search for: vhost_net_release

....651789] Pid: 21042, comm: trinity Not tainted 3.2.0-rc2-sasha-00057-ga9098b3 #5 [ 2025.653342] Call Trace: [ 2025.653792] [<ffffffff810b4a6a>] lockdep_rcu_suspicious+0xaf/0xb9 [ 2025.654916] [<ffffffff818d4c2c>] vhost_dev_cleanup+0x342/0x3ac [ 2025.655985] [<ffffffff818d4f18>] vhost_net_release+0x48/0x7f [ 2025.657247] [<ffffffff811416e3>] fput+0x11e/0x1dc [ 2025.658091] [<ffffffff8113f1ec>] filp_close+0x6e/0x79 [ 2025.658964] [<ffffffff81089ed7>] put_files_struct+0xcc/0x196 [ 2025.659971] [<ffffffff8108a034>] exit_files+0x46/0x4f [ 2025.660865] [<ffffffff8...

....651789] Pid: 21042, comm: trinity Not tainted 3.2.0-rc2-sasha-00057-ga9098b3 #5 [ 2025.653342] Call Trace: [ 2025.653792] [<ffffffff810b4a6a>] lockdep_rcu_suspicious+0xaf/0xb9 [ 2025.654916] [<ffffffff818d4c2c>] vhost_dev_cleanup+0x342/0x3ac [ 2025.655985] [<ffffffff818d4f18>] vhost_net_release+0x48/0x7f [ 2025.657247] [<ffffffff811416e3>] fput+0x11e/0x1dc [ 2025.658091] [<ffffffff8113f1ec>] filp_close+0x6e/0x79 [ 2025.658964] [<ffffffff81089ed7>] put_files_struct+0xcc/0x196 [ 2025.659971] [<ffffffff8108a034>] exit_files+0x46/0x4f [ 2025.660865] [<ffffffff8...

...A_DONE_LEN : VHOST_DMA_FAILED_LEN; > - vhost_net_ubuf_put(ubufs); > } > > /* Expects to be always run from workqueue - which acts as > with this change, vq would lose protection that provided by ubufs->kref. if another thread is waiting at vhost_net_ubuf_put_and_wait called by vhost_net_release, then after vhost_net_ubuf_put, vq would been free by vhost_net_release soon, vhost_poll_queue(&vq->poll) may cause NULL pointer Exception. another question is that vhost_zerocopy_callback is called by kfree_skb, it may called in different thread context. vhost_poll_queue is called decided...

...A_DONE_LEN : VHOST_DMA_FAILED_LEN; > - vhost_net_ubuf_put(ubufs); > } > > /* Expects to be always run from workqueue - which acts as > with this change, vq would lose protection that provided by ubufs->kref. if another thread is waiting at vhost_net_ubuf_put_and_wait called by vhost_net_release, then after vhost_net_ubuf_put, vq would been free by vhost_net_release soon, vhost_poll_queue(&vq->poll) may cause NULL pointer Exception. another question is that vhost_zerocopy_callback is called by kfree_skb, it may called in different thread context. vhost_poll_queue is called decided...

...lf Danton <hdanton at sina.com> wrote: > > > > > > Hello Jason > > > > > > On Thu, 13 Jun 2019 17:10:39 +0800 Jason Wang wrote: > > > > > > > > This is basically a kfree(ubuf) after the second vhost_net_flush() in > > > > vhost_net_release(). > > > > > > > Fairly good catch. > > > > > > > Could you please post a formal patch? > > > > > > > I'd like very much to do that; but I wont, I am afraid, until I collect a > > > Tested-by because of reproducer without a...

...On Thu, Jun 13, 2019 at 2:07 PM Hillf Danton <hdanton at sina.com> wrote: > > > > Hello Jason > > > > On Thu, 13 Jun 2019 17:10:39 +0800 Jason Wang wrote: > > > > > > This is basically a kfree(ubuf) after the second vhost_net_flush() in > > > vhost_net_release(). > > > > > Fairly good catch. > > > > > Could you please post a formal patch? > > > > > I'd like very much to do that; but I wont, I am afraid, until I collect a > > Tested-by because of reproducer without a cutting edge. > > You can ea...

