Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp4221575ybb; Mon, 23 Mar 2020 16:16:00 -0700 (PDT) X-Google-Smtp-Source: ADFU+vtH3dfwuraRozkAXsM7pFENnNpzsxqKQ8jaruuc1UTwiGZUfTEA6Q+4bvrL1GezVJ3yg4/9 X-Received: by 2002:a54:4090:: with SMTP id i16mr1427717oii.18.1585005359898; Mon, 23 Mar 2020 16:15:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585005359; cv=none; d=google.com; s=arc-20160816; b=OLHTeRcLY1ah+xL5gv1Yv4mTAHBlkCh+2AKRGOvb4cBM3L2GsMP1LRa7hE7cnEa96G jawVT5QMNQemWZGRekmo5gDTqxHUNytEKRB03SNEJYmGEQ7fcK2FCLonD87bFY3FirQq YjG+TtzN2u6Ao7g6k6cwpYwTrvJXVmQI6Srbsb/87tImcng5PQnzsaA8QjKfoZoBVPyv vf1d+exxsI9dNKEel1ifyXH1KmYqtk2DQ00pJNybF9OV6rg6v6AIa9cFEv+1E7t4wH+X 4jh9Lvn3DXJH3t6RX7XJQEhIosU6IRkrhOLMSGD674iFMwrb+X0Xt3xNjLPchi0OjCe7 duWw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=6XMWmroL8l0RyumbjJQMXqqTUiBB/qlm/O2qNYaLqxs=; b=F/QAGmLf0iGtwAUahZJCq9DXpkOGzmaqwG+96uImORYJp5vTtWZpyGb/3Yl+CYY+u4 x8ddAaaMh1BOCuLEY2KDt/FAxcNPnzzFn3FrNKlZP4t2UENJMhJ4Y7hakGLzy13XVpiP /ZpMXvkjErRhiP7ZxvQJn+hpZ1N6wrucEmXRbgCVla9Lxjl5s6KPxakScl7wn9iA4KyU 6JJCBorj68zeLxRjRuEwRSsuJLXI5y2+ZxP7XLurdS1uxZS0PkcNdj7mvaC4t4GWmZVd wNAejIzSZx3mA7njae19vyOM11IT79EZ90G2CDAxe24yoNT+qRibT/N8qHx/7ktdUE0p CoAw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=g8kc3zua; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y18si411827ooq.45.2020.03.23.16.15.46; Mon, 23 Mar 2020 16:15:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=g8kc3zua; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727053AbgCWXPH (ORCPT + 99 others); Mon, 23 Mar 2020 19:15:07 -0400 Received: from mail-oi1-f196.google.com ([209.85.167.196]:36261 "EHLO mail-oi1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725990AbgCWXPH (ORCPT ); Mon, 23 Mar 2020 19:15:07 -0400 Received: by mail-oi1-f196.google.com with SMTP id k18so16698751oib.3; Mon, 23 Mar 2020 16:15:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6XMWmroL8l0RyumbjJQMXqqTUiBB/qlm/O2qNYaLqxs=; b=g8kc3zua4EN8yhOvo2P3ovQ9jQiLF1szvCtR0XEAsm2wMuvlYDYuPxGBRsqxzKJYAc 4a8I/I1nB/5+ffpBCTbehxZMdRsEs5jDx8VXGxIpnr/pX1NWDroh7ehtXRMgebkoDF7v OF/gFgMQO+/FTOwAnTZFGFbdjxYcN36Vxa5uvKHsqmvOczR1Gr+g1CE0EkglFWDZu0ar w2H7QtmFhbbXIJxc03vwj/bJKZsYR9Yku5oeuUldltz66QFsel1OFFSyapHhEc1AZdCH BBRZCUvFw2sxxd+XzJfR0S3ROcjZQIG6dRQaQtNOJPXdBIYd9pSRQspP4PoetbNQFy8a zVbw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6XMWmroL8l0RyumbjJQMXqqTUiBB/qlm/O2qNYaLqxs=; b=E6JFiZKmK7hDstkb0iwl7k6qzyZyfupsbHl4nIjfpcbC/tByR9q4cRrOdwg+YwdpyX DaKYLSCANevHcuJdOrqIVY5F+VU/3kZRNtwa/SSoXuNv1Au8yawTMtoIhoFoJq6Nz07L X8HcPXmUqn0IvCTvstVHOUQDu1uJd4zFTT2Tv/HVornwWL7YmHJYg9CVmzQunjObXnR0 j9BCVG63n6M3UvmWz6nOTYWHUFbyYwISNfS7aLv0b5Ujirs9IzqAViBSPfz/QUK1Y4kd 0Z6IvFxaZDh32LAygUE41EH99G4ba9F7D1BA3nfKgxPJ5hWS4KX0KPT3rSehRkihVhkQ DkNA== X-Gm-Message-State: ANhLgQ3GnL11xzeooI0GvOCkh9toHnhPqQzL0rXmA1MrBcDkSZAoHx09 qh1c92J/SALwukZl1PmBstWvWjHz+Nc9YgH4hehSWXipJRk= X-Received: by 