From: Uladzislau Rezki <urezki@gmail.com>
To: "Johan Knöös" <jknoos@google.com>
Cc: paulmck@kernel.org, Joel Fernandes <joel@joelfernandes.org>,
Gregory Rose <gvrose8192@gmail.com>,
bugs@openvswitch.org, Tonghao Zhang <xiangxia.m.yue@gmail.com>,
Netdev <netdev@vger.kernel.org>,
"Uladzislau Rezki (Sony)" <urezki@gmail.com>,
rcu <rcu@vger.kernel.org>
Subject: Re: [ovs-discuss] Double free in recent kernels after memleak fix
Date: Sat, 8 Aug 2020 13:44:00 +0200 [thread overview]
Message-ID: <20200808114400.GA15974@pc636> (raw)
In-Reply-To: <CA+Sh73O25w4ktkvnxTpjckX857C7ACqZmrSLyM-NgowADpt-yA@mail.gmail.com>
> On Fri, Aug 7, 2020 at 3:20 PM Paul E. McKenney <paulmck@kernel.org> wrote:
> >
> > On Fri, Aug 07, 2020 at 04:47:56PM -0400, Joel Fernandes wrote:
> > > Hi,
> > > Adding more of us working on RCU as well. Johan from another team at
> > > Google discovered a likely issue in openswitch, details below:
> > >
> > > On Fri, Aug 7, 2020 at 11:32 AM Johan Knöös <jknoos@google.com> wrote:
> > > >
> > > > On Tue, Aug 4, 2020 at 8:52 AM Gregory Rose <gvrose8192@gmail.com> wrote:
> > > > >
> > > > >
> > > > >
> > > > > On 8/3/2020 12:01 PM, Johan Knöös via discuss wrote:
> > > > > > Hi Open vSwitch contributors,
> > > > > >
> > > > > > We have found openvswitch is causing double-freeing of memory. The
> > > > > > issue was not present in kernel version 5.5.17 but is present in
> > > > > > 5.6.14 and newer kernels.
> > > > > >
> > > > > > After reverting the RCU commits below for debugging, enabling
> > > > > > slub_debug, lockdep, and KASAN, we see the warnings at the end of this
> > > > > > email in the kernel log (the last one shows the double-free). When I
> > > > > > revert 50b0e61b32ee890a75b4377d5fbe770a86d6a4c1 ("net: openvswitch:
> > > > > > fix possible memleak on destroy flow-table"), the symptoms disappear.
> > > > > > While I have a reliable way to reproduce the issue, I unfortunately
> > > > > > don't yet have a process that's amenable to sharing. Please take a
> > > > > > look.
> > > > > >
> > > > > > 189a6883dcf7 rcu: Remove kfree_call_rcu_nobatch()
> > > > > > 77a40f97030b rcu: Remove kfree_rcu() special casing and lazy-callback handling
> > > > > > e99637becb2e rcu: Add support for debug_objects debugging for kfree_rcu()
> > > > > > 0392bebebf26 rcu: Add multiple in-flight batches of kfree_rcu() work
> > > > > > 569d767087ef rcu: Make kfree_rcu() use a non-atomic ->monitor_todo
> > > > > > a35d16905efc rcu: Add basic support for kfree_rcu() batching
> > >
> > > Note that these reverts were only for testing the same code, because
> > > he was testing 2 different kernel versions. One of them did not have
> > > this set. So I asked him to revert. There's no known bug in the
> > > reverted code itself. But somehow these patches do make it harder for
> > > him to reproduce the issue.
>
> I'm not certain the frequency of the issue changes with and without
> these commits on 5.6.14, but at least the symptoms/definition of the
> issue changes. To clarify, this is what I've observed with different
> kernels:
> * 5.6.14: "kernel BUG at mm/slub.c:304!". Easily reproducible.
> * 5.6.14 with the above RCU commits reverted: the warnings reported in
> my original email. Easily reproducible.
> * 5.6.14 with the above RCU commits reverted and
> 50b0e61b32ee890a75b4377d5fbe770a86d6a4c1 reverted: no warnings
> observed (the frequency might be the same as on 5.5.17).
> * 5.5.17: warning at kernel/rcu/tree.c#L2239. Difficult to reproduce.
> Maybe a different root cause.
>
If you can reproduce it, maybe enabling CONFIG_KASAN will detect something?
It can detect out-of-bounds and use after free bugs.
Thanks.
--
Vlad Rezki
next prev parent reply other threads:[~2020-08-08 11:44 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CA+Sh73MJhqs7PBk6OV2AhzVjYvE1foUQUnwP5DwWR44LHZRZ9w@mail.gmail.com>
2020-08-04 15:51 ` [ovs-discuss] Double free in recent kernels after memleak fix Gregory Rose
2020-08-07 15:31 ` Johan Knöös
2020-08-07 20:47 ` Joel Fernandes
2020-08-07 20:49 ` Joel Fernandes
2020-08-07 22:20 ` Paul E. McKenney
2020-08-07 23:05 ` Johan Knöös
2020-08-08 11:44 ` Uladzislau Rezki [this message]
2020-08-10 20:08 ` Joel Fernandes
2020-08-10 20:28 ` Paul E. McKenney
2020-08-11 1:14 ` Tonghao Zhang
2020-08-11 2:24 ` Cong Wang
2020-08-11 3:26 ` Tonghao Zhang
2020-08-11 4:07 ` Cong Wang
2020-08-11 5:58 ` Tonghao Zhang
2020-08-11 18:28 ` Johan Knöös
2020-08-12 0:43 ` Cong Wang
2020-08-07 21:52 ` Cong Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200808114400.GA15974@pc636 \
--to=urezki@gmail.com \
--cc=bugs@openvswitch.org \
--cc=gvrose8192@gmail.com \
--cc=jknoos@google.com \
--cc=joel@joelfernandes.org \
--cc=netdev@vger.kernel.org \
--cc=paulmck@kernel.org \
--cc=rcu@vger.kernel.org \
--cc=xiangxia.m.yue@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.