...On Thu, Jun 13, 2019 at 2:07 PM Hillf Danton <hdanton at sina.com> wrote: > > > > Hello Jason > > > > On Thu, 13 Jun 2019 17:10:39 +0800 Jason Wang wrote: > > > > > > This is basically a kfree(ubuf) after the second vhost_net_flush() in > > > vhost_net_release(). > > > > > Fairly good catch. > > > > > Could you please post a formal patch? > > > > > I'd like very much to do that; but I wont, I am afraid, until I collect a > > Tested-by because of reproducer without a cutting edge. > > You can ea...

Hello Jason On Thu, 13 Jun 2019 17:10:39 +0800 Jason Wang wrote: > > This is basically a kfree(ubuf) after the second vhost_net_flush() in > vhost_net_release(). > Fairly good catch. > Could you please post a formal patch? > I'd like very much to do that; but I wont, I am afraid, until I collect a Tested-by because of reproducer without a cutting edge. Thanks Hillf

Hello Jason On Thu, 13 Jun 2019 17:10:39 +0800 Jason Wang wrote: > > This is basically a kfree(ubuf) after the second vhost_net_flush() in > vhost_net_release(). > Fairly good catch. > Could you please post a formal patch? > I'd like very much to do that; but I wont, I am afraid, until I collect a Tested-by because of reproducer without a cutting edge. Thanks Hillf

...;> - vhost_net_ubuf_put(ubufs); >> } >> >> /* Expects to be always run from workqueue - which acts as >> > with this change, vq would lose protection that provided by ubufs->kref. > if another thread is waiting at vhost_net_ubuf_put_and_wait called by > vhost_net_release, then after vhost_net_ubuf_put, vq would been free > by vhost_net_release soon, vhost_poll_queue(&vq->poll) may cause NULL > pointer Exception. > Good catch. > another question is that vhost_zerocopy_callback is called by kfree_skb, > it may called in different thread context...

...LEN; @@ -322,6 +324,8 @@ static void vhost_zerocopy_callback(struct ubuf_info *ubuf, bool success) */ if (cnt <= 1 || !(cnt % 16)) vhost_poll_queue(&vq->poll); + + rcu_read_unlock_bh(); } /* Expects to be always run from workqueue - which acts as @@ -804,6 +808,8 @@ static int vhost_net_release(struct inode *inode, struct file *f) fput(tx_sock->file); if (rx_sock) fput(rx_sock->file); + /* Make sure no callbacks are outstanding */ + synchronize_rcu_bh(); /* We do an extra flush before freeing memory, * since jobs can re-queue themselves. */ vhost_net_flush(n); -- MST

...LEN; @@ -322,6 +324,8 @@ static void vhost_zerocopy_callback(struct ubuf_info *ubuf, bool success) */ if (cnt <= 1 || !(cnt % 16)) vhost_poll_queue(&vq->poll); + + rcu_read_unlock_bh(); } /* Expects to be always run from workqueue - which acts as @@ -804,6 +808,8 @@ static int vhost_net_release(struct inode *inode, struct file *f) fput(tx_sock->file); if (rx_sock) fput(rx_sock->file); + /* Make sure no callbacks are outstanding */ + synchronize_rcu_bh(); /* We do an extra flush before freeing memory, * since jobs can re-queue themselves. */ vhost_net_flush(n); -- MST

Hi Linus, Please pull the following. Please note this needs to be merged before merging target-pending PULL which Nicholas will be sending out shortly. Thanks! The following changes since commit 1860e379875dfe7271c649058aeddffe5afd9d0d: Linux 3.15 (2014-06-08 11:19:54 -0700) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost.git tags/for_linus

Hi Linus, Please pull the following. Please note this needs to be merged before merging target-pending PULL which Nicholas will be sending out shortly. Thanks! The following changes since commit 1860e379875dfe7271c649058aeddffe5afd9d0d: Linux 3.15 (2014-06-08 11:19:54 -0700) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost.git tags/for_linus

...ffff8800ba06f6a0 ffff880092f2fdf0 ffffffff81c1c6df ffff88001a7c0000 [179906.476583] ffff880092f2fe18 ffffffff81c1c771 ffff8800b69718c0 0000000000000008 [179906.480377] Call Trace: [179906.481636] [<ffffffff81c1c6df>] vhost_net_vq_reset+0x7f/0xb0 [179906.484611] [<ffffffff81c1c771>] vhost_net_release+0x61/0xb0 [179906.487481] [<ffffffff8123237a>] __fput+0x12a/0x230 [179906.489968] [<ffffffff81232489>] ____fput+0x9/0x10 [179906.492422] [<ffffffff8113a79e>] task_work_run+0xae/0xf0 [179906.495169] [<ffffffff811172bc>] do_exit+0x44c/0xb40 [179906.497789] [<ffffffff82...

