Message ID | 20210708162449.98764-1-ilias.apalodimas@linaro.org |
---|---|
State | New |
Headers | show |
Series | skbuff: Fix a potential race while recycling page_pool packets | expand |
+cc Alexander on his gmail address since the Intel one bounced. Alexander want me to respin it with you gmail address on the Reported-by? Sorry for the noise /Ilias On Thu, 8 Jul 2021 at 19:24, Ilias Apalodimas <ilias.apalodimas@linaro.org> wrote: > > As Alexander points out, when we are trying to recycle a cloned/expanded > SKB we might trigger a race. The recycling code relies on the > pp_recycle bit to trigger, which we carry that over to cloned SKBs. > When that cloned SKB gets expanded, we are creating 2 separate instances > accessing the page frags. Since the skb_release_data() will first try to > recycle the frags, there's a potential race between the original and > cloned SKB. > > Fix this by explicitly making the cloned/expanded SKB not recyclable. > If the original SKB is freed first the pages are released. > If it is released after the clone/expended skb then it can still be > recycled. > > Fixes: 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling") > Reported-by: Alexander Duyck <alexander.h.duyck@linux.intel.com> > Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> > --- > net/core/skbuff.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/net/core/skbuff.c b/net/core/skbuff.c > index 12aabcda6db2..0cb53c05ed76 100644 > --- a/net/core/skbuff.c > +++ b/net/core/skbuff.c > @@ -1718,6 +1718,13 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail, > } > off = (data + nhead) - skb->head; > > + /* If it's a cloned skb we expand with frags attached we must prohibit > + * the recycling code from running, otherwise we might trigger a race > + * while trying to recycle the fragments from the original and cloned > + * skb > + */ > + if (skb_cloned(skb)) > + skb->pp_recycle = 0; > skb->head = data; > skb->head_frag = 0; > skb->data += off; > -- > 2.32.0.rc0 >
On Thu, Jul 8, 2021 at 9:31 AM Ilias Apalodimas <ilias.apalodimas@linaro.org> wrote: > > +cc Alexander on his gmail address since the Intel one bounced. > > Alexander want me to respin it with you gmail address on the Reported-by? > > Sorry for the noise > /Ilias > > On Thu, 8 Jul 2021 at 19:24, Ilias Apalodimas > <ilias.apalodimas@linaro.org> wrote: > > > > As Alexander points out, when we are trying to recycle a cloned/expanded > > SKB we might trigger a race. The recycling code relies on the > > pp_recycle bit to trigger, which we carry that over to cloned SKBs. > > When that cloned SKB gets expanded, we are creating 2 separate instances > > accessing the page frags. Since the skb_release_data() will first try to > > recycle the frags, there's a potential race between the original and > > cloned SKB. > > > > Fix this by explicitly making the cloned/expanded SKB not recyclable. > > If the original SKB is freed first the pages are released. > > If it is released after the clone/expended skb then it can still be > > recycled. > > > > Fixes: 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling") > > Reported-by: Alexander Duyck <alexander.h.duyck@linux.intel.com> > > Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> > > --- > > net/core/skbuff.c | 7 +++++++ > > 1 file changed, 7 insertions(+) > > > > diff --git a/net/core/skbuff.c b/net/core/skbuff.c > > index 12aabcda6db2..0cb53c05ed76 100644 > > --- a/net/core/skbuff.c > > +++ b/net/core/skbuff.c > > @@ -1718,6 +1718,13 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail, > > } > > off = (data + nhead) - skb->head; > > > > + /* If it's a cloned skb we expand with frags attached we must prohibit > > + * the recycling code from running, otherwise we might trigger a race > > + * while trying to recycle the fragments from the original and cloned > > + * skb > > + */ > > + if (skb_cloned(skb)) > > + skb->pp_recycle = 0; > > skb->head = data; > > skb->head_frag = 0; > > skb->data += off; Yeah, I would recommend a respin. Also I would move this line up to the skb_cloned block just a few lines before this spot just to avoid a second check.
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 12aabcda6db2..0cb53c05ed76 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -1718,6 +1718,13 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail, } off = (data + nhead) - skb->head; + /* If it's a cloned skb we expand with frags attached we must prohibit + * the recycling code from running, otherwise we might trigger a race + * while trying to recycle the fragments from the original and cloned + * skb + */ + if (skb_cloned(skb)) + skb->pp_recycle = 0; skb->head = data; skb->head_frag = 0; skb->data += off;
As Alexander points out, when we are trying to recycle a cloned/expanded SKB we might trigger a race. The recycling code relies on the pp_recycle bit to trigger, which we carry that over to cloned SKBs. When that cloned SKB gets expanded, we are creating 2 separate instances accessing the page frags. Since the skb_release_data() will first try to recycle the frags, there's a potential race between the original and cloned SKB. Fix this by explicitly making the cloned/expanded SKB not recyclable. If the original SKB is freed first the pages are released. If it is released after the clone/expended skb then it can still be recycled. Fixes: 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling") Reported-by: Alexander Duyck <alexander.h.duyck@linux.intel.com> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> --- net/core/skbuff.c | 7 +++++++ 1 file changed, 7 insertions(+) -- 2.32.0.rc0