From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 32836C3600B
	for <linux-mm@archiver.kernel.org>; Thu, 27 Mar 2025 19:48:09 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 3BC3E280119; Thu, 27 Mar 2025 15:48:07 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 36BCC280117; Thu, 27 Mar 2025 15:48:07 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 2341B280119; Thu, 27 Mar 2025 15:48:07 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0011.hostedemail.com [216.40.44.11])
	by kanga.kvack.org (Postfix) with ESMTP id EADDF280117
	for <linux-mm@kvack.org>; Thu, 27 Mar 2025 15:48:06 -0400 (EDT)
Received: from smtpin24.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay04.hostedemail.com (Postfix) with ESMTP id 07FF21A1591
	for <linux-mm@kvack.org>; Thu, 27 Mar 2025 19:48:08 +0000 (UTC)
X-FDA: 83268367056.24.CCB4395
Received: from tor.source.kernel.org (tor.source.kernel.org [172.105.4.254])
	by imf28.hostedemail.com (Postfix) with ESMTP id 7115EC000C
	for <linux-mm@kvack.org>; Thu, 27 Mar 2025 19:48:06 +0000 (UTC)
Authentication-Results: imf28.hostedemail.com;
	dkim=pass header.d=kernel.org header.s=k20201202 header.b=RyWbkIkQ;
	spf=pass (imf28.hostedemail.com: domain of kuba@kernel.org designates 172.105.4.254 as permitted sender) smtp.mailfrom=kuba@kernel.org;
	dmarc=pass (policy=quarantine) header.from=kernel.org
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1743104886;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=KeDfmQn3wwH3Qv7r++pe2LgVO/7WEI7UYX1TodPPRLo=;
	b=1SOx7fFot+AGJe5DNLgLJ0agzyxYwz3ZzBODGeUGTafCHOmiTKdAMdjbctHQeXWOPP4x74
	yLiwcfEft5DShZrjP8QP0F0wGAHktHUwGfnQfxIzaDYSfVKh5zpNbZaHNZp1M/Fvzd5LaE
	rYmVUok9S0CrLhzCXBuaGYgdfzvThJw=
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1743104886; a=rsa-sha256;
	cv=none;
	b=7D63NjN9RNnXuVtaR5WtErcNZsubpoPCuDdQYZsdar3txC3aPfWVUZsrCnhjqAXdP8InqT
	yF6aE1oHehMu1BADDE9rIjn3hxua62osFQQ+D0AXTB8JXk12y9bzfe7cdc+Lt160a8mgNn
	zVbhb4lgvy4KNWfschCljtVl6799T18=
ARC-Authentication-Results: i=1;
	imf28.hostedemail.com;
	dkim=pass header.d=kernel.org header.s=k20201202 header.b=RyWbkIkQ;
	spf=pass (imf28.hostedemail.com: domain of kuba@kernel.org designates 172.105.4.254 as permitted sender) smtp.mailfrom=kuba@kernel.org;
	dmarc=pass (policy=quarantine) header.from=kernel.org
Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58])
	by tor.source.kernel.org (Postfix) with ESMTP id 7FD9D6112D;
	Thu, 27 Mar 2025 19:48:00 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5C2F3C4CEDD;
	Thu, 27 Mar 2025 19:48:04 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1743104885;
	bh=28kjruSiqh684ht2B0qQ4T/a+5Cnx5UQ0hJSQyVknzo=;
	h=Date:From:To:Cc:Subject:In-Reply-To:References:From;
	b=RyWbkIkQM8RAwAVFK4RbHDFEFMQsIbJPevb078oNZnIDEFifYjCkVsMDthJoXENhG
	 Opy3YFKZkoYtJGbr0DEs7XXQ1ZnlTSLc4pXES9XfrvR6xBYhMj6ANtWiTKVGrCrXv3
	 +I2eMGatCcfqurRShuyqkSvznsejJpOLdHNSgTa5qrqhMBI9Qw1LATVpkhZhbY2mZc
	 QemRCXM2nASmYcGxOlNUTnWAnBgKWmnOT8IMEC4/JMaXjKRBnUc8bvDcNN5W6alfLE
	 O9g6IqlNTcpyihbkFYUKXpXhEnI3f3FYGnImCZI3gNMIHS1SFk5SMRMbANvfsHx6CP
	 /Yk82fFB0z1yA==
Date: Thu, 27 Mar 2025 12:48:03 -0700
From: Jakub Kicinski <kuba@kernel.org>
To: Toke =?UTF-8?B?SMO4aWxhbmQtSsO4cmdlbnNlbg==?= <toke@redhat.com>
Cc: "David S. Miller" <davem@davemloft.net>, Jesper Dangaard Brouer
 <hawk@kernel.org>, Saeed Mahameed <saeedm@nvidia.com>, Leon Romanovsky
 <leon@kernel.org>, Tariq Toukan <tariqt@nvidia.com>, Andrew Lunn
