From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
To: netdev@vger.kernel.org
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>,
Alexander Duyck <alexander.h.duyck@linux.intel.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Alexander Lobakin <alobakin@pm.me>,
Jonathan Lemon <jonathan.lemon@gmail.com>,
Willem de Bruijn <willemb@google.com>,
Miaohe Lin <linmiaohe@huawei.com>,
Guillaume Nault <gnault@redhat.com>,
Cong Wang <cong.wang@bytedance.com>,
Jesper Dangaard Brouer <brouer@redhat.com>,
Matteo Croce <mcroce@microsoft.com>,
linux-kernel@vger.kernel.org
Subject: [PATCH] skbuff: Fix a potential race while recycling page_pool packets
Date: Thu, 8 Jul 2021 19:24:45 +0300 [thread overview]
Message-ID: <20210708162449.98764-1-ilias.apalodimas@linaro.org> (raw)
As Alexander points out, when we are trying to recycle a cloned/expanded
SKB we might trigger a race. The recycling code relies on the
pp_recycle bit to trigger, which we carry that over to cloned SKBs.
When that cloned SKB gets expanded, we are creating 2 separate instances
accessing the page frags. Since the skb_release_data() will first try to
recycle the frags, there's a potential race between the original and
cloned SKB.
Fix this by explicitly making the cloned/expanded SKB not recyclable.
If the original SKB is freed first the pages are released.
If it is released after the clone/expended skb then it can still be
recycled.
Fixes: 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling")
Reported-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---
net/core/skbuff.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 12aabcda6db2..0cb53c05ed76 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -1718,6 +1718,13 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
}
off = (data + nhead) - skb->head;
+ /* If it's a cloned skb we expand with frags attached we must prohibit
+ * the recycling code from running, otherwise we might trigger a race
+ * while trying to recycle the fragments from the original and cloned
+ * skb
+ */
+ if (skb_cloned(skb))
+ skb->pp_recycle = 0;
skb->head = data;
skb->head_frag = 0;
skb->data += off;
--
2.32.0.rc0
next reply other threads:[~2021-07-08 16:24 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-08 16:24 Ilias Apalodimas [this message]
2021-07-08 16:30 ` [PATCH] skbuff: Fix a potential race while recycling page_pool packets Ilias Apalodimas
2021-07-08 16:32 ` Alexander Duyck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210708162449.98764-1-ilias.apalodimas@linaro.org \
--to=ilias.apalodimas@linaro.org \
--cc=alexander.h.duyck@linux.intel.com \
--cc=alobakin@pm.me \
--cc=brouer@redhat.com \
--cc=cong.wang@bytedance.com \
--cc=davem@davemloft.net \
--cc=gnault@redhat.com \
--cc=jonathan.lemon@gmail.com \
--cc=kuba@kernel.org \
--cc=linmiaohe@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mcroce@microsoft.com \
--cc=netdev@vger.kernel.org \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.