2002:a05:6808:648:: with SMTP id z8mr1417673oih.72.1585005306171; Mon, 23 Mar 2020 16:15:06 -0700 (PDT) MIME-Version: 1.0 References: <000000000000742e9e05a10170bc@google.com> <87a74arown.fsf@nanos.tec.linutronix.de> <87ftdypyec.fsf@nanos.tec.linutronix.de> In-Reply-To: <87ftdypyec.fsf@nanos.tec.linutronix.de> From: Cong Wang Date: Mon, 23 Mar 2020 16:14:55 -0700 Message-ID: Subject: Re: WARNING: ODEBUG bug in tcindex_destroy_work (3) To: Thomas Gleixner Cc: syzbot , David Miller , Jamal Hadi Salim , Jiri Pirko , Jakub Kicinski , LKML , Linux Kernel Network Developers , syzkaller-bugs Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Mar 23, 2020 at 2:14 PM Thomas Gleixner wrote: > > Cong Wang writes: > > On Sat, Mar 21, 2020 at 3:19 AM Thomas Gleixner wrote: > >> > ------------[ cut here ]------------ > >> > ODEBUG: free active (active state 0) object type: work_struct hint: tcindex_destroy_rexts_work+0x0/0x20 net/sched/cls_tcindex.c:143 > >> ... > >> > __debug_check_no_obj_freed lib/debugobjects.c:967 [inline] > >> > debug_check_no_obj_freed+0x2e1/0x445 lib/debugobjects.c:998 > >> > kfree+0xf6/0x2b0 mm/slab.c:3756 > >> > tcindex_destroy_work+0x2e/0x70 net/sched/cls_tcindex.c:231 > >> > >> So this is: > >> > >> kfree(p->perfect); > >> > >> Looking at the place which queues that work: > >> > >> tcindex_destroy() > >> > >> if (p->perfect) { > >> if (tcf_exts_get_net(&r->exts)) > >> tcf_queue_work(&r-rwork, tcindex_destroy_rexts_work); > >> else > >> __tcindex_destroy_rexts(r) > >> } > >> > >> ..... > >> > >> tcf_queue_work(&p->rwork, tcindex_destroy_work); > >> > >> So obviously if tcindex_destroy_work() runs before > >> tcindex_destroy_rexts_work() then the above happens. > > > > We use an ordered workqueue for tc filters, so these two > > works are executed in the same order as they are queued. > > The workqueue is ordered, but look how the work is queued on the work > queue: > > tcf_queue_work() > queue_rcu_work() > call_rcu(&rwork->rcu, rcu_work_rcufn); > > So after the grace period elapses rcu_work_rcufn() queues it in the > actual work queue. > > Now tcindex_destroy() is invoked via tcf_proto_destroy() which can be > invoked from preemtible context. Now assume the following: > > CPU0 > tcf_queue_work() > tcf_queue_work(&r->rwork, tcindex_destroy_rexts_work); > > -> Migration > > CPU1 > tcf_queue_work(&p->rwork, tcindex_destroy_work); > > So your RCU callbacks can be placed on different CPUs which obviously > has no ordering guarantee at all. See also: Good catch! I thought about this when I added this ordered workqueue, but it seems I misinterpret max_active, so despite we have max_active==1, more than 1 work could still be queued on different CPU's here. I don't know how to fix this properly, I think essentially RCU work should be guaranteed the same ordering with regular work. But this seems impossible unless RCU offers some API to achieve that. Thanks.