From: Andreas Hartmann <andihartmann@01019freenet.de>
To: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Cc: Michal Kubecek <mkubecek@suse.cz>,
Jason Wang <jasowang@redhat.com>,
David Miller <davem@davemloft.net>,
Network Development <netdev@vger.kernel.org>
Subject: Re: Linux 4.14 - regression: broken tun/tap / bridge network with virtio - bisected
Date: Thu, 21 Dec 2017 18:05:54 +0100 [thread overview]
Message-ID: <b10b506b-1fb1-2e85-1905-83d3ef091be1@01019freenet.de> (raw)
In-Reply-To: <CAF=yD-KFD3++koAi3mzYbH75D526QXZXBaKT5jfbNqniGMTL8w@mail.gmail.com>
On 12/20/2017 at 11:44 PM Willem de Bruijn wrote:
> On Wed, Dec 20, 2017 at 10:56 AM, Andreas Hartmann
> <andihartmann@01019freenet.de> wrote:
>> On 12/18/2017 at 06:11 PM Andreas Hartmann wrote:
>>> On 12/17/2017 at 11:33 PM Willem de Bruijn wrote:
>> [...]
>>>> I have been able to reproduce the hang by sending a UFO packet
>>>> between two guests running v4.13 on a host running v4.15-rc1.
>>>>
>>>> The vhost_net_ubuf_ref refcount indeed hits overflow (-1) from
>>>> vhost_zerocopy_callback being called for each segment of a
>>>> segmented UFO skb. This refcount is decremented then on each
>>>> segment, but incremented only once for the entire UFO skb.
>>>>
>>>> Before v4.14, these packets would be converted in skb_segment to
>>>> regular copy packets with skb_orphan_frags and the callback function
>>>> called once at this point. v4.14 added support for reference counted
>>>> zerocopy skb that can pass through skb_orphan_frags unmodified and
>>>> have their zerocopy state safely cloned with skb_zerocopy_clone.
>>>>
>>>> The call to skb_zerocopy_clone must come after skb_orphan_frags
>>>> to limit cloning of this state to those skbs that can do so safely.
>>>>
>>>> Please try a host with the following patch. This fixes it for me. I intend to
>>>> send it to net.
>>>>
>>>> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
>>>> index a592ca025fc4..d2d985418819 100644
>>>> --- a/net/core/skbuff.c
>>>> +++ b/net/core/skbuff.c
>>>> @@ -3654,8 +3654,6 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
>>>>
>>>> skb_shinfo(nskb)->tx_flags |= skb_shinfo(head_skb)->tx_flags &
>>>> SKBTX_SHARED_FRAG;
>>>> - if (skb_zerocopy_clone(nskb, head_skb, GFP_ATOMIC))
>>>> - goto err;
>>>>
>>>> while (pos < offset + len) {
>>>> if (i >= nfrags) {
>>>> @@ -3681,6 +3679,8 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
>>>>
>>>> if (unlikely(skb_orphan_frags(frag_skb, GFP_ATOMIC)))
>>>> goto err;
>>>> + if (skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC))
>>>> + goto err;
>>>>
>>>> *nskb_frag = *frag;
>>>> __skb_frag_ref(nskb_frag);
>>>>
>>>>
>>>> This is relatively inefficient, as it calls skb_zerocopy_clone for each frag
>>>> in the frags[] array. I will follow-up with a patch to net-next that only
>>>> checks once per skb:
>>>>
>>>> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
>>>> index 466581cf4cdc..a293a33604ec 100644
>>>> --- a/net/core/skbuff.c
>>>> +++ b/net/core/skbuff.c
>>>> @@ -3662,7 +3662,8 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
>>>>
>>>> skb_shinfo(nskb)->tx_flags |= skb_shinfo(head_skb)->tx_flags &
>>>> SKBTX_SHARED_FRAG;
>>>> - if (skb_zerocopy_clone(nskb, head_skb, GFP_ATOMIC))
>>>> + if (skb_orphan_frags(frag_skb, GFP_ATOMIC) ||
>>>> + skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC))
>>>> goto err;
>>>>
>>>> while (pos < offset + len) {
>>>> @@ -3676,6 +3677,11 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
>>>>
>>>> BUG_ON(!nfrags);
>>>>
>>>> + if (skb_orphan_frags(frag_skb, GFP_ATOMIC) ||
>>>> + skb_zerocopy_clone(nskb, frag_skb,
>>>> + GFP_ATOMIC))
>>>> + goto err;
>>>> +
>>>> list_skb = list_skb->next;
>>>> }
>>>>
>>>> @@ -3687,9 +3693,6 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
>>>> goto err;
>>>> }
>>>>
>>>> - if (unlikely(skb_orphan_frags(frag_skb, GFP_ATOMIC)))
>>>> - goto err;
>>>> -
>>>
>>> I'm currently testing this one.
