lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 7 Feb 2022 10:54:40 +0800
From:   Yunsheng Lin <linyunsheng@...wei.com>
To:     Jean-Philippe Brucker <jean-philippe@...aro.org>
CC:     <linuxarm@...neuler.org>, <ilias.apalodimas@...aro.org>,
        <salil.mehta@...wei.com>, <netdev@...r.kernel.org>,
        <moyufeng@...wei.com>, <alexanderduyck@...com>,
        <brouer@...hat.com>, <kuba@...nel.org>
Subject: Re: [PATCH net-next v2 4/4] net: hns3: support skb's frag page
 recycling based on page pool

On 2022/2/3 17:48, Jean-Philippe Brucker wrote:
> On Sat, Jan 29, 2022 at 04:44:34PM +0800, Yunsheng Lin wrote:
>>>> My initial thinking is to track if the reference counting or pp_frag_count of
>>>> the page is manipulated correctly.
>>>
>>> It looks like pp_frag_count is dropped too many times: after (1),
>>> pp_frag_count only has 1 ref, so (2) drops it to 0 and (3) results in
>>> underflow. I turned page_pool_atomic_sub_frag_count_return() into
>>> "atomic_long_sub_return(nr, &page->pp_frag_count)" to make sure (the
>>> atomic_long_read() bit normally hides this). Wasn't entirely sure if this
>>> is expected behavior, though.
>>
>> Are you true the above 1~3 step is happening for the same page?
> 
> Yes they happen on the same page. What I did was save the backtrace of
> each call to page_pool_atomic_sub_frag_count_return() and, when an
> underflow error happens on a page, print out the history of that page
> only.
> 
> My report was not right, though, I forgot to save the backtrace for
> pp_frag_count==0. There's actually two refs on the page. It goes like
> this:
> 
>   (1) T-1535, drop BIAS_MAX - 2, pp_frag_count now 2
>      page_pool_alloc_frag+0x128/0x240
>      hns3_alloc_and_map_buffer+0x30/0x170
>      hns3_nic_alloc_rx_buffers+0x9c/0x170
>      hns3_clean_rx_ring+0x864/0x960
>      hns3_nic_common_poll+0xa0/0x218
>      __napi_poll+0x38/0x188
>      net_rx_action+0xe8/0x248
>      __do_softirq+0x120/0x284
> 
>   (2) T-4, drop 1, pp_frag_count now 1
>      page_pool_put_page+0x98/0x338
>      page_pool_return_skb_page+0x48/0x60
>      skb_release_data+0x170/0x190
>      skb_release_all+0x28/0x38
>      kfree_skb_reason+0x30/0x90
>      packet_rcv+0x58/0x430
>      __netif_receive_skb_list_core+0x1f4/0x218
>      netif_receive_skb_list_internal+0x18c/0x2a8
>   
>   (3) T-1, drop 1, pp_frag_count now 0
>      page_pool_put_page+0x98/0x338
>      page_pool_return_skb_page+0x48/0x60
>      skb_release_data+0x170/0x190
>      skb_release_all+0x28/0x38
>      __kfree_skb+0x18/0x30
>      __sk_defer_free_flush+0x44/0x58
>      tcp_recvmsg+0x94/0x1b8
>      inet_recvmsg+0x50/0x128
>   
>   (4) T, drop 1, pp_frag_count now -1 (underflow)
>      page_pool_put_page+0x2d0/0x338
>      hns3_clean_rx_ring+0x74c/0x960
>      hns3_nic_common_poll+0xa0/0x218
>      __napi_poll+0x38/0x188
>      net_rx_action+0xe8/0x248
> 
>> If it is the same page, there must be something wrong here.
>>
>> Normally there are 1024 BD for a rx ring:
>>
>> BD_0 BD_1 BD_2 BD_3 BD_4 .... BD_1020 BD_1021  BD_1022  BD_1023
>>            ^         ^
>>          head       tail
>>
>> Suppose head is manipulated by driver, and tail is manipulated by
>> hw.
>>
>> driver allocates buffer for BD pointed by head, as the frag page
>> recycling is introduced in this patch, the BD_0 and BD_1's buffer
>> may point to the same pageļ¼ˆ4K page size, and each BD only need
>> 2k Buffer.
>> hw dma the data to the buffer pointed by tail when packet is received.
>>
>> so step 1 Normally happen for the BD pointed by head,
>> and step 2 & 3 Normally happen for the BD pointed by tail.
>> And Normally there are at least (1024 - RCB_NOF_ALLOC_RX_BUFF_ONCE) BD
>> between head and tail, so it is unlikely that head and tail's BD buffer
>> points to the same page.
> 
> I think a new page is allocated at step 1, no?  The driver calls
> page_pool_alloc_frag() when refilling the rx ring, and since the current
> pool->frag_page (P1) is still used by BD_0 and BD_1, then
> page_pool_drain_frag() drops (BIAS_MAX - 2) references and
> page_pool_alloc_frag() replaces frag_page with a new page, P2. Later, head
> points to BD_1, the driver can drop the remaining 2 references to P1 in
> steps 2 and 3, and P1 can be unmapped and freed/recycled

Yes.
For most of the case, there should be two steps of the 2/3/4 steps, when
there is extra step in the above calltrace, it may mean the page_count()
is 2 instead of 1, if that is the case, __skb_frag_ref() may be called
for a page from page pool((page->pp_magic & ~0x3UL) == PP_SIGNATURE)),
which is not supposed to happen.

> 
> What I don't get is which of steps 2, 3 and 4 is the wrong one. Could be
> 2 or 3 because the device is evidently still doing DMA to the page after
> it's released, but it could also be that the driver doesn't properly clear
> the BD in which case step 4 is wrong. I'll try to find out which fragment
> gets dropped twice.

When there are more than two steps for the freeing side, the only case I know
about the skb cloning and expanding case, which is fixed by the below commit:
2cc3aeb5eccc (skbuff: Fix a potential race while recycling page_pool packets)

Maybe there are other case we missed?


> 
> Thanks,
> Jean
> 
> .
> 

Powered by blists - more mailing lists