[033/151] lnet: resolve unsafe list access

Message ID	1569869810-23848-34-git-send-email-jsimmons@infradead.org (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=+Pn3=XZ=lists.lustre.org=lustre-devel-bounces@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org CADEC224D5 From: James Simmons <jsimmons@infradead.org> To: Andreas Dilger <adilger@whamcloud.com>, Oleg Drokin <green@whamcloud.com>, NeilBrown <neilb@suse.com> Date: Mon, 30 Sep 2019 14:54:52 -0400 Message-Id: <1569869810-23848-34-git-send-email-jsimmons@infradead.org> In-Reply-To: <1569869810-23848-1-git-send-email-jsimmons@infradead.org> References: <1569869810-23848-1-git-send-email-jsimmons@infradead.org> Subject: [lustre-devel] [PATCH 033/151] lnet: resolve unsafe list access Precedence: list Cc: Amir Shehata <ashehata@whamcloud.com>, Lustre Development List <lustre-devel@lists.lustre.org> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: lustre-devel-bounces@lists.lustre.org Sender: "lustre-devel" <lustre-devel-bounces@lists.lustre.org>
Series	lustre: update to 2.11 support \| expand [000/151] lustre: update to 2.11 support [001/151] lnet: fix needed headers for lnet headers [002/151] lustre: fix signal handling in abortable waits. [003/151] lnet: ksocklnd: add secondary IP address handling [004/151] lnet: o2iblnd: add secondary IP address handling [005/151] lnet: consoldate secondary IP address handling [006/151] lustre: support for gcc8 [007/151] lnet: Allocate MEs and small MDs in own kmem_caches [008/151] lustre: seq: make seq_proc_write_common() safer [009/151] lustre: ptlrpc: Fix an rq_no_reply assertion failure [010/151] lustre: fld: resend seq lookup RPC if it is on LWP [011/151] lustre: fld: retry fld rpc even for ESHUTDOWN [012/151] lustre: fld: retry fld rpc until the import is closed [013/151] lustre: fld: fld client lookup should retry [014/151] lustre: ldlm: testcases for multiple modify RPCs feature [015/151] lustre: ldlm: Don't check opcode with NULL rq_reqmsg [016/151] lustre: all: remove all Sun license and URL references [017/151] lustre: ldlm: Use interval tree to update kms [018/151] lustre: osc: prepare OSC code to be used from MDC [019/151] lustre: statahead: support striped directory [020/151] lustre: readdir: improve striped readdir [021/151] lustre: llog: consolidate common error checking [022/151] lustre: llite: NULL pointer dereference in cl_object_top() [023/151] lustre: ptlrpc: remove incorrect pid printing [024/151] lnet: Fix lost lock [025/151] lustre: llite: Reduce overhead for ll_do_fast_read [026/151] lustre: ptlrpc: change cr_sent_tv from timespec to ktime [027/151] lustre: ptlrpc: Use C99 initializer in ptlrpc_register_rqbd() [028/151] lustre: lmv: stripe dir page may be released mistakenly [029/151] lnet: selftest: Use C99 struct initializer in framework.c [030/151] lnet: fix memory leak and lnet_interfaces_max [031/151] lnet: decref on peer after use [032/151] lnet: rediscover peer if it changed [033/151] lnet: resolve unsafe list access [034/151] lustre: llite: Implement ladvise lockahead [035/151] lustre: jobstats: move jobstats code into separate file. [036/151] lustre: ldlm: don't use jiffies as sysfs parameter [037/151] lnet: Handle ping buffer with only loopback NID [038/151] lustre: llite: enable readahead for small read_ahead_per_file [039/151] lnet: don't discover loopback interface [040/151] lnet: reduce logging severity [041/151] lustre: ptlrpc: migrate pinger to 64 bit time [042/151] lustre: mdc: add cl_device to the MDC [043/151] lustre: lov: add MDT target to the LOV device [044/151] lustre: mdt: IO request handling in MDT [045/151] lustre: osc: common client setup/cleanup [046/151] lustre: mdc: add IO methods to the MDC [047/151] lustre: lvbo: pass lock as parameter to lvbo_update() [048/151] lustre: mds: add IO locking to the MDC and MDT [049/151] lustre: mdc: add IO stats in mdc [050/151] lustre: lov: add Data-on-MDT tests and fixes [051/151] lustre: mdc: use generic grant code at MDT [052/151] lustre: mds: combine DoM bit with other IBITS [053/151] lustre: llite: increase whole-file readahead to RPC size [054/151] lustre: ldlm: remove liblustre remnants [055/151] lustre: misc: replace LASSERT() with BUILD_BUG_ON() [056/151] lustre: llite: check layout size after cl_object_layout_get [057/151] lustre: mdc: implement own mdc_io_fsync_start() [058/151] lustre: ldlm: migrate the rest of the code to 64 bit time [059/151] lustre: llite: sync bdi sysfs name with lustre sysfs tree [060/151] lustre: lov: allow lov..stripe{size, count}=-1 param [061/151] lustre: brw: add short io osc/ost transfer. [062/151] lustre: lov: take lov layout lock for I/O with ignore_layout [063/151] lustre: lov: pack lsm_flags from layout [064/151] lustre: clio: introduce CIT_GLIMPSE for glimpse [065/151] lustre: flr: add infrastructure to create a new mirror [066/151] lustre: clio: no glimpse for data immutable file [067/151] lustre: flr: read support for flr [068/151] lustre: lov: rework write intent on componect instantiation [069/151] lustre: ptlrpc: use lu_extent in layout_intent [070/151] lustre: flr: Send write intent RPC to mdt [071/151] lustre: flr: extend DATA_VERSION API to read layout version [072/151] lustre: lov: skip empty pages in lov_io_submit() [073/151] lustre: mdc: don't assert on name pack [074/151] lustre: flr: mirror read and write [075/151] lustre: flr: resync support and test tool [076/151] lustre: flr: randomize mirror pick [077/151] lustre: flr: instantiate component for truncate [078/151] lustre: hsm: don't release with wrong size [079/151] lustre: mdc: Add an additional set of 64 changelog flags [080/151] lustre: ldlm: assume OBD_CONNECT_IBITS [081/151] lustre: llite: assume OBD_CONNECT_ATTRFID [082/151] lustre: llite: simplify ll_inode_revalidate() [083/151] lustre: obd: free obd_svc_stats when all users are gone [084/151] lustre: mdc: add uid/gid to Changelogs entries [085/151] lustre: scrub: general framework for OI scrub [086/151] lustre: idl: clean up and document ptlrpc structures [087/151] lustre: idl: remove obsolete RPC MSG flags [088/151] lnet: libcfs: call proper crypto algo when keys are passed in [089/151] lustre: clio: remove unused cl_lock layers [090/151] lustre: sec: migrate to 64 bit time [091/151] lustre: llite: avoid live-lock when concurrent mmap()s [092/151] lustre: llite: change lli_glimpse_time to ktime [093/151] lustre: hsm: filter kkuc write by client UUID [094/151] lustre: dne: allow mkdir with specific MDTs [095/151] lustre: misc: update Intel copyright messages for 2017 [096/151] lustre: fid: improve seq allocation error messages [097/151] lustre: mdc: interruptable during RPC retry for EINPROGRESS [098/151] lustre: osc: migrate to 64 bit time [099/151] lustre: vvp: Print discarded page warning on -EIO [100/151] lustre: clio: Use readahead for partial page write [101/151] lustre: flr: comp-flags support when creating mirrors [102/151] lustre: libcfs: remove cfs_time_XXX_64 wrappers [103/151] lustre: address issues raised by gcc7 [104/151] lustre: lov: fill no-extent fiemap on object with no stripe. [105/151] lustre: ptlrpc: allow to limit number of service's rqbds [106/151] lnet: ensure peer put back on dc request queue [107/151] lustre: recovery: support setstripe replay [108/151] lustre: lustre: move LA_ flags to lustre_user.h [109/151] lustre: flr: revise lease API [110/151] lustre: idl: add PTLRPC definitions to enum [111/151] lustre: obd: remove s2dhms time function [112/151] lustre: mdc: add client NID to Changelogs entries [113/151] lustre: mdc: implement CL_OPEN for Changelogs [114/151] lustre: acl: prepare small buffer for ACL RPC reply [115/151] lnet: safe access in debug print [116/151] lnet: Remove LASSERT on userspace data [117/151] lustre: flr: split a mirror from mirrored file [118/151] lustre: llite: deny 2.10 clients to open mirrored files [119/151] lustre: uapi: rename LCM_FL_NOT_FLR to LCM_FL_NONE [120/151] lustre: flr: layout truncate compatibility [121/151] lustre: mdc: high-priority request handling for DOM [122/151] lustre: llite: Add tiny write support [123/151] lustre: mdc: add CL_GETXATTR for Changelogs [124/151] lustre: uapi: record denied OPEN in Changelogs [125/151] lustre: llite: have ll_write_end to sync for DIO [126/151] lustre: obd: add check to obd_statfs [127/151] lustre: obd: fix statfs handling [128/151] lustre: dom: support DATA_VERSION IO type [129/151] lnet: fix contiguous range support [130/151] lustre: osc: add a bit to indicate osc_page in cache tree [131/151] lustre: ldlm: fix export reference [132/151] lustre: llite: Add exit for filedata allocation failed [133/151] lustre: misc: Wrong checksum return value [134/151] lustre: llite: fix mount error handing [135/151] lustre: llite: Disable tiny writes for append [136/151] lustre: uapi: replace FMODE_{READ, WRITE} with MDS_* equivs [137/151] lnet: reduce discovery timeout [138/151] lustre: update version to 2.10.99 [139/151] lustre: ptlrpc: clarify 64 bit time usage [140/151] lustre: ptlrpc: add watchdog for ptlrpc service threads. [141/151] lustre: handles: discard h_owner in favour of h_ops [142/151] lustre: ldlm: Remove use of SLAB_DESTROY_BY_RCU for ldlm lock slab [143/151] lustre: ldlm: simplify lock_mode_to_index() [144/151] lustre: ptlrpc: use list_move where appropriate. [145/151] lustre: ptlrpc: simplify locking in ptlrpc_add_rqs_to_pool() [146/151] lustre: ptlrpc: incorporate BUILD_BUG_ON into ptlrpc_req_async_args() [147/151] lustre: introduce CONFIG_LUSTRE_FS_POSIX_ACL [148/151] lustre: ptlrpc: discard a server-only waitq. [149/151] lustre: llite: remove // comments. [150/151] lustre: remove outdated comments about ->ap_* functions. [151/151] lustre: clean up some comment alignment.

Message ID

1569869810-23848-34-git-send-email-jsimmons@infradead.org (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org CADEC224D5
From: James Simmons <jsimmons@infradead.org>
To: Andreas Dilger <adilger@whamcloud.com>, Oleg Drokin <green@whamcloud.com>,
 NeilBrown <neilb@suse.com>
Date: Mon, 30 Sep 2019 14:54:52 -0400
Message-Id: <1569869810-23848-34-git-send-email-jsimmons@infradead.org>
In-Reply-To: <1569869810-23848-1-git-send-email-jsimmons@infradead.org>
References: <1569869810-23848-1-git-send-email-jsimmons@infradead.org>
Subject: [lustre-devel] [PATCH 033/151] lnet: resolve unsafe list access
Precedence: list
Cc: Amir Shehata <ashehata@whamcloud.com>,
 Lustre Development List <lustre-devel@lists.lustre.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: lustre-devel-bounces@lists.lustre.org
Sender: "lustre-devel" <lustre-devel-bounces@lists.lustre.org>

Series

lustre: update to 2.11 support | expand

Commit Message

James Simmons Sept. 30, 2019, 6:54 p.m. UTC

From: Amir Shehata <ashehata@whamcloud.com>

Use list_for_each_entry_safe() when accessing messages on pending
queue. Remove the message from the list before calling lnet_finalize()
or lnet_send().

When destroying the peer make sure to queue all pending messages on
a global list. We can not resend them at this point because the
cpt lock is held. Unlocking the cpt lock could lead to an inconsistent
state. Use the discovery thread to check if the global list is not
empty and if so resend all messages on the list. Use a new spin
lock to protect the resend message list. I steered clear from reusing
an existing lock because LNet locking is complex and reusing a lock
will add to this complexity. Using a new lock makes the code easier
to understand.

Verify that all lists are empty before destroying the peer_ni

WC-bug-id: https://jira.whamcloud.com/browse/LU-9921
Lustre-commit: 62c3c8d14856 ("LU-9921 lnet: resolve unsafe list access")
Signed-off-by: Amir Shehata <ashehata@whamcloud.com>
Reviewed-on: https://review.whamcloud.com/28723
Reviewed-by: Olaf Weber <olaf.weber@hpe.com>
Reviewed-by: John L. Hammond <jhammond@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
Signed-off-by: James Simmons <jsimmons@infradead.org>
---
 include/linux/lnet/lib-types.h |  4 +++
 net/lnet/lnet/api-ni.c         | 15 ++++++++++
 net/lnet/lnet/peer.c           | 68 ++++++++++++++++++++++++++++++++++++++++--
 3 files changed, 85 insertions(+), 2 deletions(-)

diff --git a/include/linux/lnet/lib-types.h b/include/linux/lnet/lib-types.h
index 6d2d83a..a5cbf07 100644
--- a/include/linux/lnet/lib-types.h
+++ b/include/linux/lnet/lib-types.h
@@ -945,6 +945,10 @@  struct lnet {
 	struct list_head		ln_net_zombie;
 	/* the loopback NI */
 	struct lnet_ni		       *ln_loni;
+	/* resend messages list */
+	struct list_head		ln_msg_resend;
+	/* spin lock to protect the msg resend list */
+	spinlock_t			ln_msg_resend_lock;
 
 	/* remote networks with routes to them */
 	struct list_head	       *ln_remote_nets_hash;
diff --git a/net/lnet/lnet/api-ni.c b/net/lnet/lnet/api-ni.c
index bc3f808..b038010 100644
--- a/net/lnet/lnet/api-ni.c
+++ b/net/lnet/lnet/api-ni.c
@@ -211,6 +211,7 @@  static int lnet_discover(struct lnet_process_id id, u32 force,
 lnet_init_locks(void)
 {
 	spin_lock_init(&the_lnet.ln_eq_wait_lock);
+	spin_lock_init(&the_lnet.ln_msg_resend_lock);
 	init_waitqueue_head(&the_lnet.ln_eq_waitq);
 	init_waitqueue_head(&the_lnet.ln_rc_waitq);
 	mutex_init(&the_lnet.ln_lnd_mutex);
@@ -1652,6 +1653,10 @@  static void lnet_push_target_fini(void)
 lnet_shutdown_lndnets(void)
 {
 	struct lnet_net *net;
+	struct list_head resend;
+	struct lnet_msg *msg, *tmp;
+
+	INIT_LIST_HEAD(&resend);
 
 	/* NB called holding the global mutex */
 
@@ -1682,6 +1687,15 @@  static void lnet_push_target_fini(void)
 					       net_list)) != NULL)
 		lnet_shutdown_lndnet(net);
 
+	spin_lock(&the_lnet.ln_msg_resend_lock);
+	list_splice(&the_lnet.ln_msg_resend, &resend);
+	spin_unlock(&the_lnet.ln_msg_resend_lock);
+
+	list_for_each_entry_safe(msg, tmp, &resend, msg_list) {
+		list_del_init(&msg->msg_list);
+		lnet_finalize(msg, -ECANCELED);
+	}
+
 	lnet_net_lock(LNET_LOCK_EX);
 	the_lnet.ln_state = LNET_STATE_SHUTDOWN;
 	lnet_net_unlock(LNET_LOCK_EX);
@@ -2025,6 +2039,7 @@  int lnet_lib_init(void)
 	INIT_LIST_HEAD(&the_lnet.ln_lnds);
 	INIT_LIST_HEAD(&the_lnet.ln_net_zombie);
 	INIT_LIST_HEAD(&the_lnet.ln_rcd_zombie);
+	INIT_LIST_HEAD(&the_lnet.ln_msg_resend);
 	INIT_LIST_HEAD(&the_lnet.ln_rcd_deathrow);
 
 	/*
diff --git a/net/lnet/lnet/peer.c b/net/lnet/lnet/peer.c
index 34e61f8..d7a2e3b 100644
--- a/net/lnet/lnet/peer.c
+++ b/net/lnet/lnet/peer.c
@@ -231,6 +231,22 @@ 
 	if (lp->lp_data)
 		lnet_ping_buffer_decref(lp->lp_data);
 
+	/* if there are messages still on the pending queue, then make
+	 * sure to queue them on the ln_msg_resend list so they can be
+	 * resent at a later point if the discovery thread is still
+	 * running.
+	 * If the discovery thread has stopped, then the wakeup will be a
+	 * no-op, and it is expected the lnet_shutdown_lndnets() will
+	 * eventually be called, which will traverse this list and
+	 * finalize the messages on the list.
+	 * We can not resend them now because we're holding the cpt lock.
+	 * Releasing the lock can cause an inconsistent state
+	 */
+	spin_lock(&the_lnet.ln_msg_resend_lock);
+	list_splice(&lp->lp_dc_pendq, &the_lnet.ln_msg_resend);
+	spin_unlock(&the_lnet.ln_msg_resend_lock);
+	wake_up(&the_lnet.ln_dc_waitq);
+
 	kfree(lp);
 }
 
@@ -1532,6 +1548,8 @@  struct lnet_peer_net *
 	LASSERT(lpni->lpni_rtr_refcount == 0);
 	LASSERT(list_empty(&lpni->lpni_txq));
 	LASSERT(lpni->lpni_txqnob == 0);
+	LASSERT(list_empty(&lpni->lpni_peer_nis));
+	LASSERT(list_empty(&lpni->lpni_on_remote_peer_ni_list));
 
 	lpn = lpni->lpni_peer_net;
 	lpni->lpni_peer_net = NULL;
@@ -1730,7 +1748,7 @@  static int lnet_peer_queue_for_discovery(struct lnet_peer *lp)
  */
 static void lnet_peer_discovery_complete(struct lnet_peer *lp)
 {
-	struct lnet_msg *msg = NULL;
+	struct lnet_msg *msg, *tmp;
 	int rc = 0;
 	struct list_head pending_msgs;
 
@@ -1746,7 +1764,8 @@  static void lnet_peer_discovery_complete(struct lnet_peer *lp)
 	lnet_net_unlock(LNET_LOCK_EX);
 
 	/* iterate through all pending messages and send them again */
-	list_for_each_entry(msg, &pending_msgs, msg_list) {
+	list_for_each_entry_safe(msg, tmp, &pending_msgs, msg_list) {
+		list_del_init(&msg->msg_list);
 		if (lp->lp_dc_error) {
 			lnet_finalize(msg, lp->lp_dc_error);
 			continue;
@@ -2970,6 +2989,8 @@  static int lnet_peer_discovery_wait_for_work(void)
 			break;
 		if (!list_empty(&the_lnet.ln_dc_request))
 			break;
+		if (!list_empty(&the_lnet.ln_msg_resend))
+			break;
 		if (lnet_peer_dc_timed_out(ktime_get_real_seconds()))
 			break;
 		lnet_net_unlock(cpt);
@@ -2995,6 +3016,47 @@  static int lnet_peer_discovery_wait_for_work(void)
 	return rc;
 }
 
+/* Messages that were pending on a destroyed peer will be put on a global
+ * resend list. The message resend list will be checked by
+ * the discovery thread when it wakes up, and will resend messages. These
+ * messages can still be sendable in the case the lpni which was the initial
+ * cause of the message re-queue was transferred to another peer.
+ *
+ * It is possible that LNet could be shutdown while we're iterating
+ * through the list. lnet_shudown_lndnets() will attempt to access the
+ * resend list, but will have to wait until the spinlock is released, by
+ * which time there shouldn't be any more messages on the resend list.
+ * During shutdown lnet_send() will fail and lnet_finalize() will be called
+ * for the messages so they can be released. The other case is that
+ * lnet_shudown_lndnets() can finalize all the messages before this
+ * function can visit the resend list, in which case this function will be
+ * a no-op.
+ */
+static void lnet_resend_msgs(void)
+{
+	struct lnet_msg *msg, *tmp;
+	struct list_head resend;
+	int rc;
+
+	INIT_LIST_HEAD(&resend);
+
+	spin_lock(&the_lnet.ln_msg_resend_lock);
+	list_splice(&the_lnet.ln_msg_resend, &resend);
+	spin_unlock(&the_lnet.ln_msg_resend_lock);
+
+	list_for_each_entry_safe(msg, tmp, &resend, msg_list) {
+		list_del_init(&msg->msg_list);
+		rc = lnet_send(msg->msg_src_nid_param, msg,
+			       msg->msg_rtr_nid_param);
+		if (rc < 0) {
+			CNETERR("Error sending %s to %s: %d\n",
+				lnet_msgtyp2str(msg->msg_type),
+				libcfs_id2str(msg->msg_target), rc);
+			lnet_finalize(msg, rc);
+		}
+	}
+}
+
 /* The discovery thread. */
 static int lnet_peer_discovery(void *arg)
 {
@@ -3008,6 +3070,8 @@  static int lnet_peer_discovery(void *arg)
 		if (lnet_peer_discovery_wait_for_work())
 			break;
 
+		lnet_resend_msgs();
+
 		if (lnet_push_target_resize_needed())
 			lnet_push_target_resize();

[033/151] lnet: resolve unsafe list access

Commit Message

Patch