From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id AA021C36010 for ; Fri, 28 Mar 2025 11:20:29 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 41C3C280135; Fri, 28 Mar 2025 07:20:28 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 3A55C280130; Fri, 28 Mar 2025 07:20:28 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 22060280135; Fri, 28 Mar 2025 07:20:28 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com [216.40.44.16]) by kanga.kvack.org (Postfix) with ESMTP id 02EF3280130 for ; Fri, 28 Mar 2025 07:20:27 -0400 (EDT) Received: from smtpin05.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay01.hostedemail.com (Postfix) with ESMTP id F22B61CE245 for ; Fri, 28 Mar 2025 11:20:27 +0000 (UTC) X-FDA: 83270716494.05.6AB0274 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by imf16.hostedemail.com (Postfix) with ESMTP id 9F4F0180007 for ; Fri, 28 Mar 2025 11:20:25 +0000 (UTC) Authentication-Results: imf16.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b="ZMMm/QNi"; dmarc=pass (policy=quarantine) header.from=redhat.com; spf=pass (imf16.hostedemail.com: domain of toke@redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=toke@redhat.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1743160825; a=rsa-sha256; cv=none; b=7tuO6lxfpdTAPNZExvdqxhQs5RlleP/6MRUPu0UhAonb5RkbVOd3gU+6l6xusVuKnP5aq8 eBOA20MD/cBiqgcW5RpWxc1bDW/J+EaCjoX14FMhoRYLQqE9yCwD1i4AAxd2TzyqaQflWo UUUvoKxBsvTFpk8ZG+pW34gk8aqaVMA= ARC-Authentication-Results: i=1; imf16.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b="ZMMm/QNi"; dmarc=pass (policy=quarantine) header.from=redhat.com; spf=pass (imf16.hostedemail.com: domain of toke@redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=toke@redhat.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1743160825; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=IreJLELQ4/V5TRIJHLucmuWAARoBIYlSFo2+N3tbmXs=; b=7B8P8hfWGarWpL1KM/FPW7sMmF/AMrJf9Ir6yc5iFsk1wqI7d9g0XhigQDzthFAKmHGrTd o4PvujoFcXVzkyqfxbHosbS0KgpKzkDKuPPCYt38t7SiFthpk5Jkop1+7Xcbpv/lLoejs9 m+iMZcms6bFolAOfOFV6cEXS7RY7E1U= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1743160825; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=IreJLELQ4/V5TRIJHLucmuWAARoBIYlSFo2+N3tbmXs=; b=ZMMm/QNiTwErpMMm8GoSUBM9R0HqMnVeLl1L1f3LC5lh4yY816NEZfMVpBMsJ+b12asYD0 kUCEuotWhJmfP1tcES2jVdGVX5x1D55jnQ0QucoG8Mf8hsJ1j3VXEtH4pe4dIP3PdQ3gwF RKE4CgCwiGIULzR2lyV+5cSrQUYlbqU= Received: from mail-ed1-f72.google.com (mail-ed1-f72.google.com [209.85.208.72]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-270-F3WchyXvMM-4mkW5SR7lhw-1; Fri, 28 Mar 2025 07:20:21 -0400 X-MC-Unique: F3WchyXvMM-4mkW5SR7lhw-1 X-Mimecast-MFC-AGG-ID: F3WchyXvMM-4mkW5SR7lhw_1743160820 Received: by mail-ed1-f72.google.com