Re: xfrm, ip tunnel: non released device reference upon device unregistration

[Steffen Klassert]

On Tue, Feb 06, 2018 at 01:56:24PM +0100, Florian Westphal wrote:
> Eyal Birger <eyal.bir...@gmail.com> wrote:
> > Hi,
> > 
> > We've encountered a non released device reference upon device
> > unregistration which seems to stem from xfrm policy code.
> > 
> > The setup includes:
> > - an underlay device (e.g. eth0) using IPv4
> > - an xfrm IPv6 over IPv4 tunnel routed via the underlay device
> > - an ipip6 tunnel over the xfrm IPv6 tunnel
> > 
> > When tearing down the underlay device, after traffic had passed via the 
> > ipip6
> > tunnel, log messages of the following form are observed:
> > 
> > unregister_netdevice: waiting for eth0 to become free. Usage count = 2
> 
> This looks like it might be related to a bug reported by Hangbin Liu.
> 
> Setup is:
> 
>        Host A                --        Host B
> tun0 -- br0 (ipsec) -- eth0  --  eth0 (ipsec) -- tun0
> 
> ... where tun0 are ipip tunnels.
> 
> module removal then hangs forever as device refcount is held by
> dst_cache.
> Hangbin gave following reproducer script:
> 
> Host B:
> ip link add tun0 type ipip local 192.168.7.1 remote 192.168.7.10
> ip link set tun0 up
> ip addr add 10.0.0.2/24 dev tun0
> ip xfrm state add src 192.168.7.1 dst 192.168.7.10 spi 1000 proto ah
> auth sha1 beef_fish_pork_salad mode transport
> ip xfrm state add src 192.168.7.1 dst 192.168.7.1 spi 1000 proto ah auth
> sha1 beef_fish_pork_salad mode transport
> ip xfrm policy add src 192.168.7.1 dst 192.168.7.10 dir out tmpl src
> 192.168.7.1 dst 192.168.7.10 proto ah spi 1000 mode transport
> ip xfrm policy add src 192.168.7.10 dst 192.168.7.1 dir in tmpl src
> 192.168.7.10 dst 192.168.7.1 proto ah spi 1000 mode transport level use
> 
> On Host A (tun0 10.0.0.1, br0 192.168.7.10):
> ip addr flush dev eth0
> brctl addbr br0
> brctl addif br0 eth0
> ip link set br0 up
> ip addr add 192.168.7.10/24 dev br0
> 
> ip link add tun0 type ipip local 192.168.7.10 remote 192.168.7.1
> ip link set tun0 up
> ip addr add 10.0.0.1/24 dev tun0
> 
> ip xfrm state add src 192.168.7.10 dst 192.168.7.1 spi 1000
> proto ah auth sha1 beef_fish_pork_salad mode transport
> ip xfrm state add src 192.168.7.1 dst 192.168.7.10 spi 1000
> proto ah auth sha1 beef_fish_pork_salad mode transport
> ip xfrm policy add src 192.168.7.10 dst 192.168.7.1 dir out tmpl
> src 192.168.7.10 dst 192.168.7.1 proto ah spi 1000 mode transport
> ip xfrm policy add src 192.168.7.1 dst 192.168.7.10 dir in tmpl src 
> 192.168.7.1 dst 192.168.7.10 proto ah spi 1000 mode transport level use
> 
> # should work, else something is broken:
> ping 10.0.0.2 -c 2
> 
> # This hangs:
> modprobe -r bridge
> 
> This hangs even when I remove the ipsec xfrm pcpu cache.
> 
> What does work in above setup is this:

I gave the patch a quick try, but still I get this:

unregister_netdevice: waiting for dummy1 to become free. Usage count = 2