lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <35886d135459121fdf1e7cdec9d0f18801d99ddb.camel@nvidia.com>
Date: Wed, 1 May 2024 07:58:03 +0000
From: Dragos Tatulea <dtatulea@...dia.com>
To: "almasrymina@...gle.com" <almasrymina@...gle.com>
CC: "davem@...emloft.net" <davem@...emloft.net>, "ilias.apalodimas@...aro.org"
	<ilias.apalodimas@...aro.org>, "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>, "jacob.e.keller@...el.com"
	<jacob.e.keller@...el.com>, "netdev@...r.kernel.org"
	<netdev@...r.kernel.org>, Jianbo Liu <jianbol@...dia.com>,
	"pabeni@...hat.com" <pabeni@...hat.com>, "edumazet@...gle.com"
	<edumazet@...gle.com>, "kuba@...nel.org" <kuba@...nel.org>
Subject: Re: [RFC PATCH] net: Fix one page_pool page leak from skb_frag_unref

On Wed, 2024-05-01 at 00:48 -0700, Mina Almasry wrote:
> On Tue, Apr 30, 2024 at 11:20 PM Dragos Tatulea <dtatulea@...dia.com> wrote:
> > 
> > On Mon, 2024-04-29 at 09:39 +0200, Dragos Tatulea wrote:
> > > On Fri, 2024-04-26 at 16:05 -0700, Jakub Kicinski wrote:
> > > > On Thu, 25 Apr 2024 08:17:28 +0000 Dragos Tatulea wrote:
> > > > > >  The unref path always dropped a regular page
> > > > > > ref, thanks to this commit as you point out:
> > > > > > 
> > > > > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2cc3aeb5ecccec0d266813172fcd82b4b5fa5803
> > > > > > 
> > > > > > AFAICT the correct fix is to actually revert commit 2cc3aeb5eccc
> > > > > > ("skbuff: Fix a potential race while recycling page_pool packets").
> > > > > > The reason is that now that skb_frag_ref() can grab page-pool refs, we
> > > > > > don't need to make sure there is only 1 SKB that triggers the recycle
> > > > > > path anymore. All the skb and its clones can obtain page-pool refs,
> > > > > > and in the unref path we drop the page-pool refs. page_pool_put_page()
> > > > > > detects correctly that the last page-pool ref is put and recycles the
> > > > > > page only then.
> > > > > > 
> > > > > I don't think this is a good way forward. For example, skb->pp_recycle is used
> > > > > as a hint in skb_gro_receive to avoid coalescing skbs with different pp_recycle
> > > > > flag states. This could interfere with that.
> > > > 
> > > > That's a bit speculative, right? The simple invariant we are trying to
> > > > hold is that if skb->pp_recycle && skb_frag_is_pp(skb, i) then the
> > > > reference skb is holding on that frag is a pp reference, not page
> > > > reference.
> > > > 
> > > Yes, it was a speculative statement. After re-reading it and the code of
> > > skb_gro_receive() it makes less sense now.
> > > 
> > > Mina's suggestion to revert commit 2cc3aeb5eccc ("skbuff: Fix a potential race
> > > while recycling page_pool packets") seems less scary now. I just hope we don't
> > > bump into too many scenarios similar to the ipsec one...
> > > 
> > > > skb_gro_receive() needs to maintain that invariant, if it doesn't
> > > > we need to fix it..
> > > > 
> > > 
> > Gentle ping. Not sure how to proceed with this:
> > 
> > 1) Revert commit 2cc3aeb5eccc
> > ("skbuff: Fix a potential race while recycling page_pool packets"). I tested
> > this btw and it works (for this specific scenario).
> > 
> > 2) Revert Mina's commit a580ea994fd3 ("net: mirror skb frag ref/unref helpers")
> > for now.
> > 
> 
> I vote for #1, and IIUC Jakub's feedback, he seems to prefer this as
> well. If we continue to run into edge cases after the revert of #1, I
> think we may want to do #2 and I can look to reland it with the kunit
> tests that Jakub suggested that reproduce these edge cases.
> 
> I can upload #1 in the morning if there are no objections. I don't see
> any regressions with #1 but I was never able to repo this issue.
> 
Yes please. And once you post it we can also take it internally to check all the
other tests that were failing in the same place.

Thanks,
Dragos

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