lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 7 Feb 2022 10:54:40 +0800 From: Yunsheng Lin <linyunsheng@...wei.com> To: Jean-Philippe Brucker <jean-philippe@...aro.org> CC: <linuxarm@...neuler.org>, <ilias.apalodimas@...aro.org>, <salil.mehta@...wei.com>, <netdev@...r.kernel.org>, <moyufeng@...wei.com>, <alexanderduyck@...com>, <brouer@...hat.com>, <kuba@...nel.org> Subject: Re: [PATCH net-next v2 4/4] net: hns3: support skb's frag page recycling based on page pool On 2022/2/3 17:48, Jean-Philippe Brucker wrote: > On Sat, Jan 29, 2022 at 04:44:34PM +0800, Yunsheng Lin wrote: >>>> My initial thinking is to track if the reference counting or pp_frag_count of >>>> the page is manipulated correctly. >>> >>> It looks like pp_frag_count is dropped too many times: after (1), >>> pp_frag_count only has 1 ref, so (2) drops it to 0 and (3) results in >>> underflow. I turned page_pool_atomic_sub_frag_count_return() into >>> "atomic_long_sub_return(nr, &page->pp_frag_count)" to make sure (the >>> atomic_long_read() bit normally hides this). Wasn't entirely sure if this >>> is expected behavior, though. >> >> Are you true the above 1~3 step is happening for the same page? > > Yes they happen on the same page. What I did was save the backtrace of > each call to page_pool_atomic_sub_frag_count_return() and, when an > underflow error happens on a page, print out the history of that page > only. > > My report was not right, though, I forgot to save the backtrace for > pp_frag_count==0. There's actually two refs on the page. It goes like > this: > > (1) T-1535, drop BIAS_MAX - 2, pp_frag_count now 2 > page_pool_alloc_frag+0x128/0x240 > hns3_alloc_and_map_buffer+0x30/0x170 > hns3_nic_alloc_rx_buffers+0x9c/0x170 > hns3_clean_rx_ring+0x864/0x960 > hns3_nic_common_poll+0xa0/0x218 > __napi_poll+0x38/0x188 > net_rx_action+0xe8/0x248 > __do_softirq+0x120/0x284 > > (2) T-4, drop 1, pp_frag_count now 1 > page_pool_put_page+0x98/0x338 > page_pool_return_skb_page+0x48/0x60 > skb_release_data+0x170/0x190 > skb_release_all+0x28/0x38 > kfree_skb_reason+0x30/0x90 > packet_rcv+0x58/0x430 > __netif_receive_skb_list_core+0x1f4/0x218 > netif_receive_skb_list_internal+0x18c/0x2a8 > > (3) T-1, drop 1, pp_frag_count now 0 > page_pool_put_page+0x98/0x338 > page_pool_return_skb_page+0x48/0x60 > skb_release_data+0x170/0x190 > skb_release_all+0x28/0x38 > __kfree_skb+0x18/0x30 > __sk_defer_free_flush+0x44/0x58 > tcp_recvmsg+0x94/0x1b8 > inet_recvmsg+0x50/0x128 > > (4) T, drop 1, pp_frag_count now -1 (underflow) > page_pool_put_page+0x2d0/0x338 > hns3_clean_rx_ring+0x74c/0x960 > hns3_nic_common_poll+0xa0/0x218 > __napi_poll+0x38/0x188 > net_rx_action+0xe8/0x248 > >> If it is the same page, there must be something wrong here. >> >> Normally there are 1024 BD for a rx ring: >> >> BD_0 BD_1 BD_2 BD_3 BD_4 .... BD_1020 BD_1021 BD_1022 BD_1023 >> ^ ^ >> head tail >> >> Suppose head is manipulated by driver, and tail is manipulated by >> hw. >> >> driver allocates buffer for BD pointed by head, as the frag page >> recycling is introduced in this patch, the BD_0 and BD_1's buffer >> may point to the same pageļ¼4K page size, and each BD only need >> 2k Buffer. >> hw dma the data to the buffer pointed by tail when packet is received. >> >> so step 1 Normally happen for the BD pointed by head, >> and step 2 & 3 Normally happen for the BD pointed by tail. >> And Normally there are at least (1024 - RCB_NOF_ALLOC_RX_BUFF_ONCE) BD >> between head and tail, so it is unlikely that head and tail's BD buffer >> points to the same page. > > I think a new page is allocated at step 1, no? The driver calls > page_pool_alloc_frag() when refilling the rx ring, and since the current > pool->frag_page (P1) is still used by BD_0 and BD_1, then > page_pool_drain_frag() drops (BIAS_MAX - 2) references and > page_pool_alloc_frag() replaces frag_page with a new page, P2. Later, head > points to BD_1, the driver can drop the remaining 2 references to P1 in > steps 2 and 3, and P1 can be unmapped and freed/recycled Yes. For most of the case, there should be two steps of the 2/3/4 steps, when there is extra step in the above calltrace, it may mean the page_count() is 2 instead of 1, if that is the case, __skb_frag_ref() may be called for a page from page pool((page->pp_magic & ~0x3UL) == PP_SIGNATURE)), which is not supposed to happen. > > What I don't get is which of steps 2, 3 and 4 is the wrong one. Could be > 2 or 3 because the device is evidently still doing DMA to the page after > it's released, but it could also be that the driver doesn't properly clear > the BD in which case step 4 is wrong. I'll try to find out which fragment > gets dropped twice. When there are more than two steps for the freeing side, the only case I know about the skb cloning and expanding case, which is fixed by the below commit: 2cc3aeb5eccc (skbuff: Fix a potential race while recycling page_pool packets) Maybe there are other case we missed? > > Thanks, > Jean > > . >
Powered by blists - more mailing lists