Linux Ethernet Bridging - Jun 2015 - [Bridge] Unable to unregister netdevice after "netfilter: bridge: forward IPv6 fragmented packets"

Hi,

I tried to run the latest Linux tree
(4a10a91756ef381bced7b88cfb9232f660b92d93) as DOM0 Xen.
After destroying a guest using network, I got the following
lines in the DOM0 kernel log:

unregister_netdevice: waiting for vif1.0 to become free. Usage count = 1

The bisector pointed the problem after the commit
efb6de9b4ba0092b2c55f6a52d16294a8a698edd
"netfilter: bridge: forward IPv6 fragmented packets".

This is happening on an xgene board. The bridge is configured
using /etc/network/interfaces:

# The primary network interface
auto xenbr0
iface xenbr0 inet dhcp
        hostname pony
        bridge_ports eth0
        bridge_stp off
        bridge_waitport 0
        bridge_fd 0
        bridge_maxwait 0

Xen tools is creating the interface vif1.0 and adding to the
bridge xenbr0.

Linux log:

device eth0 entered promiscuous mode
xenbr0: port 1(eth0) entered forwarding state
xenbr0: port 1(eth0) entered forwarding state
xenbr0: port 1(eth0) entered disabled state
xgene-enet 17020000.ethernet eth0: Link is Down
random: nonblocking pool is initialized
[....] Configuring network interfaces...
Waiting for a max of 0 seconds for eth0 to become available.
Internet Systems Consortium DHCP Client 4.3.1
Copyright 2004-2014 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/xenbr0/00:01:73:02:1a:00
Sending on   LPF/xenbr0/00:01:73:02:1a:00
Sending on   Socket/fallback
DHCPDISCOVER on xenbr0 to 255.255.255.255 port 67 interval 7
xgene-enet 17020000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
xenbr0: port 1(eth0) entered forwarding state
xenbr0: port 1(eth0) entered forwarding state
DHCPDISCOVER on xenbr0 to 255.255.255.255 port 67 interval 13
DHCPREQUEST on xenbr0 to 255.255.255.255 port 67
DHCPOFFER from 10.80.224.1
DHCPACK from 10.80.224.1
bound to 10.80.229.126 -- renewal in 19083 seconds.
done.
[ ok ] Starting rpcbind daemon....
[ ok ] Starting NFS common utilities: statd idmapd.
[ ok ] Cleaning up temporary files....
[info] Setting console screen modes.
setterm: cannot (un)set powersave mode: Inappropriate ioctl for device
[....] Setting up console font and keymap...Couldn't get a file descriptor
referring to the console
Couldn't get a file descriptor referring to the console
done.
[ ok ] Setting up X socket directories... /tmp/.X11-unix /tmp/.ICE-unix.
INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting deferred execution scheduler: atd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting SMP IRQ Balancer: irqbalance.

[ ok ] Starting NTP server: ntpd.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting system message bus: dbus.
Starting /usr/local/sbin/xenstored...
Setting domain 0 name, domid and JSON config...
Done setting up Dom0
Starting xenconsoled...
Starting QEMU as disk backend for dom0

Debian GNU/Linux 8 pony hvc0

pony login: device vif1.0 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): vif1.0: link is not ready
xen-blkback: ring-ref 8, event-channel 3, protocol 1 (arm-abi) persistent grants
vif vif-1-0 vif1.0: Guest Rx ready
IPv6: ADDRCONF(NETDEV_CHANGE): vif1.0: link becomes ready
xenbr0: port 2(vif1.0) entered forwarding state
xenbr0: port 2(vif1.0) entered forwarding state
(XEN) mm.c:1251:d0v2 gnttab_mark_dirty not implemented yet
xenbr0: port 2(vif1.0) entered disabled state
xenbr0: port 2(vif1.0) entered disabled state
device vif1.0 left promiscuous mode
xenbr0: port 2(vif1.0) entered disabled state
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "2" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: Id "T0" respawning too fast: disabled for 5 minutes
INIT: Id "4" respawning too fast: disabled for 5 minutes
unregister_netdevice: waiting for vif1.0 to become free. Usage count = 1
unregister_netdevice: waiting for vif1.0 to become free. Usage count = 1
unregister_netdevice: waiting for vif1.0 to become free. Usage count = 1

Regards,

-- 
Julien Grall

Julien Grall <julien.grall at citrix.com> wrote:
> Hi,
> 
> I tried to run the latest Linux tree
> (4a10a91756ef381bced7b88cfb9232f660b92d93) as DOM0 Xen.
> After destroying a guest using network, I got the following
> lines in the DOM0 kernel log:
> 
> unregister_netdevice: waiting for vif1.0 to become free. Usage count = 1
> 
> The bisector pointed the problem after the commit
> efb6de9b4ba0092b2c55f6a52d16294a8a698edd
> "netfilter: bridge: forward IPv6 fragmented packets".
Seems we can leak skb in br_nf_dev_queue_xmit()...  Does this fix the problem?

diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index d89f4fa..1a6fa67 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -742,7 +742,7 @@ static int br_nf_dev_queue_xmit(struct sock *sk, struct
sk_buff *skb)
 		struct brnf_frag_data *data;
 
 		if (br_validate_ipv4(skb))
-			return NF_DROP;
+			goto drop;
 
 		IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
 
@@ -767,7 +767,7 @@ static int br_nf_dev_queue_xmit(struct sock *sk, struct
sk_buff *skb)
 		struct brnf_frag_data *data;
 
 		if (br_validate_ipv6(skb))
-			return NF_DROP;
+			goto drop;
 
 		IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
 
@@ -782,12 +782,16 @@ static int br_nf_dev_queue_xmit(struct sock *sk, struct
sk_buff *skb)
 
 		if (v6ops)
 			return v6ops->fragment(sk, skb, br_nf_push_frag_xmit);
-		else
-			return -EMSGSIZE;
+
+		kfree_skb(skb);
+		return -EMSGSIZE;
 	}
 #endif
 	nf_bridge_info_free(skb);
 	return br_dev_queue_push_xmit(sk, skb);
+ drop:
+	kfree_skb(skb);
+	return 0;
 }
 
 /* PF_BRIDGE/POST_ROUTING ********************************************/