| Message ID | 20250225094049.20142-2-liuhangbin@gmail.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | bond: fix xfrm offload issues | expand |
On 2/25/25 11:40, Hangbin Liu wrote: > The fixed commit placed mutex_lock() inside spin_lock_bh(), which triggers > a warning like: > > BUG: sleeping function called from invalid context at... > > Fix this by moving the mutex_lock() operation to a work queue. > > Fixes: 2aeeef906d5a ("bonding: change ipsec_lock from spin lock to mutex") > Reported-by: Jakub Kicinski <kuba@kernel.org> > Closes: https://lore.kernel.org/netdev/20241212062734.182a0164@kernel.org > Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> > --- > drivers/net/bonding/bond_main.c | 41 +++++++++++++++++++++++++-------- > include/net/bonding.h | 6 +++++ > 2 files changed, 37 insertions(+), 10 deletions(-) > Hi, I think there are a few issues with this solution, comments below. > diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c > index e45bba240cbc..cc7064aa4b35 100644 > --- a/drivers/net/bonding/bond_main.c > +++ b/drivers/net/bonding/bond_main.c > @@ -551,6 +551,25 @@ static void bond_ipsec_add_sa_all(struct bonding *bond) > mutex_unlock(&bond->ipsec_lock); > } > > +static void bond_xfrm_state_gc_work(struct work_struct *work) > +{ > + struct bond_xfrm_work *xfrm_work = container_of(work, struct bond_xfrm_work, work); > + struct bonding *bond = xfrm_work->bond; > + struct xfrm_state *xs = xfrm_work->xs; > + struct bond_ipsec *ipsec; > + > + mutex_lock(&bond->ipsec_lock); > + list_for_each_entry(ipsec, &bond->ipsec_list, list) { > + if (ipsec->xs == xs) { > + list_del(&ipsec->list); > + kfree(ipsec); > + xfrm_state_put(xs); > + break; > + } > + } > + mutex_unlock(&bond->ipsec_lock); > +} > + > /** > * bond_ipsec_del_sa - clear out this specific SA > * @xs: pointer to transformer state struct > @@ -558,9 +577,9 @@ static void bond_ipsec_add_sa_all(struct bonding *bond) > static void bond_ipsec_del_sa(struct xfrm_state *xs) > { > struct net_device *bond_dev = xs->xso.dev; > + struct bond_xfrm_work *xfrm_work; > struct net_device *real_dev; > netdevice_tracker tracker; > - struct bond_ipsec *ipsec; > struct bonding *bond; > struct slave *slave; > > @@ -592,15 +611,17 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs) > real_dev->xfrmdev_ops->xdo_dev_state_delete(xs); > out: > netdev_put(real_dev, &tracker); > - mutex_lock(&bond->ipsec_lock); > - list_for_each_entry(ipsec, &bond->ipsec_list, list) { > - if (ipsec->xs == xs) { > - list_del(&ipsec->list); > - kfree(ipsec); > - break; > - } > - } > - mutex_unlock(&bond->ipsec_lock); > + > + xfrm_work = kmalloc(sizeof(*xfrm_work), GFP_ATOMIC); > + if (!xfrm_work) > + return; > + What happens if this allocation fails? I think you'll leak memory and potentially call the xdo_dev callbacks for this xs again because it's still in the list. Also this xfrm_work memory doesn't get freed anywhere, so you're leaking it as well. Perhaps you can do this allocation in add_sa, it seems you can sleep there and potentially return an error if it fails, so this can never fail later. You'll have to be careful with the freeing dance though. Alternatively, make the work a part of struct bond so it doesn't need memory management, but then you need a mechanism to queue these items (e.g. a separate list with a spinlock) and would have more complexity with freeing in parallel. > + INIT_WORK(&xfrm_work->work, bond_xfrm_state_gc_work); > + xfrm_work->bond = bond; > + xfrm_work->xs = xs; > + xfrm_state_hold(xs); > + > + queue_work(bond->wq, &xfrm_work->work); Note that nothing waits for this work anywhere and .ndo_uninit runs before bond's .priv_destructor which means ipsec_lock will be destroyed and will be used afterwards when destroying bond->wq from the destructor if there were any queued works. [snip] Cheers, Nik
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index e45bba240cbc..cc7064aa4b35 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -551,6 +551,25 @@ static void bond_ipsec_add_sa_all(struct bonding *bond) mutex_unlock(&bond->ipsec_lock); } +static void bond_xfrm_state_gc_work(struct work_struct *work) +{ + struct bond_xfrm_work *xfrm_work = container_of(work, struct bond_xfrm_work, work); + struct bonding *bond = xfrm_work->bond; + struct xfrm_state *xs = xfrm_work->xs; + struct bond_ipsec *ipsec; + + mutex_lock(&bond->ipsec_lock); + list_for_each_entry(ipsec, &bond->ipsec_list, list) { + if (ipsec->xs == xs) { + list_del(&ipsec->list); + kfree(ipsec); + xfrm_state_put(xs); + break; + } + } + mutex_unlock(&bond->ipsec_lock); +} + /** * bond_ipsec_del_sa - clear out this specific SA * @xs: pointer to transformer state struct @@ -558,9 +577,9 @@ static void bond_ipsec_add_sa_all(struct bonding *bond) static void bond_ipsec_del_sa(struct xfrm_state *xs) { struct net_device *bond_dev = xs->xso.dev; + struct bond_xfrm_work *xfrm_work; struct net_device *real_dev; netdevice_tracker tracker; - struct bond_ipsec *ipsec; struct bonding *bond; struct slave *slave; @@ -592,15 +611,17 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs) real_dev->xfrmdev_ops->xdo_dev_state_delete(xs); out: netdev_put(real_dev, &tracker); - mutex_lock(&bond->ipsec_lock); - list_for_each_entry(ipsec, &bond->ipsec_list, list) { - if (ipsec->xs == xs) { - list_del(&ipsec->list); - kfree(ipsec); - break; - } - } - mutex_unlock(&bond->ipsec_lock); + + xfrm_work = kmalloc(sizeof(*xfrm_work), GFP_ATOMIC); + if (!xfrm_work) + return; + + INIT_WORK(&xfrm_work->work, bond_xfrm_state_gc_work); + xfrm_work->bond = bond; + xfrm_work->xs = xs; + xfrm_state_hold(xs); + + queue_work(bond->wq, &xfrm_work->work); } static void bond_ipsec_del_sa_all(struct bonding *bond) diff --git a/include/net/bonding.h b/include/net/bonding.h index 8bb5f016969f..d54ba5e3affb 100644 --- a/include/net/bonding.h +++ b/include/net/bonding.h @@ -209,6 +209,12 @@ struct bond_ipsec { struct xfrm_state *xs; }; +struct bond_xfrm_work { + struct work_struct work; + struct bonding *bond; + struct xfrm_state *xs; +}; + /* * Here are the locking policies for the two bonding locks: * Get rcu_read_lock when reading or RTNL when writing slave list.
The fixed commit placed mutex_lock() inside spin_lock_bh(), which triggers a warning like: BUG: sleeping function called from invalid context at... Fix this by moving the mutex_lock() operation to a work queue. Fixes: 2aeeef906d5a ("bonding: change ipsec_lock from spin lock to mutex") Reported-by: Jakub Kicinski <kuba@kernel.org> Closes: https://lore.kernel.org/netdev/20241212062734.182a0164@kernel.org Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> --- drivers/net/bonding/bond_main.c | 41 +++++++++++++++++++++++++-------- include/net/bonding.h | 6 +++++ 2 files changed, 37 insertions(+), 10 deletions(-)