From patchwork Tue Apr 7 19:10:56 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chuck Lever III X-Patchwork-Id: 11478897 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 2AFE31392 for ; Tue, 7 Apr 2020 19:11:03 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 09AF420771 for ; Tue, 7 Apr 2020 19:11:03 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="KDSNARiY" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726767AbgDGTLC (ORCPT ); Tue, 7 Apr 2020 15:11:02 -0400 Received: from mail-qk1-f193.google.com ([209.85.222.193]:35563 "EHLO mail-qk1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726332AbgDGTLC (ORCPT ); Tue, 7 Apr 2020 15:11:02 -0400 Received: by mail-qk1-f193.google.com with SMTP id k134so589268qke.2; Tue, 07 Apr 2020 12:11:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:subject:from:to:date:message-id:in-reply-to:references :user-agent:mime-version:content-transfer-encoding; bh=6M+9hJD2Ii/fe7oHvimiU4NB246pMmOOp/SK1fuTXMs=; b=KDSNARiYqF8n3oNgYHuDg6hWiOIt91tlS2rFmqDs+/gJ3iHiYpjkAghBM8HHzukbwv OfJw6XZ+1eMSCv1xRyuDuXI+7QDUGMykEtOo0kT8FIG39YCWkHVRyphDYwhJuttSla9k sWhxMUNDP5bK4wi0cTVbFBT0QlAgOjCALg61lUdG8A+PiU/n+vxmBgZxDM6bDZtuc90a yhon1KwLikaBm19su8rLOhUBZgxKgakTnRJ26yFnBKAwDucJRQKgLhBSFrYwj+D32JuZ raNfTBcCeJ3vGwg9rIk5Q4qCEtSKPeojlnndSUrdelwWiuw5Agedzn0AkVpbtPQNPxub waQw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:subject:from:to:date:message-id :in-reply-to:references:user-agent:mime-version :content-transfer-encoding; bh=6M+9hJD2Ii/fe7oHvimiU4NB246pMmOOp/SK1fuTXMs=; b=C+BBUyk4/f6VKp+Htb3cK+E6ILapxIs4NUUFVu3pWddgV3AA1GQJ6bLrM/ebDJnV/S RNGiM/n+etrR1ptagORCEWlpMR+osrple+OLm1Vvjr2j6PxjN0240r6Dz39l2rX4rz42 6TXGcltFZRCY7gaUKatUjyH7UWuMRDouzzu/ymHeGu4eVADai59jGCj9KpUr0vB2vsAE VLZlFs+VCmH2mGc6+UI+wP/vwZL/zBcD44lLMIOdXMvmwGwolBqMZY8gqSmi99Xeuz4F EY+wQL24AZiOjeEBZEWFXLNksZd0ddP540EtZSKv/wI7BlpE8zJpte8CnMfwPS2xxYRL wCuQ== X-Gm-Message-State: AGi0PuZ+Lzny7qnt89Nr6J+kLDGB2UfggdN1+/JFwC/XBQR04XY3lyFa DfRRhV3FjMi/mHloQ0DiGrZQM/ya X-Google-Smtp-Source: APiQypJM1YQnO5fQpUW6sg3YC3hhu8sPX//RvZqyGViTrMGj/7gPyLIc9zzZ7BKiwJm8oNL0T5v55w== X-Received: by 2002:a37:6044:: with SMTP id u65mr4046193qkb.246.1586286657708; Tue, 07 Apr 2020 12:10:57 -0700 (PDT) Received: from gateway.1015granger.net (c-68-61-232-219.hsd1.mi.comcast.net. [68.61.232.219]) by smtp.gmail.com with ESMTPSA id j50sm18633565qta.42.2020.04.07.12.10.57 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 07 Apr 2020 12:10:57 -0700 (PDT) Received: from klimt.1015granger.net (klimt.1015granger.net [192.168.1.55]) by gateway.1015granger.net (8.14.7/8.14.7) with ESMTP id 037JAuVQ010258; Tue, 7 Apr 2020 19:10:56 GMT Subject: [PATCH v1 1/3] svcrdma: Fix trace point use-after-free race From: Chuck Lever To: linux-nfs@vger.kernel.org, linux-rdma@vger.kernel.org Date: Tue, 07 Apr 2020 15:10:56 -0400 Message-ID: <20200407191056.24045.23262.stgit@klimt.1015granger.net> In-Reply-To: <20200407190938.24045.64947.stgit@klimt.1015granger.net> References: <20200407190938.24045.64947.stgit@klimt.1015granger.net> User-Agent: StGit/0.22-8-g198f MIME-Version: 1.0 Sender: linux-rdma-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-rdma@vger.kernel.org I hit this while testing nfsd-5.7 with kernel memory debugging enabled on my server: Mar 30 13:21:45 klimt kernel: BUG: unable to handle page fault for address: ffff8887e6c279a8 Mar 30 13:21:45 klimt kernel: #PF: supervisor read access in kernel mode Mar 30 13:21:45 klimt kernel: #PF: error_code(0x0000) - not-present page Mar 30 13:21:45 klimt kernel: PGD 3601067 P4D 3601067 PUD 87c519067 PMD 87c3e2067 PTE 800ffff8193d8060 Mar 30 13:21:45 klimt kernel: Oops: 0000 [#1] SMP DEBUG_PAGEALLOC PTI Mar 30 13:21:45 klimt kernel: CPU: 2 PID: 1933 Comm: nfsd Not tainted 5.6.0-rc6-00040-g881e87a3c6f9 #1591 Mar 30 13:21:45 klimt kernel: Hardware name: Supermicro Super Server/X10SRL-F, BIOS 1.0c 09/09/2015 Mar 30 13:21:45 klimt kernel: RIP: 0010:svc_rdma_post_chunk_ctxt+0xab/0x284 [rpcrdma] Mar 30 13:21:45 klimt kernel: Code: c1 83 34 02 00 00 29 d0 85 c0 7e 72 48 8b bb a0 02 00 00 48 8d 54 24 08 4c 89 e6 48 8b 07 48 8b 40 20 e8 5a 5c 2b e1 41 89 c6 <8b> 45 20 89 44 24 04 8b 05 02 e9 01 00 85 c0 7e 33 e9 5e 01 00 00 Mar 30 13:21:45 klimt kernel: RSP: 0018:ffffc90000dfbdd8 EFLAGS: 00010286 Mar 30 13:21:45 klimt kernel: RAX: 0000000000000000 RBX: ffff8887db8db400 RCX: 0000000000000030 Mar 30 13:21:45 klimt kernel: RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000246 Mar 30 13:21:45 klimt kernel: RBP: ffff8887e6c27988 R08: 0000000000000000 R09: 0000000000000004 Mar 30 13:21:45 klimt kernel: R10: ffffc90000dfbdd8 R11: 00c068ef00000000 R12: ffff8887eb4e4a80 Mar 30 13:21:45 klimt kernel: R13: ffff8887db8db634 R14: 0000000000000000 R15: ffff8887fc931000 Mar 30 13:21:45 klimt kernel: FS: 0000000000000000(0000) GS:ffff88885bd00000(0000) knlGS:0000000000000000 Mar 30 13:21:45 klimt kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 Mar 30 13:21:45 klimt kernel: CR2: ffff8887e6c279a8 CR3: 000000081b72e002 CR4: 00000000001606e0 Mar 30 13:21:45 klimt kernel: Call Trace: Mar 30 13:21:45 klimt kernel: ? svc_rdma_vec_to_sg+0x7f/0x7f [rpcrdma] Mar 30 13:21:45 klimt kernel: svc_rdma_send_write_chunk+0x59/0xce [rpcrdma] Mar 30 13:21:45 klimt kernel: svc_rdma_sendto+0xf9/0x3ae [rpcrdma] Mar 30 13:21:45 klimt kernel: ? nfsd_destroy+0x51/0x51 [nfsd] Mar 30 13:21:45 klimt kernel: svc_send+0x105/0x1e3 [sunrpc] Mar 30 13:21:45 klimt kernel: nfsd+0xf2/0x149 [nfsd] Mar 30 13:21:45 klimt kernel: kthread+0xf6/0xfb Mar 30 13:21:45 klimt kernel: ? kthread_queue_delayed_work+0x74/0x74 Mar 30 13:21:45 klimt kernel: ret_from_fork+0x3a/0x50 Mar 30 13:21:45 klimt kernel: Modules linked in: ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue ib_umad ib_ipoib mlx4_ib sb_edac x86_pkg_temp_thermal iTCO_wdt iTCO_vendor_support coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel glue_helper crypto_simd cryptd pcspkr rpcrdma i2c_i801 rdma_ucm