From mboxrd@z Thu Jan 1 00:00:00 1970
From: Cong Wang
Subject: Re: [vlan_device_event] BUG: unable to handle kernel paging request at 6b6b6ccf
Date: Thu, 9 Nov 2017 16:16:01 -0800
Message-ID:
References: <20171107102156.3fgxt6y6v5y2kqnf@wfg-t540p.sh.intel.com> <20171108094832.qxvkawpw2snpcbvh@wfg-t540p.sh.intel.com> <20171108171230.ccf7lwutjysk26fc@wfg-t540p.sh.intel.com> <20171109031206.x6ta5ysdalf3lk3s@wfg-t540p.sh.intel.com> <008a7e8d-86e2-0709-d2ae-8aa743ef12ac@oracle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Cc: Fengguang Wu, Alexander Duyck, Linus Torvalds, Jeff Kirsher, Network Development, "David S. Miller", Linux Kernel Mailing List, intel-wired-lan
To: Girish Moodalbail
Return-path:
In-Reply-To: <008a7e8d-86e2-0709-d2ae-8aa743ef12ac@oracle.com>
Sender: linux-kernel-owner@vger.kernel.org
List-Id: netdev.vger.kernel.org

On Thu, Nov 9, 2017 at 7:51 AM, Girish Moodalbail wrote:
>
> Upon receiving NETDEV_DOWN event, we are calling
>
> vlan_vid_del(dev, htons(ETH_P_8021Q), 0);
>
> which in turn calls call_rcu() to queue vlan_info_free_rcu() to be called at
> some point. This free function frees the array[]
> (vlan_info.vlan_grp.vn_devices_array). My guess is that
> vlan_info_free_rcu() is being called first and then the array[] is being
> accessed in vlan_device_event().
>

Well yes and no.

No, RCU itself is not broken and we clearly unpublish the RCU pointer
before calling call_rcu().

Yes, I see where it is broken: the grp pointer still points to old
dev->vlan_info, we should re-fetch it after vlan_vid_del().

I will send a fix.

Thanks!
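
The stale-pointer pattern discussed in this message, as an added userspace C model; it is not code from the thread or from the kernel. The `model_*` and `event_down_*` helpers, the `nr_vids` and `nr_vlan_devs` fields, and `pending_free` (a stand-in for the call_rcu() queue) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdlib.h>

/* Userspace model. Type and field names echo the thread; this is not kernel code. */
struct vlan_group { int nr_vlan_devs; };
struct vlan_info { struct vlan_group grp; int nr_vids; };
struct net_device { struct vlan_info *vlan_info; }; /* RCU-published in the kernel */

static struct vlan_info *pending_free; /* stands in for the call_rcu() queue */

static int model_dev_init(struct net_device *dev, int nr_vids)
{
    dev->vlan_info = calloc(1, sizeof(*dev->vlan_info));
    if (!dev->vlan_info)
        return -1;
    dev->vlan_info->nr_vids = nr_vids;
    return 0;
}

/* Model of vlan_vid_del(): dropping the last VID unpublishes, then queues the free. */
static void model_vid_del(struct net_device *dev)
{
    struct vlan_info *vi = dev->vlan_info;

    if (!vi || --vi->nr_vids > 0)
        return;
    dev->vlan_info = NULL; /* unpublish the pointer first */
    pending_free = vi;     /* then queue vlan_info_free_rcu() */
}

/* End of the grace period: the queued callback frees the old vlan_info. */
static void model_grace_period_end(void)
{
    free(pending_free);
    pending_free = NULL;
}

/* Pattern described as broken: grp is derived before the delete and kept. */
static struct vlan_group *event_down_cached(struct net_device *dev)
{
    struct vlan_group *grp = dev->vlan_info ? &dev->vlan_info->grp : NULL;

    model_vid_del(dev);
    return grp; /* still points into the old, unpublished vlan_info */
}

/* Re-fetch after the delete: NULL tells the caller there is no group left. */
static struct vlan_group *event_down_refetch(struct net_device *dev)
{
    model_vid_del(dev);
    return dev->vlan_info ? &dev->vlan_info->grp : NULL;
}
```

In the cached variant the returned pointer is non-NULL even though `dev->vlan_info` is already NULL, so any use after the grace period touches freed memory; the re-fetch variant returns NULL in the same situation.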