATURE;
> > > > > > > > -}
> > > > > > > > -#else
> > > > > > > > -static inline bool page_pool_page_is_pp(struct page *page)
> > > > > > > > -{
> > > > > > > > -     return false;
> > > > > > > > -}
> > > > > > > > -#endif
> > > > > > > > -
> > > > > > > >     #endif /* _LINUX_MM_H */
> > > > > > > > diff --git a/include/net/netmem.h b/include/net/netmem.h
> > > > > > > > index d49ed49d250b..3d1b1dfc9ba5 100644
> > > > > > > > --- a/include/net/netmem.h
> > > > > > > > +++ b/include/net/netmem.h
> > > > > > > > @@ -56,6 +56,20 @@ NETMEM_DESC_ASSERT_OFFSET(pp_ref_count, pp_ref_count);
> > > > > > > >      */
> > > > > > > >     static_assert(sizeof(struct netmem_desc) <= offsetof(struct page, _refcount));
> > > > > > > > 
> > > > > > > > +#ifdef CONFIG_PAGE_POOL
> > > > > > > > +static inline bool page_pool_page_is_pp(struct page *page)
> > > > > > > > +{
> > > > > > > > +     struct netmem_desc *desc = (struct netmem_desc *)page;
> > > > > > > > +
> > > > > > > > +     return (desc->pp_magic & PP_MAGIC_MASK) == PP_SIGNATURE;
> > > > > > > > +}
> > > > > > > > +#else
> > > > > > > > +static inline bool page_pool_page_is_pp(struct page *page)
> > > > > > > > +{
> > > > > > > > +     return false;
> > > > > > > > +}
> > > > > > > > +#endif
> > > > > > > 
> > > > > > > I wonder how helpful this cleanup is long-term.
> > > > > > > 
> > > > > > > page_pool_page_is_pp() is only called from mm/page_alloc.c, right?
> > > > > > 
> > > > > > Yes.
> > > > > > 
> > > > > > > There, we want to make sure that no pagepool page is ever returned to
> > > > > > > the buddy.
> > > > > > > 
> > > > > > > How reasonable is this sanity check to have long-term? Wouldn't we be
> > > > > > > able to check that on some higher-level freeing path?
> > > > > > > 
> > > > > > > The reason I am commenting is that once we decouple "struct page" from
> > > > > > > "struct netmem_desc", we'd have to lookup here the corresponding "struct
> > > > > > > netmem_desc".
> > > > > > > 
> > > > > > > ... but at that point here (when we free the actual pages), the "struct
> > > > > > > netmem_desc" would likely already have been freed separately (remember:
> > > > > > > it will be dynamically allocated).
> > > > > > > 
> > > > > > > With that in mind:
> > > > > > > 
> > > > > > > 1) Is there a higher level "struct netmem_desc" freeing path where we
> > > > > > > could check that instead, so we don't have to cast from pages to
> > > > > > > netmem_desc at all.
> > > > > > 
> > > > > > I also thought it's too paranoiac.  However, I thought it's other issue
> > > > > > than this work.  That's why I left the API as is for now, it can be gone
> > > > > > once we get convinced the check is unnecessary in deep buddy.  Wrong?
> > > > > > 
> > > > > > > 2) How valuable are these sanity checks deep in the buddy?
> > > > > > 
> > > > > > That was also what I felt weird on.
> > > > > 
> > > > > It seems very useful when I asked last time[1]:
> > > > > 
> > > > > |> We have actually used this at Cloudflare to catch some page_pool bugs.
> > > > 
> > > > My question is rather, whether there is some higher-level freeing path for netmem_desc where we could check that instead (IOW, earlier).
> > > > 
> > > > Or is it really arbitrary put_page() (IOW, we assume that many possible references can be held)?
> > > 
> > > +Toke, who I talked about this last time.
> > > 
> > > Maybe he can shed some light on it.
> > 
> > As others have pointed out, basically, AFAIU: Yes, pages are *supposed*
> > to go through a common freeing path where this check could reside, but
> > we've had bugs where they ended up leaking anyway, which is why this
> > check in MM was added in the first place.
> 
> Okay, thanks. If we could be using a page type instead to catch such
> leaks to the page allocator, we could implement it without any such
> pp-specific checks.
> 
> page types are stored in page->page_type and overlay page->_mapcount
> right now.
> 
> Looking at "struct netmem_desc", page->_mapcount should not be overlayed
> (good!).
> 
> 
> So, you could be setting the type when creating a "struct netmem_desc"
> page, and clearing the type when about to free the page. In the buddy,
> you can then check without any casts from page to whatever else if the
> type is still unexpectedly set. If still set, you know that there is
> unexpected freeing.

Yeah, this is what we all were looking forward to.  However, I decided
to use the pp field for the checking since it's not ready for now.

So.. Is the current approach okay *for now*, even though the approach
should be updated once the type can be checked inside mm later?

Or do you want me to wait for it to be ready before this netmem work to
remove the pp fields from struct page?

	Byungchul
> 
> I'll note that page types will be a building blocks of memdescs, to
> descibe "what we are pointing at". See
> 
> https://kernelnewbies.org/MatthewWilcox/Memdescs
> 
> Willy already planned for a "Bump" type; I assume this would now be
> "NMDesc" or sth like that IIUC.
> 
> --
> Cheers,
> 
> David / dhildenb

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