View Issue Details

ID: 0012711
Project: CentOS-7
Category: kernel
View Status: public
Last Update: 2017-05-28 07:07
Reporter: alfredo
Priority: normal
Severity: block
Reproducibility: random
Status: resolved
Resolution: fixed
Platform: X86_64
OS:
OS Version:
Product Version: 7.3.1611
Target Version:
Fixed in Version:
Summary: 0012711: [Patch] IFP Refcount Leak Causes "Unregister Netdevice Failed" errors
Description: [Reproduced From RedHat Bugzilla #1416105]

In net/ipv6/addrconf.c if there is a duplicate IPV6 address or some issue setting an address, a race condition exists that can cause an IFP refcount leak. Attempts to unregister a netdevice will then produce a message like:
"unregister_netdevice: waiting for <device> to become free. Usage count = 1" where <device> is system specific.


This issue was documented and patched upstream in Kernel 4.4.22 (and related LTS kernels) (commit 751eb6b6042a596b0080967c1a529a9fe98dac1d) but I have backported the fix to 3.10.x kernels in the attached patch.

Docker users (and anyone heavily using network namespaces) are heavily affected by this issue as evidenced in this thread:
https://github.com/docker/docker/issues/5618
Steps To Reproduce: Running a docker daemon featuring IPV6 support under heavy load (lots of container creation, removal) using a docker network with the MacVLAN driver will eventually produce the "waiting for <device> to become free" issue.
Additional Information: I've backported the fix from the 4.xx kernels to the 3.10.x kernel. The patch is attached.
Tags: No tags attached.
abrt_hash:
URL:

Activities

alfredo

2017-01-24 16:06

reporter  

ipv6refcnt.patch (581 bytes)
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index b7d5ce6..dc65579 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1656,6 +1656,7 @@ void addrconf_dad_failure(struct inet6_ifaddr *ifp)
 	spin_unlock_bh(&ifp->state_lock);
 
 	addrconf_mod_dad_work(ifp, 0);
+    in6_ifa_put(ifp);
 }
 
 /* Join to solicited addr multicast group.
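
Review bot: The unconditional in6_ifa_put(ifp) added as the last statement of addrconf_dad_failure() has no matching hold anywhere in the visible context, so a reader cannot tell which reference it releases. Add a one-line comment naming the hold it balances, and confirm that no earlier return path in this function (above the lines shown) already drops the same reference, since that would turn the leak into a double put. The new line is also indented with four spaces where the neighbouring lines use a tab; switch it to a tab to match kernel style.
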
@@ -3300,6 +3301,7 @@ static void addrconf_dad_work(struct work_struct *w)
 		addrconf_dad_begin(ifp);
 		goto out;
 	} else if (action == DAD_ABORT) {
+        in6_ifa_hold(ifp);
 		addrconf_dad_stop(ifp, 1);
 		goto out;
 	}
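
Review bot: The in6_ifa_hold(ifp) added at the top of the DAD_ABORT branch in addrconf_dad_work() has no matching put inside the branch, so the balance depends on addrconf_dad_stop(ifp, 1) or the code at the out label releasing it. Add a short comment stating where that reference is dropped, because an unmatched hold here would reintroduce the kind of leak the patch is meant to remove. As in the first hunk, the added line uses spaces for indentation while the surrounding lines use tabs.
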
toracat

2017-02-06 17:43

manager   ~0028536

From the fact that this is already in the RH bugzilla (private), I presume the issue is being worked on. CentOS will get the fix once it is in the RHEL kernel.

In the meantime, we can apply the patch to the centosplus kernel.
toracat

2017-02-23 16:45

manager   ~0028669

kernel-plus-3.10.0-514.6.2.el7.centos.plus is out. It has the patch from this bug report.
toracat

2017-05-28 07:07

manager   ~0029344

The patch is now in kernel-3.10.0-514.21.1.el7, so has been removed from the plus kernel.
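
A triage helper for the symptom and the fixed builds named in this issue, as an added example that is not part of the original report or of CentOS tooling: it counts the "waiting for <device> to become free" messages per device and checks an el7 kernel release (`uname -r`) against the builds the notes name as patched. The log lines, host name and device names are constructed, the function names are hypothetical, and it assumes centosplus builds after 514.6.2 kept the patch.

```python
import re
from collections import Counter

# Message text as quoted in the issue description.
LEAK_RE = re.compile(
    r"unregister_netdevice: waiting for (\S+) to become free\. Usage count = \d+")
# Builds the issue notes name as carrying the patch.
FIXED_STOCK = "3.10.0-514.21.1.el7"
FIXED_PLUS = "3.10.0-514.6.2.el7.centos.plus"

# Constructed sample lines; host and device names are made up.
SAMPLE_LOG = [
    "Jan 24 15:58:01 host1 kernel: unregister_netdevice: waiting for veth1a2b3c to become free. Usage count = 1",
    "Jan 24 15:58:11 host1 kernel: unregister_netdevice: waiting for veth1a2b3c to become free. Usage count = 1",
    "Jan 24 15:58:12 host1 kernel: device veth1a2b3c left promiscuous mode",
    "Jan 24 16:01:40 host1 kernel: unregister_netdevice: waiting for macvlan0 to become free. Usage count = 1",
]


def release_key(release):
    """Numeric fields of an el7 kernel release as a comparable tuple."""
    if ".el7" not in release:
        raise ValueError("only el7 kernel releases are handled")
    return tuple(int(n) for n in re.findall(r"\d+", release.split(".el7", 1)[0]))


def has_fix(release):
    """True if the release is at or past the first build noted as patched.
    Assumption: centosplus builds after 514.6.2 kept the patch."""
    floor = FIXED_PLUS if ".centos.plus" in release else FIXED_STOCK
    return release_key(release) >= release_key(floor)


def stuck_devices(log_lines):
    """Map device name to the number of leak messages seen for it."""
    hits = Counter()
    for line in log_lines:
        m = LEAK_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return dict(hits)


def triage(release, log_lines):
    """Pair the log symptom with the kernel's patch status."""
    devices = stuck_devices(log_lines)
    if not devices:
        return "no-symptom", devices
    status = "symptom-on-patched-kernel" if has_fix(release) else "symptom-on-unpatched-kernel"
    return status, devices
```

A "symptom-on-patched-kernel" result means the message has some other cause than the leak fixed here and needs separate investigation.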

Issue History

Date Modified Username Field Change
2017-01-24 16:06 alfredo New Issue
2017-01-24 16:06 alfredo File Added: ipv6refcnt.patch
2017-02-06 17:43 toracat Note Added: 0028536
2017-02-06 17:43 toracat Status new => assigned
2017-02-23 16:45 toracat Note Added: 0028669
2017-05-28 07:07 toracat Note Added: 0029344
2017-05-28 07:07 toracat Status assigned => resolved
2017-05-28 07:07 toracat Resolution open => fixed