Re: [PATCH net] net: dsa: microchip: Added the condition for scheduling ksz_mib_read_work

From: <Arun.Ramadoss@microchip.com>
To: <kuba@kernel.org>, <andrew@lunn.ch>
Cc: <olteanv@gmail.com>, <linux-kernel@vger.kernel.org>,
	<george.mccollister@gmail.com>, <vivien.didelot@gmail.com>,
	<UNGLinuxDriver@microchip.com>, <f.fainelli@gmail.com>,
	<netdev@vger.kernel.org>, <Woojung.Huh@microchip.com>,
	<davem@davemloft.net>
Subject: Re: [PATCH net] net: dsa: microchip: Added the condition for scheduling ksz_mib_read_work
Date: Mon, 11 Oct 2021 09:41:55 +0000	[thread overview]
Message-ID: <601a427d9d73ef7aa85e50770cce38ecd6e84463.camel@microchip.com> (raw)
In-Reply-To: <20211008113402.0aed1d2b@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>

On Fri, 2021-10-08 at 11:34 -0700, Jakub Kicinski wrote:
> EXTERNAL EMAIL: Do not click links or open attachments unless you
> know the content is safe
> 
> On Fri, 8 Oct 2021 15:58:16 +0200 Andrew Lunn wrote:
> > On Fri, Oct 08, 2021 at 02:13:48PM +0530, Arun Ramadoss wrote:
> > > When the ksz module is installed and removed using rmmod, kernel
> > > crashes
> > > with null pointer dereferrence error. During rmmod,
> > > ksz_switch_remove
> > > function tries to cancel the mib_read_workqueue using
> > > cancel_delayed_work_sync routine.
> > > 
> > > At the end of  mib_read_workqueue execution, it again reschedule
> > > the
> > > workqueue unconditionally. Due to which queue rescheduled after
> > > mib_interval, during this execution it tries to access dp->slave. 
> > > But
> > > the slave is unregistered in the ksz_switch_remove function.
> > > Hence
> > > kernel crashes.
> > 
> > Something not correct here.
> > 
> > 
https://www.kernel.org/doc/html/latest/core-api/workqueue.html?highlight=delayed_work#c.cancel_delayed_work_sync
> > 
> > This is cancel_work_sync() for delayed works.
> > 
> > and
> > 
> > 
https://www.kernel.org/doc/html/latest/core-api/workqueue.html?highlight=delayed_work#c.cancel_work_sync
> > 
> > This function can be used even if the work re-queues itself or
> > migrates to another workqueue.
> > 
> > Maybe the real problem is a missing call to destroy_worker()?
> 
> Also the cancel_delayed_work_sync() is suspiciously early in the
> remove
> flow. There is a schedule_work call in ksz_mac_link_down() which may
> schedule the work back in. That'd also explain why the patch helps
> since
> ksz_mac_link_down() only schedules if (dev->mib_read_interval).
In this patch, I did two things. Added the if condition for
rescheduling the queue and other is resetted the mib_read_interval to
zero.
As per the cancel_delayed_queue_sync() functionality, Now I tried rmod
after removing the if condition for resheduling the queue,kernel didn't
crash. So, concluded that it is not rearm in ksz_mib_read_work  is
causing the problem but it is due to scheduling in the
ksz_mac_link_down function. This function is called due to the
dsa_unregister_switch. Due to resetting of the mib_read_interval to
zero in switch_remove, the queue is not scheduled in mac_link_down, so
kernel didn't crash.

And also, as per suggestion on cancel_delayed_work_sync() is
suspiciously placed in switch_remove. I undo this patch, and tried just
by moving the canceling of delayed_work after the dsa_unregister_switch
function. As expected dsa_unregister_switch calls the
ksz_mac_link_down, which schedules the mib_read_work. Now, when
cancel_delayed_work_sync is called, it cancels all the workqueue. As a
result, module is removed successfully without kernel crash.

Can I send the updated patch as v1 or new patch with updated commit
message and description.