* Re: unregister_netdevice: waiting for DEV to become free (2)
[not found] ` <0000000000007d22100573d66078@google.com>
@ 2019-10-11 10:14 ` Tetsuo Handa
2019-10-11 15:12 ` Alexei Starovoitov
0 siblings, 1 reply; 5+ messages in thread
From: Tetsuo Handa @ 2019-10-11 10:14 UTC (permalink / raw)
To: Alexei Starovoitov, Daniel Borkmann
Cc: syzbot, ddstreet, dvyukov, linux-kernel, netdev, syzkaller-bugs, bpf
Hello.
I noticed that syzbot is reporting that refcount incremented by bpf(BPF_MAP_UPDATE_ELEM)
syscall is not decremented when unregister_netdevice() is called. Is this a BPF bug?
Kernel: 9e208aa06c2109b45eec6be049a8e47034748c20 on linux.git
Config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=73c2aace7604ab7
Reproducer: https://syzkaller.appspot.com/text?tag=ReproC&x=1215afaf600000
Debug printk patch:
----------------------------------------
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 9eda1c31d1f7..542a47fe6998 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -3732,10 +3732,7 @@ void netdev_run_todo(void);
*
* Release reference to device to allow it to be freed.
*/
-static inline void dev_put(struct net_device *dev)
-{
- this_cpu_dec(*dev->pcpu_refcnt);
-}
+extern void dev_put(struct net_device *dev);
/**
* dev_hold - get reference to device
@@ -3743,10 +3740,7 @@ static inline void dev_put(struct net_device *dev)
*
* Hold reference to device to keep it from being freed.
*/
-static inline void dev_hold(struct net_device *dev)
-{
- this_cpu_inc(*dev->pcpu_refcnt);
-}
+extern void dev_hold(struct net_device *dev);
/* Carrier loss detection, dial on demand. The functions netif_carrier_on
* and _off may be called from IRQ context, but it is caller
diff --git a/net/core/dev.c b/net/core/dev.c
index bf3ed413abaf..21f82aa92fad 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -8968,8 +8968,8 @@ static void netdev_wait_allrefs(struct net_device *dev)
refcnt = netdev_refcnt_read(dev);
if (refcnt && time_after(jiffies, warning_time + 10 * HZ)) {
- pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
- dev->name, refcnt);
+ pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d %px\n",
+ dev->name, refcnt, dev);
warning_time = jiffies;
}
}
@@ -9930,3 +9930,24 @@ static int __init net_dev_init(void)
}
subsys_initcall(net_dev_init);
+
+
+void dev_put(struct net_device *dev)
+{
+ this_cpu_dec(*dev->pcpu_refcnt);
+ if (!strcmp(dev->name, "bridge_slave_0")) {
+ printk("dev_put: %px %d", dev, netdev_refcnt_read(dev));
+ dump_stack();
+ }
+}
+EXPORT_SYMBOL(dev_put);
+
+void dev_hold(struct net_device *dev)
+{
+ if (!strcmp(dev->name, "bridge_slave_0")) {
+ printk("dev_hold: %px %d", dev, netdev_refcnt_read(dev));
+ dump_stack();
+ }
+ this_cpu_inc(*dev->pcpu_refcnt);
+}
+EXPORT_SYMBOL(dev_hold);
----------------------------------------
----------------------------------------
Oct 11 14:33:06 ubuntu kernel: [ 114.251175][ T8866] dev_hold: ffff888091fd2000 100
Oct 11 14:33:06 ubuntu kernel: [ 114.251185][ T8866] CPU: 3 PID: 8866 Comm: a.out Not tainted 5.4.0-rc2+ #217
Oct 11 14:33:06 ubuntu kernel: [ 114.251199][ T8866] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018
Oct 11 14:33:06 ubuntu kernel: [ 114.251208][ T8866] Call Trace:
Oct 11 14:33:06 ubuntu kernel: [ 114.251232][ T8866] dump_stack+0x154/0x1c5
Oct 11 14:33:06 ubuntu kernel: [ 114.251253][ T8866] dev_hold+0x73/0x80
Oct 11 14:33:06 ubuntu kernel: [ 114.251267][ T8866] dev_get_by_index+0x1b3/0x2d0
Oct 11 14:33:06 ubuntu kernel: [ 114.251280][ T8866] __dev_map_alloc_node+0x1c7/0x360
Oct 11 14:33:06 ubuntu kernel: [ 114.251299][ T8866] dev_map_hash_update_elem+0x485/0x670
