0012711: [Patch] IFP Refcount Leak Causes "Unregister Netdevice Failed" errors

ID	Project	Category	View Status	Date Submitted	Last Update

0012711	CentOS-7	kernel	public	2017-01-24 16:06	2017-05-28 07:07

Reporter	alfredo	Assigned To
Priority	normal	Severity	block	Reproducibility	random
Status	resolved	Resolution	fixed
Platform	X86_64
Product Version	7.3.1611

Summary	0012711: [Patch] IFP Refcount Leak Causes "Unregister Netdevice Failed" errors
Description	[Reproduced From RedHat Bugzilla #1416105] In net/ipv6/addrconf.c if there is a duplicate IPV6 address or some issue setting an address, a race condition exists that can cause an IFP refcount leak. Attempts to unregister a netdevice will then produce a message like: "unregister_netdevice: waiting for <device> to become free. Usage count = 1" where <device> is system specific. This issue was documented and patched upstream in Kernel 4.4.22 (and related LTS kernels) (commit 751eb6b6042a596b0080967c1a529a9fe98dac1d) but I have backported the fix to 3.10.x kernels in the attached patch. Docker users (and anyone heavily using network namespaces) are heavily affected by this issue as evidenced in this thread: https://github.com/docker/docker/issues/5618
Steps To Reproduce	Running a docker daemon featuring IPV6 support under heavy load (lots of container creation, removal) using a docker network with the MacVLAN driver will eventually produce the "waiting for <device> to become free" issue.
Additional Information	I've backported the fix from the 4.xx kernels to the 3.10.x kernel. The patch is attached.
Tags	No tags attached.

abrt_hash
URL

alfredo 2017-01-24 16:06 reporter	ipv6refcnt.patch (581 bytes) diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index b7d5ce6..dc65579 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -1656,6 +1656,7 @@ void addrconf_dad_failure(struct inet6_ifaddr ifp) spin_unlock_bh(&ifp->state_lock); addrconf_mod_dad_work(ifp, 0); + in6_ifa_put(ifp); } / Join to solicited addr multicast group. @@ -3300,6 +3301,7 @@ static void addrconf_dad_work(struct work_struct *w) addrconf_dad_begin(ifp); goto out; } else if (action == DAD_ABORT) { + in6_ifa_hold(ifp); addrconf_dad_stop(ifp, 1); goto out; } ipv6refcnt.patch (581 bytes)

toracat 2017-02-06 17:43 manager ~0028536	From the fact that this is already in the RH bugzilla (private), I presume the issue is being worked on. CentOS will get the fix once it is in the RHEL kernel. In the meantime, we can apply the patch to the centosplus kernel.

toracat 2017-02-23 16:45 manager ~0028669	kernel-plus-3.10.0-514.6.2.el7.centos.plus is out. It has the patch from this bug report.

toracat 2017-05-28 07:07 manager ~0029344	The patch is now in kernel-3.10.0-514.21.1.el7, so has been removed from the plus kernel.

Date Modified	Username	Field	Change
2017-01-24 16:06	alfredo	New Issue
2017-01-24 16:06	alfredo	File Added: ipv6refcnt.patch
2017-02-06 17:43	toracat	Note Added: 0028536
2017-02-06 17:43	toracat	Status	new => assigned
2017-02-23 16:45	toracat	Note Added: 0028669
2017-05-28 07:07	toracat	Note Added: 0029344
2017-05-28 07:07	toracat	Status	assigned => resolved
2017-05-28 07:07	toracat	Resolution	open => fixed