From patchwork Sun Oct  8 23:13:38 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Chuck Lever III <chuck.lever@oracle.com>
X-Patchwork-Id: 9992077
Return-Path: <linux-nfs-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	6284360231 for <patchwork-linux-nfs@patchwork.kernel.org>;
	Sun,  8 Oct 2017 23:13:44 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5387528634
	for <patchwork-linux-nfs@patchwork.kernel.org>;
	Sun,  8 Oct 2017 23:13:44 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 46A2428640; Sun,  8 Oct 2017 23:13:44 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM,
	T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5C9DD28634
	for <patchwork-linux-nfs@patchwork.kernel.org>;
	Sun,  8 Oct 2017 23:13:42 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751489AbdJHXNl (ORCPT
	<rfc822;patchwork-linux-nfs@patchwork.kernel.org>);
	Sun, 8 Oct 2017 19:13:41 -0400
Received: from mail-io0-f196.google.com ([209.85.223.196]:37128 "EHLO
	mail-io0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750820AbdJHXNk (ORCPT
	<rfc822;linux-nfs@vger.kernel.org>); Sun, 8 Oct 2017 19:13:40 -0400
Received: by mail-io0-f196.google.com with SMTP id h70so925691ioi.4
	for <linux-nfs@vger.kernel.org>; Sun, 08 Oct 2017 16:13:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=sender:subject:from:to:cc:date:message-id:user-agent:mime-version
	:content-transfer-encoding;
	bh=YkjIXfTUCopd0wNjFfshA2zOcSzbZglQXnGzARyMeXo=;
	b=pq8FPRji3j11eJUduktatN3TJm6dIbogiH3/R2zBvgGmyovyFrcjmbtASzUdwJT6W2
	dRigKVHls7r9SvRXwO6FBldjidWlgBzP04XlL1S9JwmtAPzTZrRuzCzcqDe8uD5FLv3/
	aK1GrNYZYG2C7DUVvkLz9CAb3zYZpdd62WicQVEfMYUwV2mBRLXJlte0LwQbxHi6MOmk
	dnf2ALvi4X9Vf8K2Je3TQfCqd7EJv5m8oXg3F9VGKrc51lFB5knd5WRMoeLQRkVdjKo2
	A+0Akf382gOeXq5Zh1xNUl6k/qXjfLY+9Cmbm3uS0jbp5fnJjS3JnRVBBvKbRF21cv/H
	BeZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:sender:subject:from:to:cc:date:message-id
	:user-agent:mime-version:content-transfer-encoding;
	bh=YkjIXfTUCopd0wNjFfshA2zOcSzbZglQXnGzARyMeXo=;
	b=IUah6+YFu5ocfo3PbWnsy0N6p9O3UAY1/UgEXwCr8X5jcKWOp3HQ1lgExusn8LzR4w
	8caRTfyxvMHTAG6FBlAqgT0dPGdJYQhJzplg9jK/SpUrCbWg2mzw28PoN3VzTsXIszVr
	7y9sGxVNCRRt2eswOsLQlzmER7Qx5jaj3yBqAyq45ZC2ll4lScPoNkeLkJ9sG64Maqlf
	MWNs3bKz3llWOh3UQPXBu7xTluPs4BeldjGOee1VzQJVOt1nIILWdtzpb3mG2GEn2HgY
	Qlg5W/zZgQyYpQzrzI67Pg5Z/McJy7FmjExGAneZ6YPNYv4UZUi8ZJAppNDSDmsASFR+
	JPug==
X-Gm-Message-State: AMCzsaWbaEceRQww2v2qjpqTmpT/Xbsu1ABtDI7gMoASmsLU03hCx1SN
	VQciG9/hEzCFz6kOBk83OwmbNQ==
X-Google-Smtp-Source: 
 AOwi7QCKZU6qEJr7rmL7B5Mc41Mi73atT26Y7lz5znJiQj5y3hjYMx7Dgt4gE4hyYDBrD4BOgIyJrA==
X-Received: by 10.107.17.5 with SMTP id z5mr12196785ioi.9.1507504419733;
	Sun, 08 Oct 2017 16:13:39 -0700 (PDT)
Received: from klimt.1015granger.net (c-68-46-169-226.hsd1.mi.comcast.net.
	[68.46.169.226]) by smtp.gmail.com with ESMTPSA id
	p142sm3413752itb.11.2017.10.08.16.13.38
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Sun, 08 Oct 2017 16:13:38 -0700 (PDT)
Subject: [PATCH RFC] svcrdma: Preserve CB send buffer across retransmits
From: Chuck Lever <chuck.lever@oracle.com>
To: bcodding@redhat.com, jlayton@redhat.com
Cc: linux-nfs@vger.kernel.org
Date: Sun, 08 Oct 2017 19:13:38 -0400
Message-ID: <20171008225546.16538.99253.stgit@klimt.1015granger.net>
User-Agent: StGit/0.17.1-dirty
MIME-Version: 1.0
Sender: linux-nfs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-nfs.vger.kernel.org>
X-Mailing-List: linux-nfs@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

During each NFSv4 callback Call, an RDMA Send completion frees the
page that contains the RPC Call message. If the upper layer determines
that a retransmit is necessary, this is too soon.

One possible symptom: after a GARBAGE_ARGS response an NFSv4.1
callback request, the following BUG fires on the NFS server:

kernel: BUG: Bad page state in process kworker/0:2H  pfn:7d3ce2
kernel: page:ffffea001f4f3880 count:-2 mapcount:0 mapping:          (null) index:0x0
kernel: flags: 0x2fffff80000000()
kernel: raw: 002fffff80000000 0000000000000000 0000000000000000 fffffffeffffffff
kernel: raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
kernel: page dumped because: nonzero _refcount
kernel: Modules linked in: cts rpcsec_gss_krb5 ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm
ocfs2_nodemanager ocfs2_stackglue rpcrdm a ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad
rdma_cm ib_cm iw_cm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel
kvm irqbypass crct10dif_pc lmul crc32_pclmul ghash_clmulni_intel pcbc iTCO_wdt
iTCO_vendor_support aesni_intel crypto_simd glue_helper cryptd pcspkr lpc_ich i2c_i801
mei_me mf d_core mei raid0 sg wmi ioatdma ipmi_si ipmi_devintf ipmi_msghandler shpchp
acpi_power_meter acpi_pad nfsd nfs_acl lockd auth_rpcgss grace sunrpc ip_tables xfs
libcrc32c mlx4_en mlx4_ib mlx5_ib ib_core sd_mod sr_mod cdrom ast drm_kms_helper
syscopyarea sysfillrect sysimgblt fb_sys_fops ttm ahci crc32c_intel libahci drm
mlx5_core igb libata mlx4_core dca i2c_algo_bit i2c_core nvme
kernel: ptp nvme_core pps_core dm_mirror dm_region_hash dm_log dm_mod dax
kernel: CPU: 0 PID: 11495 Comm: kworker/0:2H Not tainted 4.14.0-rc3-00001-g577ce48 #811
kernel: Hardware name: Supermicro Super Server/X10SRL-F, BIOS 1.0c 09/09/2015
kernel: Workqueue: ib-comp-wq ib_cq_poll_work [ib_core]
kernel: Call Trace:
kernel: dump_stack+0x62/0x80
kernel: bad_page+0xfe/0x11a
kernel: free_pages_check_bad+0x76/0x78
kernel: free_pcppages_bulk+0x364/0x441
kernel: ? ttwu_do_activate.isra.61+0x71/0x78
kernel: free_hot_cold_page+0x1c5/0x202
kernel: __put_page+0x2c/0x36
kernel: svc_rdma_put_context+0xd9/0xe4 [rpcrdma]
kernel: svc_rdma_wc_send+0x50/0x98 [rpcrdma]

This issue exists all the way back to v4.5, but refactoring and code
re-organization prevents this simple patch from applying to kernels
older than v4.12. The fix is the same, however, if someone needs to
backport it.

Reported-by: Ben Coddington <bcodding@redhat.com>
Fixes: 5d252f90a800 ('svcrdma: Add class for RDMA backwards ... ')
Cc: stable@vger.kernel.org # v4.12
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
---
 net/sunrpc/xprtrdma/svc_rdma_backchannel.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Hi Ben, Jeff-

I was able to reproduce the problem here with a rigged Linux client.
This is my proposed fix. Fix also tested with a prototype Solaris
client similar to the one that exposed the problem.



--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/net/sunrpc/xprtrdma/svc_rdma_backchannel.c b/net/sunrpc/xprtrdma/svc_rdma_backchannel.c
index ec37ad8..1854db2 100644
--- a/net/sunrpc/xprtrdma/svc_rdma_backchannel.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_backchannel.c
@@ -132,6 +132,10 @@ static int svc_rdma_bc_sendto(struct svcxprt_rdma *rdma,
 	if (ret)
 		goto out_err;
 
+	/* Bump page refcnt so Send completion doesn't release
+	 * the rq_buffer before all retransmits are complete.
+	 */
+	get_page(virt_to_page(rqst->rq_buffer));
 	ret = svc_rdma_post_send_wr(rdma, ctxt, 1, 0);
 	if (ret)
 		goto out_unmap;
@@ -164,7 +168,6 @@ static int svc_rdma_bc_sendto(struct svcxprt_rdma *rdma,
 		return -EINVAL;
 	}
 
-	/* svc_rdma_sendto releases this page */
 	page = alloc_page(RPCRDMA_DEF_GFP);
 	if (!page)
 		return -ENOMEM;
@@ -183,6 +186,7 @@ static int svc_rdma_bc_sendto(struct svcxprt_rdma *rdma,
 {
 	struct rpc_rqst *rqst = task->tk_rqstp;
 
+	put_page(virt_to_page(rqst->rq_buffer));
 	kfree(rqst->rq_rbuffer);
 }