Oct 11 14:33:06 ubuntu kernel: [ 114.251320][ T8866] __do_sys_bpf+0x35d6/0x38c0
Oct 11 14:33:06 ubuntu kernel: [ 114.251337][ T8866] ? bpf_prog_load+0x1470/0x1470
Oct 11 14:33:06 ubuntu kernel: [ 114.251351][ T8866] ? do_wp_page+0x3c8/0x1310
Oct 11 14:33:06 ubuntu kernel: [ 114.251364][ T8866] ? finish_mkwrite_fault+0x300/0x300
Oct 11 14:33:06 ubuntu kernel: [ 114.251381][ T8866] ? find_held_lock+0x35/0x1e0
Oct 11 14:33:06 ubuntu kernel: [ 114.251397][ T8866] ? __do_page_fault+0x504/0xb60
Oct 11 14:33:06 ubuntu kernel: [ 114.251413][ T8866] ? lock_downgrade+0x900/0x900
Oct 11 14:33:06 ubuntu kernel: [ 114.251426][ T8866] ? __pmd_alloc+0x410/0x410
Oct 11 14:33:06 ubuntu kernel: [ 114.251446][ T8866] ? __kasan_check_write+0x14/0x20
Oct 11 14:33:06 ubuntu kernel: [ 114.251457][ T8866] ? up_read+0x1b6/0x7a0
Oct 11 14:33:06 ubuntu kernel: [ 114.251471][ T8866] ? down_read_nested+0x480/0x480
Oct 11 14:33:06 ubuntu kernel: [ 114.251494][ T8866] ? do_syscall_64+0x26/0x6a0
Oct 11 14:33:06 ubuntu kernel: [ 114.251507][ T8866] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
Oct 11 14:33:06 ubuntu kernel: [ 114.251515][ T8866] ? do_syscall_64+0x26/0x6a0
Oct 11 14:33:06 ubuntu kernel: [ 114.251528][ T8866] __x64_sys_bpf+0x73/0xb0
Oct 11 14:33:06 ubuntu kernel: [ 114.251541][ T8866] do_syscall_64+0xde/0x6a0
Oct 11 14:33:06 ubuntu kernel: [ 114.251559][ T8866] entry_SYSCALL_64_after_hwframe+0x49/0xbe
(...snipped...)
Oct 11 14:33:10 ubuntu kernel: [ 117.459637][ T9584] dev_hold: ffff888091fd2000 200
Oct 11 14:33:10 ubuntu kernel: [ 117.459644][ T9584] CPU: 4 PID: 9584 Comm: a.out Not tainted 5.4.0-rc2+ #217
Oct 11 14:33:10 ubuntu kernel: [ 117.459652][ T9584] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018
Oct 11 14:33:10 ubuntu kernel: [ 117.459656][ T9584] Call Trace:
Oct 11 14:33:10 ubuntu kernel: [ 117.459669][ T9584] dump_stack+0x154/0x1c5
Oct 11 14:33:10 ubuntu kernel: [ 117.459682][ T9584] dev_hold+0x73/0x80
Oct 11 14:33:10 ubuntu kernel: [ 117.459695][ T9584] dev_get_by_index+0x1b3/0x2d0
Oct 11 14:33:10 ubuntu kernel: [ 117.459706][ T9584] __dev_map_alloc_node+0x1c7/0x360
Oct 11 14:33:10 ubuntu kernel: [ 117.459720][ T9584] dev_map_hash_update_elem+0x485/0x670
Oct 11 14:33:10 ubuntu kernel: [ 117.459749][ T9584] __do_sys_bpf+0x35d6/0x38c0
Oct 11 14:33:10 ubuntu kernel: [ 117.459762][ T9584] ? bpf_prog_load+0x1470/0x1470
Oct 11 14:33:10 ubuntu kernel: [ 117.459769][ T9584] ? do_wp_page+0x3c8/0x1310
Oct 11 14:33:10 ubuntu kernel: [ 117.459778][ T9584] ? finish_mkwrite_fault+0x300/0x300
Oct 11 14:33:10 ubuntu kernel: [ 117.459787][ T9584] ? find_held_lock+0x35/0x1e0
Oct 11 14:33:10 ubuntu kernel: [ 117.459797][ T9584] ? __do_page_fault+0x504/0xb60
Oct 11 14:33:10 ubuntu kernel: [ 117.459807][ T9584] ? lock_downgrade+0x900/0x900
Oct 11 14:33:10 ubuntu kernel: [ 117.459814][ T9584] ? __pmd_alloc+0x410/0x410
Oct 11 14:33:10 ubuntu kernel: [ 117.459828][ T9584] ? __kasan_check_write+0x14/0x20
Oct 11 14:33:10 ubuntu kernel: [ 117.459835][ T9584] ? up_read+0x1b6/0x7a0
Oct 11 14:33:10 ubuntu kernel: [ 117.459846][ T9584] ? down_read_nested+0x480/0x480
Oct 11 14:33:10 ubuntu kernel: [ 117.459862][ T9584] ? do_syscall_64+0x26/0x6a0
Oct 11 14:33:10 ubuntu kernel: [ 117.459871][ T9584] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
Oct 11 14:33:10 ubuntu kernel: [ 117.459878][ T9584] ? do_syscall_64+0x26/0x6a0
Oct 11 14:33:10 ubuntu kernel: [ 117.459891][ T9584] __x64_sys_bpf+0x73/0xb0
Oct 11 14:33:10 ubuntu kernel: [ 117.459901][ T9584] do_syscall_64+0xde/0x6a0
Oct 11 14:33:10 ubuntu kernel: [ 117.459911][ T9584] entry_SYSCALL_64_after_hwframe+0x49/0xbe
(...snipped...)
