From: Ido Schimmel <idosch@nvidia.com>
To: Vladimir Oltean <vladimir.oltean@nxp.com>
Cc: netdev@vger.kernel.org, Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, David Ahern <dsahern@kernel.org>
Subject: Re: [PATCH v3 net] net: ipv4/ipv6 addrconf: call igmp{,6}_group_dropped() while dev is still up
Date: Wed, 12 Apr 2023 16:34:00 +0300 [thread overview]
Message-ID: <ZDazSM5UsPPjQuKr@shredder> (raw)
In-Reply-To: <20230411144955.1604591-1-vladimir.oltean@nxp.com>
On Tue, Apr 11, 2023 at 05:49:55PM +0300, Vladimir Oltean wrote:
> ipv4 devinet calls ip_mc_down(), and ipv6 calls addrconf_ifdown(), and
> both of these eventually result in calls to dev_mc_del(), either through
> igmp_group_dropped() or igmp6_group_dropped().
>
> The problem is that dev_mc_del() does call __dev_set_rx_mode(), but this
> will not propagate all the way to the ndo_set_rx_mode() of the device,
> because of this check:
>
> /* dev_open will call this function so the list will stay sane. */
> if (!(dev->flags&IFF_UP))
> return;
>
> and the NETDEV_DOWN notifier is emitted while the interface is already
> down. OTOH we have NETDEV_GOING_DOWN which is emitted a bit earlier -
> see:
>
> dev_close_many()
> -> __dev_close_many()
> -> call_netdevice_notifiers(NETDEV_GOING_DOWN, dev);
> -> dev->flags &= ~IFF_UP;
> -> call_netdevice_notifiers(NETDEV_DOWN, dev);
>
> Normally this oversight is easy to miss, because the addresses aren't
> lost, just not synced to the device until the next up event.
>
> DSA does some processing in its dsa_slave_set_rx_mode(), and assumes
> that all addresses that were synced are also unsynced by the time the
> device is unregistered. Due to that assumption not being satisfied,
> the WARN_ON(!list_empty(&dp->mdbs)); from dsa_switch_release_ports()
> triggers, and we leak memory corresponding to the multicast addresses
> that were never synced.
>
> Minimal reproducer:
> ip link set swp0 up
> ip link set swp0 down
> echo 0000:00:00.5 > /sys/bus/pci/drivers/mscc_felix/unbind
Even with the proposed fix, wouldn't you get the same leak with the
following reproducer?
ip link set dev swp0 up
bridge fdb add 01:02:03:04:05:06 dev swp0 self local
ip link set dev swp0 down
echo 0000:00:00.5 > /sys/bus/pci/drivers/mscc_felix/unbind
If so, I wonder how other drivers that allocate memory in their
ndo_set_rx_mode() deal with this problem. I would imagine that they
flush the addresses in their ndo_stop() or as part of device dismantle.
>
> The proposal is to respond to that slightly earlier notifier with the
> IGMP address deletion, so that the ndo_set_rx_mode() of the device does
> actually get called.
>
> Fixes: 5e8a1e03aa4d ("net: dsa: install secondary unicast and multicast addresses as host FDB/MDB")
> Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
> ---
> v2->v3:
> Returned to the original strategy, with Ido's modification applied
> (to only touch the netdev notifier values, not the inetaddr notifier
> values).
>
> v2 at:
> https://patchwork.kernel.org/project/netdevbpf/patch/20230410195220.1335670-1-vladimir.oltean@nxp.com/
>
> net/ipv4/devinet.c | 2 +-
> net/ipv6/addrconf.c | 6 +++---
> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
> index 5deac0517ef7..679c9819f25b 100644
> --- a/net/ipv4/devinet.c
> +++ b/net/ipv4/devinet.c
> @@ -1588,7 +1588,7 @@ static int inetdev_event(struct notifier_block *this, unsigned long event,
> /* Send gratuitous ARP to notify of link change */
> inetdev_send_gratuitous_arp(dev, in_dev);
> break;
> - case NETDEV_DOWN:
> + case NETDEV_GOING_DOWN:
> ip_mc_down(in_dev);
> break;
> case NETDEV_PRE_TYPE_CHANGE:
> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
> index 3797917237d0..f4a3b2693d6a 100644
> --- a/net/ipv6/addrconf.c
> +++ b/net/ipv6/addrconf.c
> @@ -3670,12 +3670,12 @@ static int addrconf_notify(struct notifier_block *this, unsigned long event,
> }
> break;
>
> - case NETDEV_DOWN:
> + case NETDEV_GOING_DOWN:
> case NETDEV_UNREGISTER:
> /*
> * Remove all addresses from this interface.
> */
> - addrconf_ifdown(dev, event != NETDEV_DOWN);
> + addrconf_ifdown(dev, event != NETDEV_GOING_DOWN);
> break;
>
> case NETDEV_CHANGENAME:
> @@ -6252,7 +6252,7 @@ static void dev_disable_change(struct inet6_dev *idev)
>
> netdev_notifier_info_init(&info, idev->dev);
> if (idev->cnf.disable_ipv6)
> - addrconf_notify(NULL, NETDEV_DOWN, &info);
> + addrconf_notify(NULL, NETDEV_GOING_DOWN, &info);
> else
> addrconf_notify(NULL, NETDEV_UP, &info);
> }
> --
> 2.34.1
>
next prev parent reply other threads:[~2023-04-12 13:34 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-11 14:49 [PATCH v3 net] net: ipv4/ipv6 addrconf: call igmp{,6}_group_dropped() while dev is still up Vladimir Oltean
2023-04-12 13:34 ` Ido Schimmel [this message]
2023-04-12 13:53 ` Vladimir Oltean
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZDazSM5UsPPjQuKr@shredder \
--to=idosch@nvidia.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=vladimir.oltean@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.