Message ID | 1432100902-10187-2-git-send-email-simon.horman@netronome.com |
---|---|
State | Superseded, archived |
Delegated to: | David Miller |
Headers | show |
Wed, May 20, 2015 at 07:48:19AM CEST, simon.horman@netronome.com wrote: >rocker_port_fdb_flush() is called by rocker_port_stp_update() which in >turn may be called with trans == SWITCHDEV_TRANS_PREPARE and then >trans == SWITCHDEV_TRANS_COMMIT from switchdev_port_attr_set() via >br_set_state(). > >When rocker_port_fdb_flush() is called with trans == SWITCHDEV_TRANS_PREPARE >it calls rocker_port_fdb_learn() for each entry in the FDB table which in >turn calls rocker_flow_tbl_bridge() which will allocate memory using >rocker_port_kzalloc(). rocker_port_fdb_learn() will then remove the entry >from the FDB table. > >Then when rocker_port_fdb_learn() is called with >trans == SWITCHDEV_TRANS_PREPARE no calls are made to rocker_port_fdb_learn() >because there are no longer any entries present in the FDB table. Thus the >memory previously allocated by rocker_port_fdb_learn() is leaked resulting >in the kernel BUG() below. > >Furthermore, it looks like the driver ends up with an incorrect view of the >fdb table as the FDB entries are purged from the driver's table but not the >hardware's table. > >ip link add br0 type bridge >ip link set up dev eth0 >sleep 1 >ip link set dev eth0 master br0 >[ 3.704360] ------------[ cut here ]------------ >[ 3.704611] kernel BUG at drivers/net/ethernet/rocker/rocker.c:4289! >[ 3.704962] invalid opcode: 0000 [#1] SMP >[ 3.705537] Modules linked in: >[ 3.705919] CPU: 0 PID: 63 Comm: ip Not tainted 4.1.0-rc3-01046-gb9fbe709de4d #1044 >[ 3.706191] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.0-0-g4c59f5d-20150219_092859-nilsson.home.kraxel.org 04/01/2014 >[ 3.706820] task: ffff880019f70150 ti: ffff88001f92c000 task.ti: ffff88001f92c000 >[ 3.707138] RIP: 0010:[<ffffffff811f0080>] [<ffffffff811f0080>] rocker_port_attr_set+0xe0/0xf0 >[ 3.707990] RSP: 0018:ffff88001f92f808 EFLAGS: 00000212 >[ 3.708200] RAX: ffff880019d4fa68 RBX: ffff880019d4f000 RCX: 0000000000000000 >[ 3.708471] RDX: 000000000000000c RSI: ffff88001f92f890 RDI: ffff880019d4f680 >[ 3.708740] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000004 >[ 3.708999] R10: ffff880000034024 R11: 0000000000000000 R12: ffff88001f92f890 >[ 3.709276] R13: ffff88001f8f1c00 R14: 000000000000000b R15: 0000000000000000 >[ 3.709303] FS: 00007f8ab66bd700(0000) GS:ffff88001b000000(0000) knlGS:0000000000000000 >[ 3.709303] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 >[ 3.709303] CR2: 0000000000654988 CR3: 000000001f8f3000 CR4: 00000000000006b0 >[ 3.709303] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 >[ 3.709303] DR3: 0000000000000000 DR6: 0000000000000000 DR7: 0000000000000000 >[ 3.709303] Stack: >[ 3.709303] ffff88001f8f1c00 000000000000000b ffff88001f92f890 ffff880019d4f000 >[ 3.709303] ffff88001f92f890 ffffffff813332f5 ffff88001f92f880 0000000000000000 >[ 