Re: [PATCH] kni: restrict bifurcated device support

[Ferruh Yigit <ferruh.yigit@intel.com>]

On 10/9/2021 3:03 AM, Stephen Hemminger wrote:
> On Sat,  9 Oct 2021 00:58:30 +0100
> Ferruh Yigit <ferruh.yigit@intel.com> wrote:
> 
>> To enable bifurcated device support, rtnl_lock is released before calling
>> userspace callbacks and asynchronous requests are enabled.
>>
>> But these changes caused more issues, like bug #809, #816. To reduce the
>> scope of the problems, the bifurcated device support related changes are
>> only enabled when it is requested explicitly with new 'enable_bifurcated'
>> module parameter.
>> And bifurcated device support is disabled by default.
>>
>> So the bifurcated device related problems are isolated and they can be
>> fixed without impacting all use cases.
>>
>> Bugzilla ID: 816
>> Fixes: 631217c76135 ("kni: fix kernel deadlock with bifurcated device")
>> Cc: stable@dpdk.org
>>
>> Signed-off-by: Ferruh Yigit <ferruh.yigit@intel.com>
> 
> Calling userspace with semaphore held is still risky and buggy.
> There is no guarantee that the userspace DPDK application will be well behaved.
> And if it is not, the spinning holding RTNL would break any other network management
> functions in the kernel.
> 

Hi Stephen,

Because of what you described above, we tried the option that releases the RTNL
lock before userspace callback,
That caused a deadlock in the ifdown, and we add a workaround for it.

But now we are facing with two more issues because of the rtnl lock release,
- Bugzilla ID: 816, MAC set cause kernel deadlock
- Some requests are overwritten (because of the workaround we put for ifdown)

This patch just converts the default behavior to what it was previously.
Releasing rtnl lock still supported with the module param, but I think it
is not good idea to make it default while it is know that it is buggy.

@Thomas, @David,
Can it be possible to get this patch for -rc4? Since it has potential
to cause a deadlock in kernel as it is.

I can send a new version with documentation update.

> These are the kind of problems that make me think it there should be a
> big "DO NOT USE THIS" onto KNI. Maybe make it print a big nasty message
> (see kernel VFIO without IOMMU description) or mark kernel as tainted??
> 
> See: https://fedoraproject.org/wiki/KernelStagingPolicy
> 
> Something like:
> 
> diff --git a/kernel/linux/kni/kni_net.c b/kernel/linux/kni/kni_net.c
> index 611719b5ee27..d47fc6133cbe 100644
> --- a/kernel/linux/kni/kni_net.c
> +++ b/kernel/linux/kni/kni_net.c
> @@ -838,6 +838,14 @@ kni_net_init(struct net_device *dev)
>   	dev->header_ops      = &kni_net_header_ops;
>   	dev->ethtool_ops     = &kni_net_ethtool_ops;
>   	dev->watchdog_timeo = WD_TIMEOUT;
> +
> +	/*
> +	 * KNI is unsafe since it requires calling userspace to do
> +	 * control operations. And the overall quality according to
> +	 * kernel standards is the same as devices in staging.
> +	 */
> +	add_taint(TAINT_CRAP, LOCKDEP_STILL_OK);
> +	netdev_warn(dev, "Adding kernel taint for KNI because it is not safe\n");

I am for discussing above separate from this patch, since this patch
restores the behavior that exist since KNI module exists.