Oct 11 14:33:26 ubuntu kernel: [ 134.146838][T13860] dev_hold: ffff888091fd2000 850
Oct 11 14:33:26 ubuntu kernel: [ 134.146847][T13860] CPU: 4 PID: 13860 Comm: a.out Not tainted 5.4.0-rc2+ #217
Oct 11 14:33:26 ubuntu kernel: [ 134.146853][T13860] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018
Oct 11 14:33:26 ubuntu kernel: [ 134.146859][T13860] Call Trace:
Oct 11 14:33:26 ubuntu kernel: [ 134.146872][T13860] dump_stack+0x154/0x1c5
Oct 11 14:33:26 ubuntu kernel: [ 134.146885][T13860] dev_hold+0x73/0x80
Oct 11 14:33:26 ubuntu kernel: [ 134.146893][T13860] dev_get_by_index+0x1b3/0x2d0
Oct 11 14:33:26 ubuntu kernel: [ 134.146903][T13860] __dev_map_alloc_node+0x1c7/0x360
Oct 11 14:33:26 ubuntu kernel: [ 134.146918][T13860] dev_map_hash_update_elem+0x485/0x670
Oct 11 14:33:26 ubuntu kernel: [ 134.146932][T13860] __do_sys_bpf+0x35d6/0x38c0
Oct 11 14:33:26 ubuntu kernel: [ 134.146944][T13860] ? bpf_prog_load+0x1470/0x1470
Oct 11 14:33:26 ubuntu kernel: [ 134.146953][T13860] ? do_wp_page+0x3c8/0x1310
Oct 11 14:33:26 ubuntu kernel: [ 134.146964][T13860] ? finish_mkwrite_fault+0x300/0x300
Oct 11 14:33:26 ubuntu kernel: [ 134.146975][T13860] ? find_held_lock+0x35/0x1e0
Oct 11 14:33:26 ubuntu kernel: [ 134.146985][T13860] ? __do_page_fault+0x504/0xb60
Oct 11 14:33:26 ubuntu kernel: [ 134.146994][T13860] ? lock_downgrade+0x900/0x900
Oct 11 14:33:26 ubuntu kernel: [ 134.147002][T13860] ? __pmd_alloc+0x410/0x410
Oct 11 14:33:26 ubuntu kernel: [ 134.147017][T13860] ? __kasan_check_write+0x14/0x20
Oct 11 14:33:26 ubuntu kernel: [ 134.147024][T13860] ? up_read+0x1b6/0x7a0
Oct 11 14:33:26 ubuntu kernel: [ 134.147033][T13860] ? down_read_nested+0x480/0x480
Oct 11 14:33:26 ubuntu kernel: [ 134.147048][T13860] ? do_syscall_64+0x26/0x6a0
Oct 11 14:33:26 ubuntu kernel: [ 134.147056][T13860] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
Oct 11 14:33:26 ubuntu kernel: [ 134.147063][T13860] ? do_syscall_64+0x26/0x6a0
Oct 11 14:33:26 ubuntu kernel: [ 134.147074][T13860] __x64_sys_bpf+0x73/0xb0
Oct 11 14:33:26 ubuntu kernel: [ 134.147084][T13860] do_syscall_64+0xde/0x6a0
Oct 11 14:33:26 ubuntu kernel: [ 134.147095][T13860] entry_SYSCALL_64_after_hwframe+0x49/0xbe
(...snipped...)