...ffff8800ba06f6a0 ffff880092f2fdf0 ffffffff81c1c6df ffff88001a7c0000 [179906.476583] ffff880092f2fe18 ffffffff81c1c771 ffff8800b69718c0 0000000000000008 [179906.480377] Call Trace: [179906.481636] [<ffffffff81c1c6df>] vhost_net_vq_reset+0x7f/0xb0 [179906.484611] [<ffffffff81c1c771>] vhost_net_release+0x61/0xb0 [179906.487481] [<ffffffff8123237a>] __fput+0x12a/0x230 [179906.489968] [<ffffffff81232489>] ____fput+0x9/0x10 [179906.492422] [<ffffffff8113a79e>] task_work_run+0xae/0xf0 [179906.495169] [<ffffffff811172bc>] do_exit+0x44c/0xb40 [179906.497789] [<ffffffff82...

...| 5 ++--- drivers/vhost/vhost.h | 2 +- drivers/vhost/vsock.c | 2 +- 6 files changed, 7 insertions(+), 8 deletions(-) diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c index c7bdeb655646..a354d8d731e3 100644 --- a/drivers/vhost/net.c +++ b/drivers/vhost/net.c @@ -996,7 +996,7 @@ static int vhost_net_release(struct inode *inode, struct file *f) vhost_net_stop(n, &tx_sock, &rx_sock); vhost_net_flush(n); vhost_dev_stop(&n->dev); - vhost_dev_cleanup(&n->dev, false); + vhost_dev_cleanup(&n->dev); vhost_net_vq_reset(n); if (tx_sock) sockfd_put(tx_sock); diff --git a...

...ee(n->vqs[VHOST_NET_VQ_TX].ubufs); + else + vhost_net_ubuf_put_and_wait(n->vqs[VHOST_NET_VQ_TX].ubufs); mutex_lock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex); n->tx_flush = false; atomic_set(&n->vqs[VHOST_NET_VQ_TX].ubufs->refcount, 1); @@ -1403,6 +1408,7 @@ static int vhost_net_release(struct inode *inode, struct file *f) synchronize_rcu(); /* We do an extra flush before freeing memory, * since jobs can re-queue themselves. */ + n->ld = true; vhost_net_flush(n); kfree(n->vqs[VHOST_NET_VQ_RX].rxq.queue); kfree(n->vqs[VHOST_NET_VQ_TX].xdp); --

...ee(n->vqs[VHOST_NET_VQ_TX].ubufs); + else + vhost_net_ubuf_put_and_wait(n->vqs[VHOST_NET_VQ_TX].ubufs); mutex_lock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex); n->tx_flush = false; atomic_set(&n->vqs[VHOST_NET_VQ_TX].ubufs->refcount, 1); @@ -1403,6 +1408,7 @@ static int vhost_net_release(struct inode *inode, struct file *f) synchronize_rcu(); /* We do an extra flush before freeing memory, * since jobs can re-queue themselves. */ + n->ld = true; vhost_net_flush(n); kfree(n->vqs[VHOST_NET_VQ_RX].rxq.queue); kfree(n->vqs[VHOST_NET_VQ_TX].xdp); --

...; +??????? else > + vhost_net_ubuf_put_and_wait(n->vqs[VHOST_NET_VQ_TX].ubufs); > ??????? mutex_lock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex); > ??????? n->tx_flush = false; > atomic_set(&n->vqs[VHOST_NET_VQ_TX].ubufs->refcount, 1); > @@ -1403,6 +1408,7 @@ static int vhost_net_release(struct inode > *inode, struct file *f) > ????synchronize_rcu(); > ????/* We do an extra flush before freeing memory, > ???? * since jobs can re-queue themselves. */ > +??? n->ld = true; > ????vhost_net_flush(n); > ????kfree(n->vqs[VHOST_NET_VQ_RX].rxq.queue); > ????kf...