Fw: [Bugme-new] [Bug 7962] New: oops in port_carrier_check

Fw: [Bugme-new] [Bug 7962] New: oops in port_carrier_check

[Andrew Morton]

Begin forwarded message:

Date: Wed, 7 Feb 2007 12:41:07 -0800
From: bugme-daemon@bugzilla.kernel.org
To: bugme-new@lists.osdl.org
Subject: [Bugme-new] [Bug 7962] New: oops in port_carrier_check


http://bugzilla.kernel.org/show_bug.cgi?id=7962

           Summary: oops in port_carrier_check
    Kernel Version: 2.6.20-rc7
            Status: NEW
          Severity: normal
             Owner: acme@conectiva.com.br
         Submitter: pterjan@gmail.com


While playing with qemu, I got a oops in bridge (and lost keyboard) :

Feb  7 21:20:18 plop kernel: BUG: unable to handle kernel paging request at
virtual address 6b6b6b6b
Feb  7 21:20:18 plop kernel:  printing eip:
Feb  7 21:20:18 plop kernel: *pde = 00000000
Feb  7 21:20:18 plop kernel: Oops: 0000 [#1]
Feb  7 21:20:18 plop kernel: CPU:    0
Feb  7 21:20:19 plop kernel: EIP:    0060:[pg0+814360305/1067136000]    Not
tainted VLI
Feb  7 21:20:19 plop kernel: EIP:    0060:[<f0eed6f1>]    Not tainted VLI
Feb  7 21:20:19 plop kernel: EFLAGS: 00010202   (2.6.20.0.rc7-1mdv #1)
Feb  7 21:20:19 plop kernel: EIP is at port_carrier_check+0x22/0x75 [bridge]
Feb  7 21:20:19 plop kernel: eax: 6b6b6b6b   ebx: 6b6b6b6b   ecx: 00000000  
edx: 00000001
Feb  7 21:20:19 plop kernel: esi: eb99b120   edi: 00000296   ebp: eff0bf58  
esp: eff0bf4c
Feb  7 21:20:19 plop kernel: ds: 007b   es: 007b   ss: 0068
Feb  7 21:20:19 plop kernel: Process events/0 (pid: 4, ti=eff0a000 task=eff09530
task.ti=eff0a000)
Feb  7 21:20:19 plop kernel: Stack: cd566744 eff4e86c 00000296 eff0bf84 c012534a
eff0bf70 00000296 eff0bfa0
Feb  7 21:20:19 plop kernel:        eff0bfac cd566740 f0eed6cf eff4e86c eff03ec8
eff0bfb4 eff0bfc4 c012590d
Feb  7 21:20:19 plop kernel:        00000001 00000000 00000001 00010000 00000000
00000000 eff09530 c0114770
Feb  7 21:20:19 plop kernel: Call Trace:
Feb  7 21:20:19 plop kernel:  [show_trace_log_lvl+26/47]
show_trace_log_lvl+0x1a/0x2f
Feb  7 21:20:19 plop kernel:  [<c010422c>] show_trace_log_lvl+0x1a/0x2f
Feb  7 21:20:19 plop kernel:  [show_stack_log_lvl+155/163]
show_stack_log_lvl+0x9b/0xa3
Feb  7 21:20:19 plop kernel:  [<c01042dc>] show_stack_log_lvl+0x9b/0xa3
Feb  7 21:20:19 plop kernel:  [show_registers+402/616] show_registers+0x192/0x268
Feb  7 21:20:19 plop kernel:  [<c0104476>] show_registers+0x192/0x268
Feb  7 21:20:19 plop kernel:  [die+234/511] die+0xea/0x1ff
Feb  7 21:20:19 plop kernel:  [<c0104636>] die+0xea/0x1ff
Feb  7 21:20:19 plop kernel:  [do_page_fault+1111/1334] do_page_fault+0x457/0x536
Feb  7 21:20:19 plop kernel:  [<c02c0c73>] do_page_fault+0x457/0x536
Feb  7 21:20:19 plop kernel:  [error_code+116/128] error_code+0x74/0x80
Feb  7 21:20:19 plop kernel:  [<c02bf624>] error_code+0x74/0x80
Feb  7 21:20:19 plop kernel:  [run_workqueue+142/333] run_workqueue+0x8e/0x14d
Feb  7 21:20:19 plop kernel:  [<c012534a>] run_workqueue+0x8e/0x14d
Feb  7 21:20:19 plop kernel:  [worker_thread+260/302] worker_thread+0x104/0x12e 
Feb  7 21:20:19 plop kernel:  [<c012590d>] worker_thread+0x104/0x12e
Feb  7 21:20:19 plop kernel:  [kthread+163/206] kthread+0xa3/0xce
Feb  7 21:20:19 plop kernel:  [<c0127e55>] kthread+0xa3/0xce
Feb  7 21:20:19 plop kernel:  [kernel_thread_helper+7/16]
kernel_thread_helper+0x7/0x10
Feb  7 21:20:19 plop kernel:  [<c0103ed7>] kernel_thread_helper+0x7/0x10
Feb  7 21:20:19 plop kernel:  ======================= 
Feb  7 21:20:19 plop kernel: Code: 38 cf 89 d8 5b 5e 5f 5d c3 55 89 e5 57 56 53
8b b0 24 ff ff ff 0f ba 30 00 e8 d3 20 38 cf 8b 9e 40 02 00 00 85 db 74 4c 8b 46
2c <8b> 3b a8 10 75 0a 89 f0 e8 e2 f9 ff ff 89 43 2c 8b 47 30 f6 40 
Feb  7 21:20:19 plop kernel: EIP: [pg0+814360305/1067136000]
port_carrier_check+0x22/0x75 [bridge] SS:ESP 0068:eff0bf4c
Feb  7 21:20:19 plop kernel: EIP: [<f0eed6f1>] port_carrier_check+0x22/0x75
[bridge] SS:ESP 0068:eff0bf4c