with SMTP id 4fb4d7f45d1cf-5e5d9682f1fso1864211a12.1 for ; Fri, 28 Mar 2025 04:20:21 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1743160820; x=1743765620; h=content-transfer-encoding:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=xADjDk9zc1bw1YBgWMpS4QPMZR6DTQ8CJRDpLqIGwyc=; b=kSDH6dbNbAoVPGagNxETPCOE3H0S5JSIHVQRpBILlb/yaZPjStWgg6pYJDatybEBGM Kpo3PV1VFQzuH1Shmsrw7eg+1j1Qhz2bvaaWyXGA590SfafM7Lqd862Xetkp8WzG+zjY 5ixAjGM09AX5Mj6OAe7lLpa1b5RZt6ygIBUAXCNxKnthYJwiGjvLYkIBI/FrvXFEdf9c 83+67u7FSLm7afS0k5F1JeBMB9TuMhs18HX6/j4YlQUlOCtFsKbv2/WI21O4XgrEvy4w WPkIaHOWIqtmMKAq2HHZl2K0AUwDQhrxSxjUTaphxgycbBvcxZtYoMgeVDjfQGliW+zO hDcQ== X-Forwarded-Encrypted: i=1; AJvYcCUeF+0QayAyFTmE1MW7mn6DZgCDeOyAejtb9EMCTouR8S1IpfY95AXaQtjFVZrB4tIyOLAgKnjJwg==@kvack.org X-Gm-Message-State: AOJu0YxAMgFKaTpfOD0FKsJ+zQOAEjeU6pKFIlldcmhJ6keyavVJNxif EB9hcBMFvrd11BWc9KiY94GOjF1XVz/WQwKWkJWlBvllyewNgxrcR/9Y1i3HOxLTJNpOmVEF0U7 FZZKQF2bR9DyzzeolpqYFEfd1NarQbFSgF0LFV63v2N/q8XLS X-Gm-Gg: ASbGncugia7DDm4pcHS1MoHU9Qo+vtVCVdmKAcZ6znA5drIAqGZ8LKlmzPSgjJsOIiQ KmcWDDVqjf25B/MiPQpH8Ec3p+s3Q4CaQLun8AlZqNC0LHQq4NcThbi2Qvp4ar2Gcx6D465IL0h HzTcuOX8XMBkHBta96FT9WOOo5DtV03fEdMGw8UiuzfKmNTncoVuneZzcaTJDSqZ+YicZjunfn7 MDFtzMR2rYuqxtLwQKa+hAo3bBHoXI6FEAD6cQ43R9E0wg99BdIxVC38Rkt1E+zGgZvrO3eqYMx NzURwg/8jd5KJTh0yTPwtrlBb19LJO+j0Sgsri3M X-Received: by 2002:a05:6402:1ed4:b0:5ed:837:e3db with SMTP id 4fb4d7f45d1cf-5ed8f2099b0mr5968658a12.32.1743160820363; Fri, 28 Mar 2025 04:20:20 -0700 (PDT) X-Google-Smtp-Source: AGHT+IEZK5Nv8BYjsY2nT5mHNKK8N9+Tgsi5w7rURbNEpTt3wAIOPFbmvEnvl96t0hGLvCjO+tk/7A== X-Received: by 2002:a05:6402:1ed4:b0:5ed:837:e3db with SMTP id 4fb4d7f45d1cf-5ed8f2099b0mr5968629a12.32.1743160819905; Fri, 28 Mar 2025 04:20:19 -0700 (PDT) Received: from alrua-x1.borgediget.toke.dk ([45.145.92.2]) by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-5edc16d3629sm1220781a12.23.2025.03.28.04.20.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 28 Mar 2025 04:20:18 -0700 (PDT) Received: by alrua-x1.borgediget.toke.dk (Postfix, from userid 1000) id 4DF8C18FCDB5; Fri, 28 Mar 2025 12:20:17 +0100 (CET) From: Toke =?utf-8?Q?H=C3=B8iland-J=C3=B8rgensen?= To: Jakub Kicinski Cc: "David S. Miller" , Jesper Dangaard Brouer , Saeed Mahameed , Leon Romanovsky , Tariq Toukan , Andrew Lunn , Eric Dumazet , Paolo Abeni , Ilias Apalodimas , Simon Horman , Andrew Morton , Mina Almasry , Yonglong Liu , Yunsheng Lin , Pavel Begunkov , Matthew Wilcox , netdev@vger.kernel.org, bpf@vger.kernel.org, linux-rdma@vger.kernel.org, linux-mm@kvack.org, Qiuling Ren , Yuying Ma Subject: Re: [PATCH net-next v4 0/3] Fix late DMA unmap crash for page pool In-Reply-To: <20250327124803.41feffed@kernel.org> References: <20250327-page-pool-track-dma-v4-0-b380dc6706d0@redhat.com> <20250327124803.41feffed@kernel.org> X-Clacks-Overhead: GNU Terry Pratchett Date: Fri, 28 Mar 2025 12:20:17 +0100 Message-ID: <87bjtlpfke.fsf@toke.dk> MIME-Version: 1.0 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: VsvTN5XGLso6s5VWDmUk8CbDpoyyPN-Nvira02yFfP4_1743160820 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Rspamd-Server: rspam04 X-Rspamd-Queue-Id: 9F4F0180007 X-Stat-Signature: 194xdxqzxgbdaaa88wwjwd4nax9amyf3 X-Rspam-User: X-HE-Tag: 1743160825-107385 X-HE-Meta: U2FsdGVkX19Sfy9cTAlC86WDdOveCo7n/iw7kwaXzg7LR4PpRrEYoq2HR17TP9//0/fQ+g45KFPLjr71A4gzznC7xPMcDrPk9QSsxs9IqJuFnPRFkPnI4xZiuvWfKQ966oqHQ3J10L7tY0yL7oCgxg4ZR/bku+j3ewIBcmzDWGAFr5I4wlXvPd2PSgHbJ9SULJBhJff6xZ8nfjhgiqkfrq/l7yeRTUsbIGeE6qiXvjKiJdQ0xqydTTzC2fdFbprMvp9peCKotdT4u/YJEMr+iNRz/9w6jpaMfQgrCv3ANMqnGA5NMhm8w7pUS/PNwVWuJV2r7493NpcVkpv0dOJc/j8H1YgIcSvaxp4pFWN2zJZEcVQtqNgn+NckAHz81O7Btw0gNevorpYeAuVyX0OlSZPgWIEQvRFgQSKUa8oijA0nQ5msUEWcxG01ljK8JYZlwm7RWelJpTf8LY6VwGz5RqJ1745+aZFADa8/xSXyr67eoD01ZlbX9HkSXf/ZvhBEcTksYknlnUpyHnA/ww5rm56/xujMp9aTFG6GTubyJMI51T5s5K+8ZNXplUfMHT0kdT8fXxtNI1STUxYBjKUkjkBBLC7mT15/M3VCZGyY69uXhfPHjGk3T/3VM8IjRy47Y7Lu2wOQa8MdViaVrAm8KYYhS81y0JL+Z6nJCuCfGWJ2XC5fq+8soTZolfHqC4p9cFqZM95l+mmHW7ISIFnOz6S0tGMbRTVA/pVMxHrf4sJAK4T+Jw0+nUU2Z0wln58n9BgrlpXM57XqZJGF8V8ynVWiJmlEWre+HV6rLHt88cVOx8T/vkEJF1uBtQIvqsg80H4VXfqbSBum6viPqs/wP2rcNA9EGZyoyiUJ50SgFVLwolWdm32qpLDg8BLY1W/r2hxaNPNB0Vl0XHfZt0WsKUbxUZVqzT1ZKqhc50msr57tyCLlYZRtOGOf1BBRNT/wWWSYmAfaJs2QJXTH00b TLpwyqx0 mE8D9D7xWLUZsm2x9EwaCUQCCz1/bCECTAbS5B+kVC+5y/+EJpWfemTMV95cne3dGB+FtLhkXLq3GDoF9a0UEjVU7t9oQ0fwoVFDqJbreDyYAqBHCWMsbGcCKng== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: Jakub Kicinski writes: > On Thu, 27 Mar 2025 11:44:10 +0100 Toke H=C3=B8iland-J=C3=B8rgensen wrote= : >> This series fixes the late dma_unmap crash for page pool first reported >> by Yonglong Liu in [0]. It is an alternative approach to the one >> submitted by Yunsheng Lin, most recently in [1]. The first two commits >> are small refactors of the page pool code, in preparation of the main >> change in patch 3. See the commit message of patch 3 for the details. > > We see a crash and an UAF on: > > [ 18.574787] RIP: 0010:page_pool_put_unrefed_netmem (net/core/page_pool= .c:465 net/core/page_pool.c:808 net/core/page_pool.c:866)=20 > [ 18.575880] napi_pp_put_page (net/core/skbuff.c:998)=20 > [ 18.575912] skb_release_data (./include/linux/skbuff_ref.h:40 ./includ= e/linux/skbuff_ref.h:56 net/core/skbuff.c:1079)=20 > [ 18.575944] consume_skb (net/core/skbuff.c:1165 net/core/skbuff.c:1396= net/core/skbuff.c:1390)=20 > > You should be able to repro with ping test over netdevsim Alright, I'll take a look, thanks for the pointer. -Toke