Oct 11 14:33:41 ubuntu kernel: [ 148.384539][ T4514] unregister_netdevice: waiting for bridge_slave_0 to become free. Usage count = 850 ffff888091fd2000
----------------------------------------
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: unregister_netdevice: waiting for DEV to become free (2)
2019-10-11 10:14 ` unregister_netdevice: waiting for DEV to become free (2) Tetsuo Handa
@ 2019-10-11 15:12 ` Alexei Starovoitov
2019-10-16 10:34 ` Toke Høiland-Jørgensen
0 siblings, 1 reply; 5+ messages in thread
From: Alexei Starovoitov @ 2019-10-11 15:12 UTC (permalink / raw)
To: Tetsuo Handa, Jesper Dangaard Brouer, Toke Høiland-Jørgensen
Cc: Alexei Starovoitov, Daniel Borkmann, syzbot, ddstreet,
Dmitry Vyukov, LKML, Network Development, syzkaller-bugs, bpf
On Fri, Oct 11, 2019 at 3:15 AM Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
>
> Hello.
>
> I noticed that syzbot is reporting that refcount incremented by bpf(BPF_MAP_UPDATE_ELEM)
> syscall is not decremented when unregister_netdevice() is called. Is this a BPF bug?
Jesper, Toke,
please take a look.
> Kernel: 9e208aa06c2109b45eec6be049a8e47034748c20 on linux.git
> Config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=73c2aace7604ab7
> Reproducer: https://syzkaller.appspot.com/text?tag=ReproC&x=1215afaf600000
> Debug printk patch:
> ----------------------------------------
> diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
> index 9eda1c31d1f7..542a47fe6998 100644
> --- a/include/linux/netdevice.h
> +++ b/include/linux/netdevice.h
> @@ -3732,10 +3732,7 @@ void netdev_run_todo(void);
> *
> * Release reference to device to allow it to be freed.
> */
> -static inline void dev_put(struct net_device *dev)
> -{
> - this_cpu_dec(*dev->pcpu_refcnt);
> -}
> +extern void dev_put(struct net_device *dev);
>
> /**
> * dev_hold - get reference to device
> @@ -3743,10 +3740,7 @@ static inline void dev_put(struct net_device *dev)
> *
> * Hold reference to device to keep it from being freed.
> */
> -static inline void dev_hold(struct net_device *dev)
> -{
> - this_cpu_inc(*dev->pcpu_refcnt);
> -}
> +extern void dev_hold(struct net_device *dev);
>
> /* Carrier loss detection, dial on demand. The functions netif_carrier_on
> * and _off may be called from IRQ context, but it is caller
> diff --git a/net/core/dev.c b/net/core/dev.c
> index bf3ed413abaf..21f82aa92fad 100644
> --- a/net/core/dev.c
> +++ b/net/core/dev.c
> @@ -8968,8 +8968,8 @@ static void netdev_wait_allrefs(struct net_device *dev)
> refcnt = netdev_refcnt_read(dev);
>
> if (refcnt && time_after(jiffies, warning_time + 10 * HZ)) {
> - pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
> - dev->name, refcnt);
> + pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d %px\n",
> + dev->name, refcnt, dev);
> warning_time = jiffies;
> }
> }
> @@ -9930,3 +9930,24 @@ static int __init net_dev_init(void)
> }
>
> subsys_initcall(net_dev_init);
> +
> +
> +void dev_put(struct net_device *dev)
> +{
> + this_cpu_dec(*dev->pcpu_refcnt);
> + if (!strcmp(dev->name, "bridge_slave_0")) {
> + printk("dev_put: %px %d", dev, netdev_refcnt_read(dev));
> + dump_stack();
> + }
> +}
> +EXPORT_SYMBOL(dev_put);
> +
> +void dev_hold(struct net_device *dev)
> +{
> + if (!strcmp(dev->name, "bridge_slave_0")) {
> + printk("dev_hold: %px %d", dev, netdev_refcnt_read(dev));
> + dump_stack();
> + }
> + this_cpu_inc(*dev->pcpu_refcnt);
> +}
> +EXPORT_SYMBOL(dev_hold);
> ----------------------------------------
>
> ----------------------------------------
> Oct 11 14:33:06 ubuntu kernel: [ 114.251175][ T8866] dev_hold: ffff888091fd2000 100
> Oct 11 14:33:06 ubuntu kernel: [ 114.251185][ T8866] CPU: 3 PID: 8866 Comm: a.out Not tainted 5.4.0-rc2+ #217
> Oct 11 14:33:06 ubuntu kernel: [ 114.251199][ T8866] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018
> Oct 11 14:33:06 ubuntu kernel: [ 114.251208][ T8866] Call Trace:
> Oct 11 14:33:06 ubuntu kernel: [ 114.251232][ T8866] dump_stack+0x154/0x1c5
> Oct 11 14:33:06 ubuntu kernel: [ 114.251253][ T8866] dev_hold+0x73/0x80