 <andrew+netdev@lunn.ch>, Eric Dumazet <edumazet@google.com>, Paolo Abeni
 <pabeni@redhat.com>, Ilias Apalodimas <ilias.apalodimas@linaro.org>, Simon
 Horman <horms@kernel.org>, Andrew Morton <akpm@linux-foundation.org>, Mina
 Almasry <almasrymina@google.com>, Yonglong Liu <liuyonglong@huawei.com>,
 Yunsheng Lin <linyunsheng@huawei.com>, Pavel Begunkov
 <asml.silence@gmail.com>, Matthew Wilcox <willy@infradead.org>,
 netdev@vger.kernel.org, bpf@vger.kernel.org, linux-rdma@vger.kernel.org,
 linux-mm@kvack.org, Qiuling Ren <qren@redhat.com>, Yuying Ma
 <yuma@redhat.com>
Subject: Re: [PATCH net-next v4 0/3] Fix late DMA unmap crash for page pool
Message-ID: <20250327124803.41feffed@kernel.org>
In-Reply-To: <20250327-page-pool-track-dma-v4-0-b380dc6706d0@redhat.com>
References: <20250327-page-pool-track-dma-v4-0-b380dc6706d0@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Stat-Signature: jgd5w7pwjnhrqaad3gxzwrqof1zm8mdd
X-Rspam-User: 
X-Rspamd-Queue-Id: 7115EC000C
X-Rspamd-Server: rspam08
X-HE-Tag: 1743104886-271124
X-HE-Meta: U2FsdGVkX1/Rb5XErqxbyNu2FBbb75t7tAb2F1NlOAfTweoIdeJH2+Ptw5aEv13UN/Tc89EFahrjKVGL6H6pAefMm7Wj5nbFVI03UzSP+H29vHnEPy4SJB5/9dMpjp+WD0ebudBUarHIqyZRrp4uqgIMGjL9IKTK1FmYvF69LOESgL7MU/xOJKQjcUbfFwesYiB/PUqdDITa5upxf0iZXyi26VlVB9IXDiPHxGJE9yKagpjWH88MPeBntEBpw84l3j/IN+/jN8ZExqPEQ0eNFRW/c8hsSZJGEjrwNO3EMBruGo4vZktI3aYfOfsBMTvF3jnFO/YWgdNFS0dRQp4K+bPCG+GaNwfheCWZpN/Vc6MNwMOh2wuPNEIsvqiegvFgk9nlgRwtGVfOMq31QocYCc+LAzl9Ru6v7EOVZ19HKd4z+kfJbLT9+qcLNQ8YlbkDIJwCdwwxKO034fE6b783RiuPrclcVnJxJQ5CB8FHuLs0OnlN7d7V+YdXkXU1v/SCtFNrwSMDgIndZlDM1+8BTEIV2kfaPVQBlngGBzVY2HnLuuHD+jP7mOPYOAHtUEHFQ8AQSF4tKXqE41q520Dq7fNleOyVPnEyfkpQ9oUScSS9bA4pncmlo7RBB13xCr82hfx5ZldPNQ75Ji7UfwL4B2DDqxaxuqgEXMIfWYLQDKnzGMItstY+grufzMFg/9LX/XRkSuboHsIMyokRuYx93tG82KxBM2ocuH9+a5jvh555YLTM1zB2jG0vVBDhjRB2FMc4CHzetgrtyn7sopgWVNGOtFuzPv9Z0G7lvFw31PNUWnBggF6HpZlwe5DZ+gWR33/e/AvokptkE24Ok0sRNLsFOHZsn5BNY9XSQQE9Jp9Bf/kSuz7iHJypL5CTVKGGbziEQODWu/e+3sZR9Km01eMYPmNNMe5fzB0vGWeGoXzmYi6tZzCsLzb/uGr+sBR9u5acIU+/yu7SdaKzDUT
 7nQUch96
 qmtlsS1buPEj/D3H2UskXF3ABjtj9cn8GeO3+f/U9u4wxfOOoWGkZVbqfk1WLOZOIa9mTqZLc/LbPRH4u6LmCKuaNH4YN+KfMuOqDQloaC7EsVjztRWcQvqFlZUPLCOvltBY4ksrHIrJX2gd0mLhKr+fLRiJrllO8eczPyKKVVE3w+Vi43Ejr9nHayxN3qrmrU+vbBRQFTfImweCkFQNz33QChbRIXZ8qOsBf5nhABRNHLw74H3br5Sde6qOjbD/Vebs9vZK+rbI39ZX+zgwXJVEiJCvmwgw4VtjGyMwllYnb/98K8uH+P86mAiOfJ0Dm9DHRGXtJH8vbrUg=
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

On Thu, 27 Mar 2025 11:44:10 +0100 Toke H=C3=B8iland-J=C3=B8rgensen wrote:
> This series fixes the late dma_unmap crash for page pool first reported
> by Yonglong Liu in [0]. It is an alternative approach to the one
> submitted by Yunsheng Lin, most recently in [1]. The first two commits
> are small refactors of the page pool code, in preparation of the main
> change in patch 3. See the commit message of patch 3 for the details.

We see a crash and an UAF on:

[   18.574787] RIP: 0010:page_pool_put_unrefed_netmem (net/core/page_pool.c=
:465 net/core/page_pool.c:808 net/core/page_pool.c:866)=20
[   18.575880] napi_pp_put_page (net/core/skbuff.c:998)=20
[   18.575912] skb_release_data (./include/linux/skbuff_ref.h:40 ./include/=
linux/skbuff_ref.h:56 net/core/skbuff.c:1079)=20
[   18.575944] consume_skb (net/core/skbuff.c:1165 net/core/skbuff.c:1396 n=
et/core/skbuff.c:1390)=20

You should be able to repro with ping test over netdevsim
--=20
pw-bot: cr