On 12/20/2017 11:59 AM, Jiri Pirko wrote:
> Wed, Dec 20, 2017 at 07:17:50PM CET, xiyou.wangc...@gmail.com wrote:
>> On Tue, Dec 19, 2017 at 10:34 PM, Jakub Kicinski <kubak...@wp.pl> wrote:
>>> Ah, no object debug but KASAN on produces this:
>>>
>>
>>
>> I bet it is an ingress qdisc which is being freed?
>>
>>
>>
>>> [ 39.268209] BUG: KASAN: use-after-free in
>>> cpu_needs_another_gp+0x246/0x2b0
>>> [ 39.275965] Read of size 8 at addr ffff8803aa64f138 by task swapper/13/0
>>> [ 39.283524]
>>> [ 39.285256] CPU: 13 PID: 0 Comm: swapper/13 Not tainted
>>> 4.15.0-rc3-perf-00955-g1d0b01347dd5-dirty #8
>>> [ 39.295535] Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.3.4
>>> 11/08/2016
>>> [ 39.303969] Call Trace:
>>> [ 39.306769] <IRQ>
>>> [ 39.309088] dump_stack+0xa6/0x118
>>> [ 39.312957] ? _atomic_dec_and_lock+0xe8/0xe8
>>> [ 39.317895] ? cpu_needs_another_gp+0x246/0x2b0
>>> [ 39.323030] print_address_description+0x6a/0x270
>>> [ 39.328380] ? cpu_needs_another_gp+0x246/0x2b0
>>> [ 39.333510] kasan_report+0x23f/0x350
>>> [ 39.337672] cpu_needs_another_gp+0x246/0x2b0
>>> ...
>>> [ 39.383026] rcu_process_callbacks+0x1a0/0x620
>>> ...
>>
>>
>> This is confusing.
>>
>> I guess it is q->miniqp which is freed in qdisc_graft() without properly
>> waiting for rcu readers?
>
> miniqp is inside qdisc private data:
> struct ingress_sched_data {
> struct tcf_block *block;
> struct tcf_block_ext_info block_info;
> struct mini_Qdisc_pair miniqp;
> };
>
> That is freed along with the qdisc itself in:
> qdisc_destroy->qdisc_free
>
> Before miniq, tp was checked in the rcu reader path. In case it was not
> null, q was processed. In slow patch, tp is freed after rcu grace period:
> tcf_proto_destroy->kfree_rcu
>
> I assumed that since q is processed in rcu reader, it is also freed after
> a grace period, but now looking at the code I don't see it happening
> like that.
>
> So I think that change to miniq made the existing race window
> a bit wider and easier to hit.
>
> I believe that calling kfree_rcu by call_rcu should resolve this.
>
Hi,
Just sent a patch to complete qdisc_destroy from rcu callback. This
is needed to resolve a race with the lockless qdisc patches.
But I guess it should fix the miniq issue as well?
Thanks,
John