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

Re: [Bugme-new] [Bug 7962] New: oops in port_carrier_check

[Stephen Hemminger]

On Wed, 7 Feb 2007 12:52:16 -0800
Andrew Morton <akpm@linux-foundation.org> wrote:

> 
> 
> Begin forwarded message:
> 
> Date: Wed, 7 Feb 2007 12:41:07 -0800
> From: bugme-daemon@bugzilla.kernel.org
> To: bugme-new@lists.osdl.org
> Subject: [Bugme-new] [Bug 7962] New: oops in port_carrier_check
> 
> 
> http://bugzilla.kernel.org/show_bug.cgi?id=7962
> 
>            Summary: oops in port_carrier_check
>     Kernel Version: 2.6.20-rc7
>             Status: NEW
>           Severity: normal
>              Owner: acme@conectiva.com.br
>          Submitter: pterjan@gmail.com
> 
> 
> While playing with qemu, I got a oops in bridge (and lost keyboard) :
> 
> Feb  7 21:20:18 plop kernel: BUG: unable to handle kernel paging request at
> virtual address 6b6b6b6b
> Feb  7 21:20:18 plop kernel:  printing eip:
> Feb  7 21:20:18 plop kernel: *pde = 00000000
> Feb  7 21:20:18 plop kernel: Oops: 0000 [#1]
> Feb  7 21:20:18 plop kernel: CPU:    0
> Feb  7 21:20:19 plop kernel: EIP:    0060:[pg0+814360305/1067136000]    Not
> tainted VLI
> Feb  7 21:20:19 plop kernel: EIP:    0060:[<f0eed6f1>]    Not tainted VLI
> Feb  7 21:20:19 plop kernel: EFLAGS: 00010202   (2.6.20.0.rc7-1mdv #1)
> Feb  7 21:20:19 plop kernel: EIP is at port_carrier_check+0x22/0x75 [bridge]
> Feb  7 21:20:19 plop kernel: eax: 6b6b6b6b   ebx: 6b6b6b6b   ecx: 00000000  
> edx: 00000001
> Feb  7 21:20:19 plop kernel: esi: eb99b120   edi: 00000296   ebp: eff0bf58  
> esp: eff0bf4c
> Feb  7 21:20:19 plop kernel: ds: 007b   es: 007b   ss: 0068
> Feb  7 21:20:19 plop kernel: Process events/0 (pid: 4, ti=eff0a000 task=eff09530
> task.ti=eff0a000)
> Feb  7 21:20:19 plop kernel: Stack: cd566744 eff4e86c 00000296 eff0bf84 c012534a
> eff0bf70 00000296 eff0bfa0
> Feb  7 21:20:19 plop kernel:        eff0bfac cd566740 f0eed6cf eff4e86c eff03ec8
> eff0bfb4 eff0bfc4 c012590d
> Feb  7 21:20:19 plop kernel:        00000001 00000000 00000001 00010000 00000000
> 00000000 eff09530 c0114770
> Feb  7 21:20:19 plop kernel: Call Trace:
> Feb  7 21:20:19 plop kernel:  [show_trace_log_lvl+26/47]
> show_trace_log_lvl+0x1a/0x2f
> Feb  7 21:20:19 plop kernel:  [<c010422c>] show_trace_log_lvl+0x1a/0x2f
> Feb  7 21:20:19 plop kernel:  [show_stack_log_lvl+155/163]
> show_stack_log_lvl+0x9b/0xa3
> Feb  7 21:20:19 plop kernel:  [<c01042dc>] show_stack_log_lvl+0x9b/0xa3
> Feb  7 21:20:19 plop kernel:  [show_registers+402/616] show_registers+0x192/0x268
> Feb  7 21:20:19 plop kernel:  [<c0104476>] show_registers+0x192/0x268
> Feb  7 21:20:19 plop kernel:  [die+234/511] die+0xea/0x1ff
> Feb  7 21:20:19 plop kernel:  [<c0104636>] die+0xea/0x1ff
> Feb  7 21:20:19 plop kernel:  [do_page_fault+1111/1334] do_page_fault+0x457/0x536
> Feb  7 21:20:19 plop kernel:  [<c02c0c73>] do_page_fault+0x457/0x536
> Feb  7 21:20:19 plop kernel:  [error_code+116/128] error_code+0x74/0x80
> Feb  7 21:20:19 plop kernel:  [<c02bf624>] error_code+0x74/0x80
> Feb  7 21:20:19 plop kernel:  [run_workqueue+142/333] run_workqueue+0x8e/0x14d
> Feb  7 21:20:19 plop kernel:  [<c012534a>] run_workqueue+0x8e/0x14d
> Feb  7 21:20:19 plop kernel:  [worker_thread+260/302] worker_thread+0x104/0x12e 
> Feb  7 21:20:19 plop kernel:  [<c012590d>] worker_thread+0x104/0x12e
> Feb  7 21:20:19 plop kernel:  [kthread+163/206] kthread+0xa3/0xce
> Feb  7 21:20:19 plop kernel:  [<c0127e55>] kthread+0xa3/0xce
> Feb  7 21:20:19 plop kernel:  [kernel_thread_helper+7/16]
> kernel_thread_helper+0x7/0x10
> Feb  7 21:20:19 plop kernel:  [<c0103ed7>] kernel_thread_helper+0x7/0x10
> Feb  7 21:20:19 plop kernel:  ======================= 
> Feb  7 21:20:19 plop kernel: Code: 38 cf 89 d8 5b 5e 5f 5d c3 55 89 e5 57 56 53
> 8b b0 24 ff ff ff 0f ba 30 00 e8 d3 20 38 cf 8b 9e 40 02 00 00 85 db 74 4c 8b 46
> 2c <8b> 3b a8 10 75 0a 89 f0 e8 e2 f9 ff ff 89 43 2c 8b 47 30 f6 40 
> Feb  7 21:20:19 plop kernel: EIP: [pg0+814360305/1067136000]
> port_carrier_check+0x22/0x75 [bridge] SS:ESP 0068:eff0bf4c
> Feb  7 21:20:19 plop kernel: EIP: [<f0eed6f1>] port_carrier_check+0x22/0x75
> [bridge] SS:ESP 0068:eff0bf4c
> 
> ------- You are receiving this mail because: -------
> You are on the CC list for the bug, or are watching someone who is.


I wonder if this is work_queue API change fallout.

Re: [Bugme-new] [Bug 7962] New: oops in port_carrier_check

[Jarek Poplawski]

On 07-02-2007 23:09, Stephen Hemminger wrote:
> On Wed, 7 Feb 2007 12:52:16 -0800
> Andrew Morton <akpm@linux-foundation.org> wrote:
...
>> Feb  7 21:20:18 plop kernel: BUG: unable to handle kernel paging request at
>> virtual address 6b6b6b6b
>> Feb  7 21:20:18 plop kernel:  printing eip:
>> Feb  7 21:20:18 plop kernel: *pde = 00000000
>> Feb  7 21:20:18 plop kernel: Oops: 0000 [#1]
>> Feb  7 21:20:18 plop kernel: CPU:    0
>> Feb  7 21:20:19 plop kernel: EIP:    0060:[pg0+814360305/1067136000]    Not
>> tainted VLI
>> Feb  7 21:20:19 plop kernel: EIP:    0060:[<f0eed6f1>]    Not tainted VLI
>> Feb  7 21:20:19 plop kernel: EFLAGS: 00010202   (2.6.20.0.rc7-1mdv #1)
>> Feb  7 21:20:19 plop kernel: EIP is at port_carrier_check+0x22/0x75 [bridge]
>> Feb  7 21:20:19 plop kernel: eax: 6b6b6b6b   ebx: 6b6b6b6b   ecx: 00000000  

I think it's caused by pending delayed workqueue
trying to use dev after kfree (POISON_FREE in eax, ebx). 

> static void port_carrier_check(struct work_struct *work)
> {
>        struct net_bridge_port *p;
>        struct net_device *dev;
>        struct net_bridge *br;
>
>        dev = container_of(work, struct net_bridge_port,
>                           carrier_check.work)->dev;
>        work_release(work);
>
>        rtnl_lock();
>        p = dev->br_port;
>        if (!p)
>                goto done;
>        br = p->br;
>
>        if (netif_carrier_ok(dev))
>                p->path_cost = port_cost(dev);
>
>        if (br->dev->flags & IFF_UP) {

My investigation seems to point at this line (p == ebx
but not NULL because of mem debugging on, probably).

Regards,
Jarek P.

Re: [Bugme-new] [Bug 7962] New: oops in port_carrier_check

[Stephen Hemminger]

On Fri, 9 Feb 2007 08:42:11 +0100
Jarek Poplawski <jarkao2@o2.pl> wrote:

> On 07-02-2007 23:09, Stephen Hemminger wrote:
> > On Wed, 7 Feb 2007 12:52:16 -0800
> > Andrew Morton <akpm@linux-foundation.org> wrote:
> ...
> >> Feb  7 21:20:18 plop kernel: BUG: unable to handle kernel paging request at
> >> virtual address 6b6b6b6b
> >> Feb  7 21:20:18 plop kernel:  printing eip:
> >> Feb  7 21:20:18 plop kernel: *pde = 00000000
> >> Feb  7 21:20:18 plop kernel: Oops: 0000 [#1]
> >> Feb  7 21:20:18 plop kernel: CPU:    0
> >> Feb  7 21:20:19 plop kernel: EIP:    0060:[pg0+814360305/1067136000]    Not
> >> tainted VLI
> >> Feb  7 21:20:19 plop kernel: EIP:    0060:[<f0eed6f1>]    Not tainted VLI
> >> Feb  7 21:20:19 plop kernel: EFLAGS: 00010202   (2.6.20.0.rc7-1mdv #1)
> >> Feb  7 21:20:19 plop kernel: EIP is at port_carrier_check+0x22/0x75 [bridge]
> >> Feb  7 21:20:19 plop kernel: eax: 6b6b6b6b   ebx: 6b6b6b6b   ecx: 00000000  
> 
> I think it's caused by pending delayed workqueue
> trying to use dev after kfree (POISON_FREE in eax, ebx). 
> 
> > static void port_carrier_check(struct work_struct *work)
> > {
> >        struct net_bridge_port *p;
> >        struct net_device *dev;
> >        struct net_bridge *br;
> >
> >        dev = container_of(work, struct net_bridge_port,
> >                           carrier_check.work)->dev;
> >        work_release(work);
> >
> >        rtnl_lock();
> >        p = dev->br_port;
> >        if (!p)
> >                goto done;
> >        br = p->br;
> >
> >        if (netif_carrier_ok(dev))
> >                p->path_cost = port_cost(dev);
> >
> >        if (br->dev->flags & IFF_UP) {
> 
> My investigation seems to point at this line (p == ebx
> but not NULL because of mem debugging on, probably).
> 

The carrier_check is canceled by removal of port from bridge.
Perhaps there is something broken in rcu assumptions under Qemu

Re: [Bugme-new] [Bug 7962] New: oops in port_carrier_check

[Pascal Terjan]

2007/2/9, Stephen Hemminger <shemminger@linux-foundation.org>:
> The carrier_check is canceled by removal of port from bridge.
> Perhaps there is something broken in rcu assumptions under Qemu

If that can help:
I started /stopped qemu several times. Maybe I started /stopped qemu
several times as I was testing new PXE support in qemu with different
virtual nic. Each time, a tun device was created by qemu at startup
and added to the bridge, and destroyed on exit.

Re: [Bugme-new] [Bug 7962] New: oops in port_carrier_check

[Jarek Poplawski]

On Fri, Feb 09, 2007 at 09:52:04AM -0800, Stephen Hemminger wrote:
> On Fri, 9 Feb 2007 08:42:11 +0100
> Jarek Poplawski <jarkao2@o2.pl> wrote:
> 
> > On 07-02-2007 23:09, Stephen Hemminger wrote:
> > > On Wed, 7 Feb 2007 12:52:16 -0800
> > > Andrew Morton <akpm@linux-foundation.org> wrote:
> > ...
> > >> Feb  7 21:20:18 plop kernel: BUG: unable to handle kernel paging request at
> > >> virtual address 6b6b6b6b
> > >> Feb  7 21:20:18 plop kernel:  printing eip:
> > >> Feb  7 21:20:18 plop kernel: *pde = 00000000
> > >> Feb  7 21:20:18 plop kernel: Oops: 0000 [#1]
> > >> Feb  7 21:20:18 plop kernel: CPU:    0
> > >> Feb  7 21:20:19 plop kernel: EIP:    0060:[pg0+814360305/1067136000]    Not
> > >> tainted VLI
> > >> Feb  7 21:20:19 plop kernel: EIP:    0060:[<f0eed6f1>]    Not tainted VLI
> > >> Feb  7 21:20:19 plop kernel: EFLAGS: 00010202   (2.6.20.0.rc7-1mdv #1)
> > >> Feb  7 21:20:19 plop kernel: EIP is at port_carrier_check+0x22/0x75 [bridge]
> > >> Feb  7 21:20:19 plop kernel: eax: 6b6b6b6b   ebx: 6b6b6b6b   ecx: 00000000  
> > 
> > I think it's caused by pending delayed workqueue
> > trying to use dev after kfree (POISON_FREE in eax, ebx). 
> > 
> > > static void port_carrier_check(struct work_struct *work)
> > > {
> > >        struct net_bridge_port *p;
> > >        struct net_device *dev;
> > >        struct net_bridge *br;
> > >
> > >        dev = container_of(work, struct net_bridge_port,
> > >                           carrier_check.work)->dev;
> > >        work_release(work);
> > >
> > >        rtnl_lock();
> > >        p = dev->br_port;
> > >        if (!p)
> > >                goto done;
> > >        br = p->br;
> > >
> > >        if (netif_carrier_ok(dev))
> > >                p->path_cost = port_cost(dev);
> > >
> > >        if (br->dev->flags & IFF_UP) {
> > 
> > My investigation seems to point at this line (p == ebx
> > but not NULL because of mem debugging on, probably).

Sorry, I overpasted. This is the line:

-->        br = p->br;

> The carrier_check is canceled by removal of port from bridge.
> Perhaps there is something broken in rcu assumptions under Qemu

If you mean this:

> static void del_nbp(struct net_bridge_port *p)
> {
> ...
>        cancel_delayed_work(&p->carrier_check);

it's not sufficient. According to workqueue.h:

> /*
>  * Kill off a pending schedule_delayed_work().  Note that the work callback
>  * function may still be running on return from cancel_delayed_work().  Run
>  * flush_scheduled_work() to wait on it.
>  */
> static inline int cancel_delayed_work(struct delayed_work *work)

I can't see how rcu could help here with this pointer
to dev passed on to delayed_work (out of any rcu block).

IMHO dev_hold/dev_put (or something alike) is needed here.

Regards,
Jarek P.

[PATCH][NET][BRIDGE] br_if: oops in port_carrier_check

[Jarek Poplawski]

Here is my patch proposal for testing.
If it doesn't work - forget about it.
(Prepared with 2.6.20-git6 but could
be applied to 2.6.20 also.)

Jarek P.


dev_hold/dev_put added to prevent dev kfree
during port_carrier_check runnig, while dev
and port are removed.

Submitted and tested by: Pascal Terjan <pterjan@gmail.com>

Signed-off-by: Jarek Poplawski <jarkao2@o2.pl>

---

diff -Nurp linux-2.6.20-git6-/net/bridge/br_if.c linux-2.6.20-git6/net/bridge/br_if.c
--- linux-2.6.20-git6-/net/bridge/br_if.c	2007-02-12 10:20:14.000000000 +0100
+++ linux-2.6.20-git6/net/bridge/br_if.c	2007-02-12 10:36:58.000000000 +0100
@@ -108,6 +108,7 @@ static void port_carrier_check(struct wo
 		spin_unlock_bh(&br->lock);
 	}
 done:
+	dev_put(dev);
 	rtnl_unlock();
 }
 
@@ -161,7 +162,8 @@ static void del_nbp(struct net_bridge_po
 
 	dev_set_promiscuity(dev, -1);
 
-	cancel_delayed_work(&p->carrier_check);
+	if (cancel_delayed_work(&p->carrier_check))
+		dev_put(dev);
 
 	spin_lock_bh(&br->lock);
 	br_stp_disable_port(p);
@@ -444,7 +446,9 @@ int br_add_if(struct net_bridge *br, str
 	spin_lock_bh(&br->lock);
 	br_stp_recalculate_bridge_id(br);
 	br_features_recompute(br);
-	schedule_delayed_work(&p->carrier_check, BR_PORT_DEBOUNCE);
+	if (schedule_delayed_work(&p->carrier_check, BR_PORT_DEBOUNCE))
+		dev_hold(dev);
+
 	spin_unlock_bh(&br->lock);
 
 	dev_set_mtu(br->dev, br_min_mtu(br));

Re: [PATCH][NET][BRIDGE] br_if: oops in port_carrier_check

[Stephen Hemminger]

On Mon, 12 Feb 2007 11:28:48 +0100
Jarek Poplawski <jarkao2@o2.pl> wrote:

> Here is my patch proposal for testing.
> If it doesn't work - forget about it.
> (Prepared with 2.6.20-git6 but could
> be applied to 2.6.20 also.)
> 
> Jarek P.
> 
> 
> dev_hold/dev_put added to prevent dev kfree
> during port_carrier_check runnig, while dev
> and port are removed.