> Oct 11 14:33:06 ubuntu kernel: [ 114.251267][ T8866] dev_get_by_index+0x1b3/0x2d0
> Oct 11 14:33:06 ubuntu kernel: [ 114.251280][ T8866] __dev_map_alloc_node+0x1c7/0x360
> Oct 11 14:33:06 ubuntu kernel: [ 114.251299][ T8866] dev_map_hash_update_elem+0x485/0x670
> Oct 11 14:33:06 ubuntu kernel: [ 114.251320][ T8866] __do_sys_bpf+0x35d6/0x38c0
> Oct 11 14:33:06 ubuntu kernel: [ 114.251337][ T8866] ? bpf_prog_load+0x1470/0x1470
> Oct 11 14:33:06 ubuntu kernel: [ 114.251351][ T8866] ? do_wp_page+0x3c8/0x1310
> Oct 11 14:33:06 ubuntu kernel: [ 114.251364][ T8866] ? finish_mkwrite_fault+0x300/0x300
> Oct 11 14:33:06 ubuntu kernel: [ 114.251381][ T8866] ? find_held_lock+0x35/0x1e0
> Oct 11 14:33:06 ubuntu kernel: [ 114.251397][ T8866] ? __do_page_fault+0x504/0xb60
> Oct 11 14:33:06 ubuntu kernel: [ 114.251413][ T8866] ? lock_downgrade+0x900/0x900
> Oct 11 14:33:06 ubuntu kernel: [ 114.251426][ T8866] ? __pmd_alloc+0x410/0x410
> Oct 11 14:33:06 ubuntu kernel: [ 114.251446][ T8866] ? __kasan_check_write+0x14/0x20
> Oct 11 14:33:06 ubuntu kernel: [ 114.251457][ T8866] ? up_read+0x1b6/0x7a0
> Oct 11 14:33:06 ubuntu kernel: [ 114.251471][ T8866] ? down_read_nested+0x480/0x480
> Oct 11 14:33:06 ubuntu kernel: [ 114.251494][ T8866] ? do_syscall_64+0x26/0x6a0
> Oct 11 14:33:06 ubuntu kernel: [ 114.251507][ T8866] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
> Oct 11 14:33:06 ubuntu kernel: [ 114.251515][ T8866] ? do_syscall_64+0x26/0x6a0
> Oct 11 14:33:06 ubuntu kernel: [ 114.251528][ T8866] __x64_sys_bpf+0x73/0xb0
> Oct 11 14:33:06 ubuntu kernel: [ 114.251541][ T8866] do_syscall_64+0xde/0x6a0
> Oct 11 14:33:06 ubuntu kernel: [ 114.251559][ T8866] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> (...snipped...)
> Oct 11 14:33:10 ubuntu kernel: [ 117.459637][ T9584] dev_hold: ffff888091fd2000 200
> Oct 11 14:33:10 ubuntu kernel: [ 117.459644][ T9584] CPU: 4 PID: 9584 Comm: a.out Not tainted 5.4.0-rc2+ #217
> Oct 11 14:33:10 ubuntu kernel: [ 117.459652][ T9584] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018
> Oct 11 14:33:10 ubuntu kernel: [ 117.459656][ T9584] Call Trace:
> Oct 11 14:33:10 ubuntu kernel: [ 117.459669][ T9584] dump_stack+0x154/0x1c5
> Oct 11 14:33:10 ubuntu kernel: [ 117.459682][ T9584] dev_hold+0x73/0x80
> Oct 11 14:33:10 ubuntu kernel: [ 117.459695][ T9584] dev_get_by_index+0x1b3/0x2d0
> Oct 11 14:33:10 ubuntu kernel: [ 117.459706][ T9584] __dev_map_alloc_node+0x1c7/0x360
> Oct 11 14:33:10 ubuntu kernel: [ 117.459720][ T9584] dev_map_hash_update_elem+0x485/0x670
> Oct 11 14:33:10 ubuntu kernel: [ 117.459749][ T9584] __do_sys_bpf+0x35d6/0x38c0
> Oct 11 14:33:10 ubuntu kernel: [ 117.459762][ T9584] ? bpf_prog_load+0x1470/0x1470
> Oct 11 14:33:10 ubuntu kernel: [ 117.459769][ T9584] ? do_wp_page+0x3c8/0x1310
> Oct 11 14:33:10 ubuntu kernel: [ 117.459778][ T9584] ? finish_mkwrite_fault+0x300/0x300
> Oct 11 14:33:10 ubuntu kernel: [ 117.459787][ T9584] ? find_held_lock+0x35/0x1e0
> Oct 11 14:33:10 ubuntu kernel: [ 117.459797][ T9584] ? __do_page_fault+0x504/0xb60
> Oct 11 14:33:10 ubuntu kernel: [ 117.459807][ T9584] ? lock_downgrade+0x900/0x900
> Oct 11 14:33:10 ubuntu kernel: [ 117.459814][ T9584] ? __pmd_alloc+0x410/0x410
> Oct 11 14:33:10 ubuntu kernel: [ 117.459828][ T9584] ? __kasan_check_write+0x14/0x20
> Oct 11 14:33:10 ubuntu kernel: [ 117.459835][ T9584] ? up_read+0x1b6/0x7a0
> Oct 11 14:33:10 ubuntu kernel: [ 117.459846][ T9584] ? down_read_nested+0x480/0x480
> Oct 11 14:33:10 ubuntu kernel: [ 117.459862][ T9584] ? do_syscall_64+0x26/0x6a0
> Oct 11 14:33:10 ubuntu kernel: [ 117.459871][ T9584] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
> Oct 11 14:33:10 ubuntu kernel: [ 117.459878][ T9584] ? do_syscall_64+0x26/0x6a0
> Oct 11 14:33:10 ubuntu kernel: [ 117.459891][ T9584] __x64_sys_bpf+0x73/0xb0
> Oct 11 14:33:10 ubuntu kernel: [ 117.459901][ T9584] do_syscall_64+0xde/0x6a0
> Oct 11 14:33:10 ubuntu kernel: [ 117.459911][ T9584] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> (...snipped...)
