From patchwork Wed Oct 9 05:15:04 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: NeilBrown X-Patchwork-Id: 11180503 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 473BA1575 for ; Wed, 9 Oct 2019 05:15:13 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 26DB420B7C for ; Wed, 9 Oct 2019 05:15:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730117AbfJIFPM (ORCPT ); Wed, 9 Oct 2019 01:15:12 -0400 Received: from mx2.suse.de ([195.135.220.15]:36042 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1730107AbfJIFPM (ORCPT ); Wed, 9 Oct 2019 01:15:12 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 77EF4AD35 for ; Wed, 9 Oct 2019 05:15:10 +0000 (UTC) From: NeilBrown To: Linux NFS Mailing List Date: Wed, 09 Oct 2019 16:15:04 +1100 Subject: NFSv4.1 backchannel xprt problems. Message-ID: <87tv8iqz3b.fsf@notabene.neil.brown.name> MIME-Version: 1.0 Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org Hi, I have a customer with a 4.12-based kernel who is experiencing memory exhaustion. There are over 100,000 rpc_rqst structures queue on sv_cb_list for handing by the NFSv4 callback, which is idle. The rpc_rqst.rq_xprt pointer points to freed memory. I notice that that server code calls svc_xprt_get() on the xprt before storing it in rq_xprt, but the client/backchannel code doesn't. I'm wondering if the following might be useful. I plan to explore the code a bit more tomorrow and if this still seems likely I get the customer to test this change, but I thought I would ask here as well incase someone more knowledgeable can give me any pointers. Thanks, NeilBrown diff --git a/net/sunrpc/backchannel_rqst.c b/net/sunrpc/backchannel_rqst.c index 339e8c077c2d..c95ca39688b6 100644 --- a/net/sunrpc/backchannel_rqst.c +++ b/net/sunrpc/backchannel_rqst.c @@ -61,6 +61,7 @@ static void xprt_free_allocation(struct rpc_rqst *req) free_page((unsigned long)xbufp->head[0].iov_base); xbufp = &req->rq_snd_buf; free_page((unsigned long)xbufp->head[0].iov_base); + xprt_put(req->rq_xprt); kfree(req); } @@ -85,7 +86,7 @@ struct rpc_rqst *xprt_alloc_bc_req(struct rpc_xprt *xprt, gfp_t gfp_flags) if (req == NULL) return NULL; - req->rq_xprt = xprt; + req->rq_xprt = xprt_get(xprt); INIT_LIST_HEAD(&req->rq_bc_list); /* Preallocate one XDR receive buffer */