3.709303] ffff88001f92f890 0000000000000001 ffff880019d4f000 ffffffff81333627 >[ 3.709303] Call Trace: >[ 3.709303] [<ffffffff813332f5>] ? __switchdev_port_attr_set+0x25/0x90 >[ 3.709303] [<ffffffff81333627>] ? switchdev_port_attr_set+0x27/0x120 >[ 3.709303] [<ffffffff81318e86>] ? br_set_state+0x36/0x50 >[ 3.709303] [<ffffffff8131795c>] ? br_add_if+0x37c/0x400 >[ 3.709303] [<ffffffff81238ce1>] ? do_setlink+0x7e1/0x800 >[ 3.709303] [<ffffffff8111f980>] ? radix_tree_lookup_slot+0x10/0x30 >[ 3.709303] [<ffffffff81136fba>] ? nla_parse+0xaa/0x110 >[ 3.709303] [<ffffffff81239c98>] ? rtnl_newlink+0x548/0x870 >[ 3.709303] [<ffffffff8111f900>] ? __radix_tree_lookup+0x40/0xb0 >[ 3.709303] [<ffffffff81136f3e>] ? nla_parse+0x2e/0x110 >[ 3.709303] [<ffffffff81237d7e>] ? rtnetlink_rcv_msg+0x7e/0x250 >[ 3.709303] [<ffffffff8121d1be>] ? __skb_recv_datagram+0xfe/0x4b0 >[ 3.709303] [<ffffffff81237d00>] ? rtnetlink_rcv+0x30/0x30 >[ 3.709303] [<ffffffff81247948>] ? netlink_rcv_skb+0xa8/0xd0 >[ 3.709303] [<ffffffff81237cef>] ? rtnetlink_rcv+0x1f/0x30 >[ 3.709303] [<ffffffff81247210>] ? netlink_unicast+0x150/0x200 >[ 3.709303] [<ffffffff81247704>] ? netlink_sendmsg+0x374/0x3e0 >[ 3.709303] [<ffffffff8120f8cf>] ? sock_sendmsg+0xf/0x30 >[ 3.709303] [<ffffffff8120ffc3>] ? ___sys_sendmsg+0x1f3/0x200 >[ 3.709303] [<ffffffff812100d5>] ? ___sys_recvmsg+0x105/0x140 >[ 3.709303] [<ffffffff812228d9>] ? dev_get_by_name_rcu+0x69/0x90 >[ 3.709303] [<ffffffff812228d9>] ? dev_get_by_name_rcu+0x69/0x90 >[ 3.709303] [<ffffffff81217b7d>] ? skb_dequeue+0x4d/0x60 >[ 3.709303] [<ffffffff81217bb0>] ? skb_queue_purge+0x20/0x30 >[ 3.709303] [<ffffffff810ebdcf>] ? __inode_wait_for_writeback+0x5f/0xb0 >[ 3.709303] [<ffffffff810648b0>] ? autoremove_wake_function+0x30/0x30 >[ 3.709303] [<ffffffff81210ee9>] ? __sys_sendmsg+0x39/0x70 >[ 3.709303] [<ffffffff8133e097>] ? system_call_fastpath+0x12/0x6a >[ 3.709303] Code: bb 90 06 00 00 48 c7 04 24 00 00 00 00 45 31 c9 45 31 c0 48 c7 c1 c0 b7 1e 81 89 ea e8 da da ff ff eb 95 0f 1f 84 00 00 00 00 00 <0f> 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 48 83 fe 15 75 >[ 3.709303] RIP [<ffffffff811f0080>] rocker_port_attr_set+0xe0/0xf0 >[ 3.709303] RSP <ffff88001f92f808> >[ 3.721409] ---[ end trace b7481fcb7cb032aa ]--- >Segmentation fault > >Fixes: c4f20321d968 ("rocker: support prepare-commit transaction model") >Acked-by: Scott Feldman <sfeldma@gmail.com> >Signed-off-by: Simon Horman <simon.horman@netronome.com> Acked-by: Jiri Pirko <jiri@resnulli.us> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/net/ethernet/rocker/rocker.c b/drivers/net/ethernet/rocker/rocker.c index 0f5e962d691c..ce1bfab077a7 100644 --- a/drivers/net/ethernet/rocker/rocker.c +++ b/drivers/net/ethernet/rocker/rocker.c @@ -3658,7 +3658,8 @@ static int rocker_port_fdb_flush(struct rocker_port *rocker_port, found->key.vlan_id); if (err) goto err_out; - hash_del(&found->entry); + if (trans != SWITCHDEV_TRANS_PREPARE) + hash_del(&found->entry); } err_out: