Re: [PATCH] kni: restrict bifurcated device support

[Stephen Hemminger <stephen@networkplumber.org>]

On Tue, 23 Nov 2021 09:54:01 +0000
Ferruh Yigit <ferruh.yigit@intel.com> wrote:

> On 10/9/2021 3:03 AM, Stephen Hemminger wrote:
> > On Sat,  9 Oct 2021 00:58:30 +0100
> > Ferruh Yigit <ferruh.yigit@intel.com> wrote:
> >   
> >> To enable bifurcated device support, rtnl_lock is released before calling
> >> userspace callbacks and asynchronous requests are enabled.
> >>
> >> But these changes caused more issues, like bug #809, #816. To reduce the
> >> scope of the problems, the bifurcated device support related changes are
> >> only enabled when it is requested explicitly with new 'enable_bifurcated'
> >> module parameter.
> >> And bifurcated device support is disabled by default.
> >>
> >> So the bifurcated device related problems are isolated and they can be
> >> fixed without impacting all use cases.
> >>
> >> Bugzilla ID: 816
> >> Fixes: 631217c76135 ("kni: fix kernel deadlock with bifurcated device")
> >> Cc: stable@dpdk.org
> >>
> >> Signed-off-by: Ferruh Yigit <ferruh.yigit@intel.com>  
> > 
> > Calling userspace with semaphore held is still risky and buggy.
> > There is no guarantee that the userspace DPDK application will be well behaved.
> > And if it is not, the spinning holding RTNL would break any other network management
> > functions in the kernel.
> >   
> 
> Hi Stephen,
> 
> Because of what you described above, we tried the option that releases the RTNL
> lock before userspace callback,
> That caused a deadlock in the ifdown, and we add a workaround for it.
> 
> But now we are facing with two more issues because of the rtnl lock release,
> - Bugzilla ID: 816, MAC set cause kernel deadlock
> - Some requests are overwritten (because of the workaround we put for ifdown)
> 
> This patch just converts the default behavior to what it was previously.
> Releasing rtnl lock still supported with the module param, but I think it
> is not good idea to make it default while it is know that it is buggy.
> 
> @Thomas, @David,
> Can it be possible to get this patch for -rc4? Since it has potential
> to cause a deadlock in kernel as it is.
> 
> I can send a new version with documentation update.

Is it possible for userspace to choose the correct behavior instead
of module option. Users will do it wrong.


> 
> > These are the kind of problems that make me think it there should be a
> > big "DO NOT USE THIS" onto KNI. Maybe make it print a big nasty message
> > (see kernel VFIO without IOMMU description) or mark kernel as tainted??
> > 
> > See: https://fedoraproject.org/wiki/KernelStagingPolicy
> > 
> > Something like:
> > 
> > diff --git a/kernel/linux/kni/kni_net.c b/kernel/linux/kni/kni_net.c
> > index 611719b5ee27..d47fc6133cbe 100644
> > --- a/kernel/linux/kni/kni_net.c
> > +++ b/kernel/linux/kni/kni_net.c
> > @@ -838,6 +838,14 @@ kni_net_init(struct net_device *dev)
> >   	dev->header_ops      = &kni_net_header_ops;
> >   	dev->ethtool_ops     = &kni_net_ethtool_ops;
> >   	dev->watchdog_timeo = WD_TIMEOUT;
> > +
> > +	/*
> > +	 * KNI is unsafe since it requires calling userspace to do
> > +	 * control operations. And the overall quality according to
> > +	 * kernel standards is the same as devices in staging.
> > +	 */
> > +	add_taint(TAINT_CRAP, LOCKDEP_STILL_OK);
> > +	netdev_warn(dev, "Adding kernel taint for KNI because it is not safe\n");  
> 
> I am for discussing above separate from this patch, since this patch
> restores the behavior that exist since KNI module exists.

Any user of KNI will already get tainted because KNI is out of tree driver.