Re: [PATCH] skbuff: Fix a potential race while recycling page_pool packets

From: Alexander Duyck <alexander.duyck@gmail.com>
To: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Networking <netdev@vger.kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	Alexander Lobakin <alobakin@pm.me>,
	Jonathan Lemon <jonathan.lemon@gmail.com>,
	Willem de Bruijn <willemb@google.com>,
	Miaohe Lin <linmiaohe@huawei.com>,
	Guillaume Nault <gnault@redhat.com>,
	Cong Wang <cong.wang@bytedance.com>,
	Jesper Dangaard Brouer <brouer@redhat.com>,
	Matteo Croce <mcroce@microsoft.com>,
	open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] skbuff: Fix a potential race while recycling page_pool packets
Date: Thu, 8 Jul 2021 09:32:41 -0700	[thread overview]
Message-ID: <CAKgT0Ue5De_iG4SBTm-DxzZir-2UfXpq7CohayNtWXqh=0Qq=Q@mail.gmail.com> (raw)
In-Reply-To: <CAC_iWjLsd-hJs1gk3CknJFXb2H4aAeEUUUskzPEugeRHjRuWLg@mail.gmail.com>

On Thu, Jul 8, 2021 at 9:31 AM Ilias Apalodimas
<ilias.apalodimas@linaro.org> wrote:
>
> +cc Alexander on his gmail address since the Intel one bounced.
>
> Alexander want me to respin it with you gmail address on the Reported-by?
>
> Sorry for the noise
> /Ilias
>
> On Thu, 8 Jul 2021 at 19:24, Ilias Apalodimas
> <ilias.apalodimas@linaro.org> wrote:
> >
> > As Alexander points out, when we are trying to recycle a cloned/expanded
> > SKB we might trigger a race.  The recycling code relies on the
> > pp_recycle bit to trigger,  which we carry that over to cloned SKBs.
> > When that cloned SKB gets expanded,  we are creating 2 separate instances
> > accessing the page frags.  Since the skb_release_data() will first try to
> > recycle the frags,  there's a potential race between the original and
> > cloned SKB.
> >
> > Fix this by explicitly making the cloned/expanded SKB not recyclable.
> > If the original SKB is freed first the pages are released.
> > If it is released after the clone/expended skb then it can still be
> > recycled.
> >
> > Fixes: 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling")
> > Reported-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
> > Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> > ---
> >  net/core/skbuff.c | 7 +++++++
> >  1 file changed, 7 insertions(+)
> >
> > diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> > index 12aabcda6db2..0cb53c05ed76 100644
> > --- a/net/core/skbuff.c
> > +++ b/net/core/skbuff.c
> > @@ -1718,6 +1718,13 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
> >         }
> >         off = (data + nhead) - skb->head;
> >
> > +       /* If it's a cloned skb we expand with frags attached we must prohibit
> > +        * the recycling code from running, otherwise we might trigger a race
> > +        * while trying to recycle the fragments from the original and cloned
> > +        * skb
> > +        */
> > +       if (skb_cloned(skb))
> > +               skb->pp_recycle = 0;
> >         skb->head     = data;
> >         skb->head_frag = 0;
> >         skb->data    += off;

Yeah, I would recommend a respin.

Also I would move this line up to the skb_cloned block just a few
lines before this spot just to avoid a second check.