>>>
>>
>> Test is in progress. I'm testing w/ 4.14.7, which already contains "net:
>> accept UFO datagrams from tuntap and packet".
>>
>> At first, I tested an unpatched 4.14.7 - the problem (no more killable
>> qemu-process) did occur promptly on shutdown of the machine. This was
>> expected.
>>
>> Next, I applied the above patch (the second one). Until now, I didn't
>> face any problem any more on shutdown of VMs. Looks promising.
>
> Thanks for testing.
>
> I sent the first, simpler, one to net together with another fix.
>
> http://patchwork.ozlabs.org/patch/851715/
>
If I'm using the second patch above (the more efficient one and not
"[net,1/2] skbuff: orphan frags before zerocopy clone"), which I'm
already testing here: Is it still necessary to apply this patch
"[net,2/2] skbuff: skb_copy_ubufs must release uarg even without user
frags"?
Thanks,
Andreas
next prev parent reply other threads:[~2017-12-21 17:05 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-26 14:17 Linux 4.14 - regression: broken tun/tap / bridge network with virtio - bisected Andreas Hartmann
2017-11-27 16:46 ` Andreas Hartmann
2017-11-27 16:55 ` Michal Kubecek
2017-11-27 19:09 ` Andreas Hartmann
2017-12-01 10:11 ` Andreas Hartmann
2017-12-03 11:35 ` Andreas Hartmann
2017-12-04 16:28 ` Andreas Hartmann
2017-12-05 3:50 ` Jason Wang
2017-12-05 16:23 ` Andreas Hartmann
2017-12-06 3:08 ` Jason Wang
2017-12-08 7:21 ` Andreas Hartmann
2017-12-08 8:47 ` Michal Kubecek
2017-12-08 10:31 ` Andreas Hartmann
2017-12-08 11:40 ` Michal Kubecek
2017-12-08 12:45 ` Andreas Hartmann
2017-12-08 12:58 ` Michal Kubecek
2017-12-08 13:13 ` Andreas Hartmann
2017-12-08 15:11 ` Jason Wang
2017-12-08 16:04 ` Willem de Bruijn
2017-12-08 20:11 ` Andreas Hartmann
2017-12-08 20:44 ` Andreas Hartmann
2017-12-11 15:54 ` Andreas Hartmann
2017-12-14 16:31 ` Andreas Hartmann
2017-12-14 22:17 ` Willem de Bruijn
2017-12-14 22:47 ` Willem de Bruijn
2017-12-15 6:05 ` Andreas Hartmann
2017-12-17 22:33 ` Willem de Bruijn
2017-12-18 17:11 ` Andreas Hartmann
2017-12-20 15:56 ` Andreas Hartmann
2017-12-20 22:44 ` Willem de Bruijn
2017-12-21 17:05 ` Andreas Hartmann [this message]
2017-12-21 17:11 ` Willem de Bruijn
2017-12-24 16:24 ` Andreas Hartmann
2017-12-24 18:54 ` Willem de Bruijn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b10b506b-1fb1-2e85-1905-83d3ef091be1@01019freenet.de \
--to=andihartmann@01019freenet.de \
--cc=davem@davemloft.net \
--cc=jasowang@redhat.com \
--cc=mkubecek@suse.cz \
--cc=netdev@vger.kernel.org \
--cc=willemdebruijn.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).