> Oct 11 14:33:26 ubuntu kernel: [ 134.146838][T13860] dev_hold: ffff888091fd2000 850
> Oct 11 14:33:26 ubuntu kernel: [ 134.146847][T13860] CPU: 4 PID: 13860 Comm: a.out Not tainted 5.4.0-rc2+ #217
> Oct 11 14:33:26 ubuntu kernel: [ 134.146853][T13860] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018
> Oct 11 14:33:26 ubuntu kernel: [ 134.146859][T13860] Call Trace:
> Oct 11 14:33:26 ubuntu kernel: [ 134.146872][T13860] dump_stack+0x154/0x1c5
> Oct 11 14:33:26 ubuntu kernel: [ 134.146885][T13860] dev_hold+0x73/0x80
> Oct 11 14:33:26 ubuntu kernel: [ 134.146893][T13860] dev_get_by_index+0x1b3/0x2d0
> Oct 11 14:33:26 ubuntu kernel: [ 134.146903][T13860] __dev_map_alloc_node+0x1c7/0x360
> Oct 11 14:33:26 ubuntu kernel: [ 134.146918][T13860] dev_map_hash_update_elem+0x485/0x670
> Oct 11 14:33:26 ubuntu kernel: [ 134.146932][T13860] __do_sys_bpf+0x35d6/0x38c0
> Oct 11 14:33:26 ubuntu kernel: [ 134.146944][T13860] ? bpf_prog_load+0x1470/0x1470
> Oct 11 14:33:26 ubuntu kernel: [ 134.146953][T13860] ? do_wp_page+0x3c8/0x1310
> Oct 11 14:33:26 ubuntu kernel: [ 134.146964][T13860] ? finish_mkwrite_fault+0x300/0x300
> Oct 11 14:33:26 ubuntu kernel: [ 134.146975][T13860] ? find_held_lock+0x35/0x1e0
> Oct 11 14:33:26 ubuntu kernel: [ 134.146985][T13860] ? __do_page_fault+0x504/0xb60
> Oct 11 14:33:26 ubuntu kernel: [ 134.146994][T13860] ? lock_downgrade+0x900/0x900
> Oct 11 14:33:26 ubuntu kernel: [ 134.147002][T13860] ? __pmd_alloc+0x410/0x410
> Oct 11 14:33:26 ubuntu kernel: [ 134.147017][T13860] ? __kasan_check_write+0x14/0x20
> Oct 11 14:33:26 ubuntu kernel: [ 134.147024][T13860] ? up_read+0x1b6/0x7a0
> Oct 11 14:33:26 ubuntu kernel: [ 134.147033][T13860] ? down_read_nested+0x480/0x480
> Oct 11 14:33:26 ubuntu kernel: [ 134.147048][T13860] ? do_syscall_64+0x26/0x6a0
> Oct 11 14:33:26 ubuntu kernel: [ 134.147056][T13860] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
> Oct 11 14:33:26 ubuntu kernel: [ 134.147063][T13860] ? do_syscall_64+0x26/0x6a0
> Oct 11 14:33:26 ubuntu kernel: [ 134.147074][T13860] __x64_sys_bpf+0x73/0xb0
> Oct 11 14:33:26 ubuntu kernel: [ 134.147084][T13860] do_syscall_64+0xde/0x6a0
> Oct 11 14:33:26 ubuntu kernel: [ 134.147095][T13860] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> (...snipped...)
