This debug patch series is based on '[PATCH v3] aoe: fix the potential
use-after-free problem in more places' for tracking the reference count
of using net_device in aoeif. It adds an nd_pcpu_refcnt field in the aoeif
structure. Two wrappers, nd_dev_hold() and nd_dev_put(), are used to
call dev_hold(nd)/dev_put(nd) and maintain ifp->nd_pcpu_refcnt at the
same time.

Defining DEBUG at the top of aoe.h enables the tracking function.
The nd_pcpu_refcnt will be printed to debugfs:

    rttavg: 249029 rttdev: 1781043
    nskbpool: 0
    kicked: 0
    maxbcnt: 1024
    ref: 0
    falloc: 36
    ffree: 0000000013c0033f
    52540054c48e:0:16:16
    ssthresh:8
    taint:0
    r:1270
    w:8
    enp1s0:1        <-- the aoeif->nd_pcpu_refcnt is behind nd->name

The value of aoeif->nd_pcpu_refcnt will also be printed when 'rmmod aoe':

    [23412.255237][ T2857] aoe: enp1s0->refcnt: 32, aoeif->nd_refcnt: 0

Using kernel dynamic debug can print a more detailed log, but it causes extra
overhead:

    echo -n 'file drivers/block/aoe/* +p' > /sys/kernel/debug/dynamic_debug/control

    [ 6961.938642] aoe: tx dev_put enp1s0->refcnt: 31, aoeif->nd_refcnt: 1
    [ 7023.368814] aoe: aoecmd_cfg_pkts dev_hold lo->refcnt: 30
    [ 7023.370530] aoe: aoecmd_cfg_pkts dev_hold enp1s0->refcnt: 32, aoeif->nd_refcnt: 2
    [ 7023.372977] aoe: tx dev_put lo->refcnt: 29
    [ 7023.375147] aoe: tx dev_put enp1s0->refcnt: 31, aoeif->nd_refcnt: 1

Normally, after one operation of aoe, the aoeif->nd_refcnt should be
shown as '1', which means that calls of dev_hold(nd)/dev_put(nd) are
balanced. The final '1' reference of net_device will be removed when
rmmod aoe.

Chun-Yi Lee (2):
  aoe: add reference count in aoeif for tracking the using of net_device
  aoe: using wrappers instead of dev_hold/dev_put for tracking the
    references of net_device in aoeif

 drivers/block/aoe/aoe.h    | 84 ++++++++++++++++++++++++++++++++++++++
 drivers/block/aoe/aoeblk.c |  5 +++
 drivers/block/aoe/aoecmd.c | 24 +++++------
 drivers/block/aoe/aoedev.c | 23 ++++++++++-
 drivers/block/aoe/aoenet.c |  2 +-
 5 files changed, 124 insertions(+), 14 deletions(-)

--
2.35.3
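
The balance check described in the cover letter can be automated over a captured dmesg log. The script below is an added example, not part of the patch series: it assumes the dynamic-debug line format shown above, and the names `audit` and `IDLE_REFS` are hypothetical.

```python
import re
from collections import defaultdict

# Matches the dynamic-debug lines shown in the cover letter, e.g.
#   aoe: tx dev_put enp1s0->refcnt: 31, aoeif->nd_refcnt: 1
LINE_RE = re.compile(
    r"aoe: (?P<func>\S+) (?P<op>dev_hold|dev_put) (?P<dev>\S+?)->refcnt: -?\d+"
    r"(?:, aoeif->nd_refcnt: (?P<nd>-?\d+))?"
)
IDLE_REFS = 1  # assumption taken from the letter: nd_refcnt rests at 1 between operations


def audit(log_text):
    """Return {dev: {holds, puts, last, balanced}} for devices that print an aoeif counter."""
    stats = defaultdict(lambda: {"holds": 0, "puts": 0, "last": None})
    for m in LINE_RE.finditer(log_text):
        if m.group("nd") is None:
            continue  # e.g. 'lo': the line carries no aoeif->nd_refcnt value
        s = stats[m.group("dev")]
        s["holds" if m.group("op") == "dev_hold" else "puts"] += 1
        s["last"] = int(m.group("nd"))  # most recent counter value seen
    for s in stats.values():
        # Balanced means the counter is back at its idle value at end of log.
        s["balanced"] = s["last"] == IDLE_REFS
    return dict(stats)


# Lines copied from the cover letter's dynamic-debug output.
PAGE_LOG = """\
[ 6961.938642] aoe: tx dev_put enp1s0->refcnt: 31, aoeif->nd_refcnt: 1
[ 7023.368814] aoe: aoecmd_cfg_pkts dev_hold lo->refcnt: 30
[ 7023.370530] aoe: aoecmd_cfg_pkts dev_hold enp1s0->refcnt: 32, aoeif->nd_refcnt: 2
[ 7023.372977] aoe: tx dev_put lo->refcnt: 29
[ 7023.375147] aoe: tx dev_put enp1s0->refcnt: 31, aoeif->nd_refcnt: 1
"""

# Constructed sample (not from the page): one more hold with no matching put.
LEAK_LOG = PAGE_LOG + (
    "[ 7100.000001] aoe: aoecmd_cfg_pkts dev_hold enp1s0->refcnt: 32, aoeif->nd_refcnt: 2\n"
)

if __name__ == "__main__":
    for name, log in (("page log", PAGE_LOG), ("constructed leak", LEAK_LOG)):
        for dev, s in audit(log).items():
            print(f"{name}: {dev} holds={s['holds']} puts={s['puts']} "
                  f"last={s['last']} balanced={s['balanced']}")
```

The log window on the page starts mid-operation, so hold and put counts can differ even when the counter is balanced; the final `aoeif->nd_refcnt` value is the signal to check.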