2.6.34 Crash in dmaengine_put()

2.6.34 Crash in dmaengine_put()

[Jeffrey Merkey]

If someone sets the IFF_UP flags in the netdev structure without going
through ifup userspace stuff, during unregister of the the netdev
the dmaengine-put code will decrement the reference counter negative,
and crash at BUG! in the driver/dma/dmaengine.c code.  This seems
busted.

Jeff

Re: 2.6.34 Crash in dmaengine_put()

[Andrew Morton]

On Mon, 21 Jun 2010 20:57:40 -0600 Jeffrey Merkey <jeffmerkey@gmail.com> wrote:

> If someone sets the IFF_UP flags in the netdev structure without going
> through ifup userspace stuff, during unregister of the the netdev
> the dmaengine-put code will decrement the reference counter negative,
> and crash at BUG! in the driver/dma/dmaengine.c code.  This seems
> busted.
> 

Please send a copy of the kernel BUG trace.

Re: 2.6.34 Crash in dmaengine_put()

[Jeffrey Merkey]

OK.  This bug occurs if you OR in the IFF_UP flag while creating
virtual interfaces without going through the normal ifup/ifdown
scripts.  Looks like a hole.  I will post the trace shortly.  It's
easy to reproduce, take the dummy net driver, OR in the IFF_UP flag in
dummy_setup, and watch the kernel crash.

Jeff

On Mon, Jun 21, 2010 at 9:28 PM, Andrew Morton
<akpm@linux-foundation.org> wrote:
> On Mon, 21 Jun 2010 20:57:40 -0600 Jeffrey Merkey <jeffmerkey@gmail.com> wrote:
>
>> If someone sets the IFF_UP flags in the netdev structure without going
>> through ifup userspace stuff, during unregister of the the netdev
>> the dmaengine-put code will decrement the reference counter negative,
>> and crash at BUG! in the driver/dma/dmaengine.c code.  This seems
>> busted.
>>
>
> Please send a copy of the kernel BUG trace.
>

Re: 2.6.34 Crash in dmaengine_put()

[Eric Dumazet]

Le mardi 22 juin 2010 à 08:08 -0600, Jeffrey Merkey a écrit :

Please dont top post on lkml (or netdev) messages

> OK.  This bug occurs if you OR in the IFF_UP flag while creating
> virtual interfaces without going through the normal ifup/ifdown
> scripts.  Looks like a hole.  I will post the trace shortly.  It's
> easy to reproduce, take the dummy net driver, OR in the IFF_UP flag in
> dummy_setup, and watch the kernel crash.
> 

Then dont do that ?

No need to send us a trace, unless you use a pristine kernel.

IFF_UP changes rules are very strict, dont try to avoid them and claim
there is a hole or something wrong.

Check __dev_open() , __dev_close() and __dev_change_flags() were OR/AND
IFF_UP is done by core network.

Net drivers are not allowed to change IFF_UP themselves.

(DE-600 & DE-620 being the exceptions to confirm this rule, of course)


> Jeff
> 
> On Mon, Jun 21, 2010 at 9:28 PM, Andrew Morton
> <akpm@linux-foundation.org> wrote:
> > On Mon, 21 Jun 2010 20:57:40 -0600 Jeffrey Merkey <jeffmerkey@gmail.com> wrote:
> >
> >> If someone sets the IFF_UP flags in the netdev structure without going
> >> through ifup userspace stuff, during unregister of the the netdev
> >> the dmaengine-put code will decrement the reference counter negative,
> >> and crash at BUG! in the driver/dma/dmaengine.c code.  This seems
> >> busted.
> >>
> >
> > Please send a copy of the kernel BUG trace.
> >
> -

Re: 2.6.34 Crash in dmaengine_put()

[Jeffrey Merkey]

>
>> OK.  This bug occurs if you OR in the IFF_UP flag while creating
>> virtual interfaces without going through the normal ifup/ifdown
>> scripts.  Looks like a hole.  I will post the trace shortly.  It's
>> easy to reproduce, take the dummy net driver, OR in the IFF_UP flag in
>> dummy_setup, and watch the kernel crash.
>>
>
> Then dont do that ?
>
> No need to send us a trace, unless you use a pristine kernel.
>
> IFF_UP changes rules are very strict, dont try to avoid them and claim
> there is a hole or something wrong.
>
> Check __dev_open() , __dev_close() and __dev_change_flags() were OR/AND
> IFF_UP is done by core network.
>
> Net drivers are not allowed to change IFF_UP themselves.
>
> (DE-600 & DE-620 being the exceptions to confirm this rule, of course)
>

Gee.  OK, its a bug.  I see the crash when unregister_netdev is
called.  Changing a flag in a driver should not cause the kernel to
crash.  You should check the code.  The dmaengine registration should
have nothing to do with registering a netdev -- period.  I have coded
arounnd it but its damn convenient to create virtual drivers on the
fly and mark them as UP without needing to configure a bunch of text
scripts to bring one up or down.

The code itself is busted because it has a check if the dmaengine ref
count goes negative.  If you are going to have a registration layer
the rest of the OS should not have to wonder about its disconnected
state.  The busted code is right at the top of dmaengine_put where it
decrements the ref count then immediately jumps to a bug.  Need a
better way here I think to prevent needless crashes.  Someone could
just alter this flag remotely and crash a server -- HOLE - :)

Jeff