> Oct 11 14:33:41 ubuntu kernel: [ 148.384539][ T4514] unregister_netdevice: waiting for bridge_slave_0 to become free. Usage count = 850 ffff888091fd2000
> ----------------------------------------
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: unregister_netdevice: waiting for DEV to become free (2)
2019-10-11 15:12 ` Alexei Starovoitov
@ 2019-10-16 10:34 ` Toke Høiland-Jørgensen
2019-11-15 9:43 ` Tetsuo Handa
0 siblings, 1 reply; 5+ messages in thread
From: Toke Høiland-Jørgensen @ 2019-10-16 10:34 UTC (permalink / raw)
To: Alexei Starovoitov, Tetsuo Handa, Jesper Dangaard Brouer
Cc: Alexei Starovoitov, Daniel Borkmann, syzbot, ddstreet,
Dmitry Vyukov, LKML, Network Development, syzkaller-bugs, bpf
Alexei Starovoitov <alexei.starovoitov@gmail.com> writes:
> On Fri, Oct 11, 2019 at 3:15 AM Tetsuo Handa
> <penguin-kernel@i-love.sakura.ne.jp> wrote:
>>
>> Hello.
>>
>> I noticed that syzbot is reporting that refcount incremented by bpf(BPF_MAP_UPDATE_ELEM)
>> syscall is not decremented when unregister_netdevice() is called. Is this a BPF bug?
>
> Jesper, Toke,
> please take a look.
Yeah, that unregister notification handler definitely looks broken for
hashmaps; I'll send a patch :)
-Toke
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: unregister_netdevice: waiting for DEV to become free (2)
2019-10-16 10:34 ` Toke Høiland-Jørgensen
@ 2019-11-15 9:43 ` Tetsuo Handa
2019-11-21 11:36 ` Toke Høiland-Jørgensen
0 siblings, 1 reply; 5+ messages in thread
From: Tetsuo Handa @ 2019-11-15 9:43 UTC (permalink / raw)
To: Toke Høiland-Jørgensen
Cc: Alexei Starovoitov, Jesper Dangaard Brouer, Alexei Starovoitov,
Daniel Borkmann, syzbot, ddstreet, Dmitry Vyukov, LKML,
Network Development, syzkaller-bugs, bpf, Yonghong Song
Hello.
syzbot is still reporting that bpf(BPF_MAP_UPDATE_ELEM) causes
unregister_netdevice() to hang. It seems that commit 546ac1ffb70d25b5
("bpf: add devmap, a map for storing net device references") assigned
dtab->netdev_map[i] at dev_map_update_elem() but commit 6f9d451ab1a33728
("xdp: Add devmap_hash map type for looking up devices by hashed index")
forgot to assign dtab->netdev_map[idx] at __dev_map_hash_update_elem()
when dev is newly allocated by __dev_map_alloc_node(). As far as I and
syzbot tested, https://syzkaller.appspot.com/x/patch.diff?x=140dd206e00000
can avoid the problem, but I don't know whether this is right location to
assign it. Please check and fix.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: unregister_netdevice: waiting for DEV to become free (2)
2019-11-15 9:43 ` Tetsuo Handa
@ 2019-11-21 11:36 ` Toke Høiland-Jørgensen
0 siblings, 0 replies; 5+ messages in thread
From: Toke Høiland-Jørgensen @ 2019-11-21 11:36 UTC (permalink / raw)
To: Tetsuo Handa
Cc: Alexei Starovoitov, Jesper Dangaard Brouer, Alexei Starovoitov,
Daniel Borkmann, syzbot, ddstreet, Dmitry Vyukov, LKML,
Network Development, syzkaller-bugs, bpf, Yonghong Song
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> writes:
> Hello.
>
> syzbot is still reporting that bpf(BPF_MAP_UPDATE_ELEM) causes
> unregister_netdevice() to hang. It seems that commit 546ac1ffb70d25b5
> ("bpf: add devmap, a map for storing net device references") assigned
> dtab->netdev_map[i] at dev_map_update_elem() but commit 6f9d451ab1a33728
> ("xdp: Add devmap_hash map type for looking up devices by hashed index")
> forgot to assign dtab->netdev_map[idx] at __dev_map_hash_update_elem()
> when dev is newly allocated by __dev_map_alloc_node(). As far as I and
> syzbot tested, https://syzkaller.appspot.com/x/patch.diff?x=140dd206e00000
> can avoid the problem, but I don't know whether this is right location to
> assign it. Please check and fix.
Hi Tetsuo
Sorry for missing this email last week :(
I think the issue is not a missing update of dtab->netdev_map (that is
not used at all for DEVMAP_HASH), but rather that dev_map_free() is not
cleaning up properly for DEVMAP_HASH types. Could you please check if
the patch below helps?
-Toke
diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index 3867864cdc2f..42ccfcb38424 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -74,7 +74,7 @@ struct bpf_dtab_netdev {
struct bpf_dtab {
struct bpf_map map;
- struct bpf_dtab_netdev **netdev_map;
+ struct bpf_dtab_netdev **netdev_map; /* DEVMAP type only */
struct list_head __percpu *flush_list;
struct list_head list;
@@ -101,6 +101,12 @@ static struct hlist_head *dev_map_create_hash(unsigned int entries)
return hash;
}
+static inline struct hlist_head *dev_map_index_hash(struct bpf_dtab *dtab,
+ int idx)
+{
+ return &dtab->dev_index_head[idx & (dtab->n_buckets - 1)];
+}
+
static int dev_map_init_map(struct bpf_dtab *dtab, union bpf_attr *attr)
{
int err, cpu;
@@ -143,24 +149,22 @@ static int dev_map_init_map(struct bpf_dtab *dtab, union bpf_attr *attr)
for_each_possible_cpu(cpu)
INIT_LIST_HEAD(per_cpu_ptr(dtab->flush_list, cpu));
- dtab->netdev_map = bpf_map_area_alloc(dtab->map.max_entries *
- sizeof(struct bpf_dtab_netdev *),
- dtab->map.numa_node);
- if (!dtab->netdev_map)
- goto free_percpu;
-
if (attr->map_type == BPF_MAP_TYPE_DEVMAP_HASH) {
dtab->dev_index_head = dev_map_create_hash(dtab->n_buckets);
if (!dtab->dev_index_head)
- goto free_map_area;
+ goto free_percpu;
spin_lock_init(&dtab->index_lock);
+ } else {
+ dtab->netdev_map = bpf_map_area_alloc(dtab->map.max_entries *
+ sizeof(struct bpf_dtab_netdev *),
+ dtab->map.numa_node);
+ if (!dtab->netdev_map)
+ goto free_percpu;
}
return 0;
-free_map_area:
- bpf_map_area_free(dtab->netdev_map);
free_percpu:
free_percpu(dtab->flush_list);
free_charge:
@@ -228,21 +232,40 @@ static void dev_map_free(struct bpf_map *map)
cond_resched();
}
- for (i = 0; i < dtab->map.max_entries; i++) {
- struct bpf_dtab_netdev *dev;
+ if (dtab->map.map_type == BPF_MAP_TYPE_DEVMAP_HASH) {
+ for (i = 0; i < dtab->n_buckets; i++) {
+ struct bpf_dtab_netdev *dev;
+ struct hlist_head *head;
+ struct hlist_node *next;
- dev = dtab->netdev_map[i];
- if (!dev)
- continue;
+ head = dev_map_index_hash(dtab, i);
- free_percpu(dev->bulkq);
- dev_put(dev->dev);
- kfree(dev);
+ hlist_for_each_entry_safe(dev, next, head, index_hlist) {
+ hlist_del_rcu(&dev->index_hlist);
+ free_percpu(dev->bulkq);
+ dev_put(dev->dev);
+ kfree(dev);
+ }
+ }
+
+ kfree(dtab->dev_index_head);
+ } else {
+ for (i = 0; i < dtab->map.max_entries; i++) {
+ struct bpf_dtab_netdev *dev;
+
+ dev = dtab->netdev_map[i];
+ if (!dev)
+ continue;
+
+ free_percpu(dev->bulkq);
+ dev_put(dev->dev);
+ kfree(dev);
+ }
+
+ bpf_map_area_free(dtab->netdev_map);
}
free_percpu(dtab->flush_list);
- bpf_map_area_free(dtab->netdev_map);
- kfree(dtab->dev_index_head);
kfree(dtab);
}
@@ -263,12 +286,6 @@ static int dev_map_get_next_key(struct bpf_map *map, void *key, void *next_key)
return 0;
}
-static inline struct hlist_head *dev_map_index_hash(struct bpf_dtab *dtab,
- int idx)
-{
- return &dtab->dev_index_head[idx & (dtab->n_buckets - 1)];
-}
-
struct bpf_dtab_netdev *__dev_map_hash_lookup_elem(struct bpf_map *map, u32 key)
{
struct bpf_dtab *dtab = container_of(map, struct bpf_dtab, map);
^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-11-21 11:36 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <00000000000056268e05737dcb95@google.com>
[not found] ` <0000000000007d22100573d66078@google.com>
2019-10-11 10:14 ` unregister_netdevice: waiting for DEV to become free (2) Tetsuo Handa
2019-10-11 15:12 ` Alexei Starovoitov
2019-10-16 10:34 ` Toke Høiland-Jørgensen
2019-11-15 9:43 ` Tetsuo Handa
2019-11-21 11:36 ` Toke Høiland-Jørgensen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).