No, holding the reference just stops the kfree, it doesn't
stop the device from being removed from the port.

[PATCH][NET][BRIDGE] br_if: oops in port_carrier_check

[Jarek Poplawski]

On Mon, Feb 12, 2007 at 09:47:38AM -0800, Stephen Hemminger wrote:
> On Mon, 12 Feb 2007 11:28:48 +0100
> Jarek Poplawski <jarkao2@o2.pl> wrote:
> 
> > Here is my patch proposal for testing.
> > If it doesn't work - forget about it.
> > (Prepared with 2.6.20-git6 but could
> > be applied to 2.6.20 also.)
> > 
> > Jarek P.
> > 
> > 
> > dev_hold/dev_put added to prevent dev kfree
> > during port_carrier_check runnig, while dev
> > and port are removed.
> 
> No, holding the reference just stops the kfree, it doesn't
> stop the device from being removed from the port.

But I wrote above it is only to prevent the kfree.

>        p = dev->br_port;
>        if (!p)
>                goto done;
>        br = p->br;

Then p is NULL here and we goto done.

Sorry, but the first version was wrong (incomplete).
Below I attach a new proposal.


Signed-off-by: Jarek Poplawski <jarkao2@o2.pl>

---

diff -Nurp linux-2.6.20-git7-/net/bridge/br_if.c linux-2.6.20-git7/net/bridge/br_if.c
--- linux-2.6.20-git7-/net/bridge/br_if.c	2007-02-12 20:27:49.000000000 +0100
+++ linux-2.6.20-git7/net/bridge/br_if.c	2007-02-12 20:53:27.000000000 +0100
@@ -108,6 +108,7 @@ static void port_carrier_check(struct wo
 		spin_unlock_bh(&br->lock);
 	}
 done:
+	dev_put(dev);
 	rtnl_unlock();
 }
 
@@ -161,7 +162,8 @@ static void del_nbp(struct net_bridge_po
 
 	dev_set_promiscuity(dev, -1);
 
-	cancel_delayed_work(&p->carrier_check);
+	if (cancel_delayed_work(&p->carrier_check))
+		dev_put(dev);
 
 	spin_lock_bh(&br->lock);
 	br_stp_disable_port(p);
@@ -444,7 +446,9 @@ int br_add_if(struct net_bridge *br, str
 	spin_lock_bh(&br->lock);
 	br_stp_recalculate_bridge_id(br);
 	br_features_recompute(br);
-	schedule_delayed_work(&p->carrier_check, BR_PORT_DEBOUNCE);
+	if (schedule_delayed_work(&p->carrier_check, BR_PORT_DEBOUNCE))
+		dev_hold(dev);
+
 	spin_unlock_bh(&br->lock);
 
 	dev_set_mtu(br->dev, br_min_mtu(br));
diff -Nurp linux-2.6.20-git7-/net/bridge/br_notify.c linux-2.6.20-git7/net/bridge/br_notify.c
--- linux-2.6.20-git7-/net/bridge/br_notify.c	2007-02-12 20:27:49.000000000 +0100
+++ linux-2.6.20-git7/net/bridge/br_notify.c	2007-02-12 20:50:50.000000000 +0100
@@ -56,7 +56,9 @@ static int br_device_event(struct notifi
 
 	case NETDEV_CHANGE:
 		if (br->dev->flags & IFF_UP)
-			schedule_delayed_work(&p->carrier_check, BR_PORT_DEBOUNCE);
+			if (schedule_delayed_work(&p->carrier_check,
+						BR_PORT_DEBOUNCE))
+				dev_hold(dev);
 		break;
 
 	case NETDEV_FEAT_CHANGE:

Re: [PATCH][NET][BRIDGE] br_if: oops in port_carrier_check

[Stephen Hemminger]

On Tue, 13 Feb 2007 07:26:51 +0100
Jarek Poplawski <jarkao2@o2.pl> wrote:

> On Mon, Feb 12, 2007 at 09:47:38AM -0800, Stephen Hemminger wrote:
> > On Mon, 12 Feb 2007 11:28:48 +0100
> > Jarek Poplawski <jarkao2@o2.pl> wrote:
> > 
> > > Here is my patch proposal for testing.
> > > If it doesn't work - forget about it.
> > > (Prepared with 2.6.20-git6 but could
> > > be applied to 2.6.20 also.)
> > > 
> > > Jarek P.
> > > 
> > > 
> > > dev_hold/dev_put added to prevent dev kfree
> > > during port_carrier_check runnig, while dev
> > > and port are removed.
> > 
> > No, holding the reference just stops the kfree, it doesn't
> > stop the device from being removed from the port.
> 
> But I wrote above it is only to prevent the kfree.
> 
> >        p = dev->br_port;
> >        if (!p)
> >                goto done;
> >        br = p->br;
> 
> Then p is NULL here and we goto done.
> 
> Sorry, but the first version was wrong (incomplete).
> Below I attach a new proposal.
> 
> 
> Signed-off-by: Jarek Poplawski <jarkao2@o2.pl>

Yes, this looks correct.  If carrier_check is pending the ref count
gets cleared by cancel. If carrier work is waiting for rtnl, then
it cleans itself up.
-- 
Stephen Hemminger <shemminger@linux-foundation.org>

Re: [PATCH][NET][BRIDGE] br_if: oops in port_carrier_check

[David Miller]

From: Stephen Hemminger <shemminger@linux-foundation.org>
Date: Tue, 13 Feb 2007 11:55:29 -0800

> On Tue, 13 Feb 2007 07:26:51 +0100
> Jarek Poplawski <jarkao2@o2.pl> wrote:
> 
> > On Mon, Feb 12, 2007 at 09:47:38AM -0800, Stephen Hemminger wrote:
> > > On Mon, 12 Feb 2007 11:28:48 +0100
> > > Jarek Poplawski <jarkao2@o2.pl> wrote:
> > > 
> > > > Here is my patch proposal for testing.
> > > > If it doesn't work - forget about it.
> > > > (Prepared with 2.6.20-git6 but could
> > > > be applied to 2.6.20 also.)
> > > > 
> > > > Jarek P.
> > > > 
> > > > 
> > > > dev_hold/dev_put added to prevent dev kfree
> > > > during port_carrier_check runnig, while dev
> > > > and port are removed.
> > > 
> > > No, holding the reference just stops the kfree, it doesn't
> > > stop the device from being removed from the port.
> > 
> > But I wrote above it is only to prevent the kfree.
> > 
> > >        p = dev->br_port;
> > >        if (!p)
> > >                goto done;
> > >        br = p->br;
> > 
> > Then p is NULL here and we goto done.
> > 
> > Sorry, but the first version was wrong (incomplete).
> > Below I attach a new proposal.
> > 
> > 
> > Signed-off-by: Jarek Poplawski <jarkao2@o2.pl>
> 
> Yes, this looks correct.  If carrier_check is pending the ref count
> gets cleared by cancel. If carrier work is waiting for rtnl, then
> it cleans itself up.

I've applied this patch, thanks everyone.

Stephen, do we want this in -stable?

Re: [PATCH][NET][BRIDGE] br_if: oops in port_carrier_check

[Jarek Poplawski]

On Tue, Feb 13, 2007 at 12:35:53PM -0800, David Miller wrote:
...
> I've applied this patch, thanks everyone.
> 
> Stephen, do we want this in -stable?
 
I got this info it went trough -mm too:

...
> From: akpm@linux-foundation.org
> Subject: - br_if-oops-in-port_carrier_check.patch removed from -mm tree
> To: jarkao2@o2.pl, mm-commits@vger.kernel.org
...
> The patch titled
>     br_if: oops in port_carrier_check
> has been removed from the -mm tree.  Its filename was
>     br_if-oops-in-port_carrier_check.patch
>
> This patch was dropped because it was merged into mainline or a subsystem tree

Regards,
Jarek P.