lpc_ich mfd_core ib_iser rdma_cm iw_cm ib_cm mei_me raid0 libiscsi mei sg scsi_transport_iscsi ioatdma wmi ipmi_si ipmi_devintf ipmi_msghandler acpi_power_meter nfsd nfs_acl lockd auth_rpcgss grace sunrpc ip_tables xfs libcrc32c mlx4_en sd_mod sr_mod cdrom mlx4_core crc32c_intel igb nvme i2c_algo_bit ahci i2c_core libahci nvme_core dca libata t10_pi qedr dm_mirror dm_region_hash dm_log dm_mod dax qede qed crc8 ib_uverbs ib_core Mar 30 13:21:45 klimt kernel: CR2: ffff8887e6c279a8 Mar 30 13:21:45 klimt kernel: ---[ end trace 87971d2ad3429424 ]--- It's absolutely not safe to use resources pointed to by the @send_wr argument of ib_post_send() _after_ that function returns. Those resources are typically freed by the Send completion handler, which can run before ib_post_send() returns. Thus the trace points currently around ib_post_send() in the server's RPC/RDMA transport are a hazard, even when they are disabled. Rearrange them so that they touch the Work Request only _before_ ib_post_send() is invoked. Fixes: bd2abef33394 ("svcrdma: Trace key RDMA API events") Fixes: 4201c7464753 ("svcrdma: Introduce svc_rdma_send_ctxt") Signed-off-by: Chuck Lever --- include/trace/events/rpcrdma.h | 50 ++++++++++++++++++++++++--------- net/sunrpc/xprtrdma/svc_rdma_rw.c | 3 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 16 ++++++----- 3 files changed, 46 insertions(+), 23 deletions(-) diff --git a/include/trace/events/rpcrdma.h b/include/trace/events/rpcrdma.h index 9238d233f8cf..94087219f8a7 100644 --- a/include/trace/events/rpcrdma.h +++ b/include/trace/events/rpcrdma.h @@ -1722,17 +1722,15 @@ DECLARE_EVENT_CLASS(svcrdma_sendcomp_event, TRACE_EVENT(svcrdma_post_send, TP_PROTO( - const struct ib_send_wr *wr, - int status + const struct ib_send_wr *wr ), - TP_ARGS(wr, status), + TP_ARGS(wr), TP_STRUCT__entry( __field(const void *, cqe) __field(unsigned int, num_sge) __field(u32, inv_rkey) - __field(int, status) ), TP_fast_assign( @@ -1740,12 +1738,11 @@ TRACE_EVENT(svcrdma_post_send, __entry->num_sge = wr->num_sge; __entry->inv_rkey = (wr->opcode == IB_WR_SEND_WITH_INV) ? wr->ex.invalidate_rkey : 0; - __entry->status = status; ), - TP_printk("cqe=%p num_sge=%u inv_rkey=0x%08x status=%d", + TP_printk("cqe=%p num_sge=%u inv_rkey=0x%08x", __entry->cqe, __entry->num_sge, - __entry->inv_rkey, __entry->status + __entry->inv_rkey ) ); @@ -1810,26 +1807,23 @@ TRACE_EVENT(svcrdma_wc_receive, TRACE_EVENT(svcrdma_post_rw, TP_PROTO( const void *cqe, - int sqecount, - int status + int sqecount ), - TP_ARGS(cqe, sqecount, status), + TP_ARGS(cqe, sqecount), TP_STRUCT__entry( __field(const void *, cqe) __field(int, sqecount) - __field(int, status) ), TP_fast_assign( __entry->cqe = cqe; __entry->sqecount = sqecount; - __entry->status = status; ), - TP_printk("cqe=%p sqecount=%d status=%d", - __entry->cqe, __entry->sqecount, __entry->status + TP_printk("cqe=%p sqecount=%d", + __entry->cqe, __entry->sqecount ) ); @@ -1897,6 +1891,34 @@ DECLARE_EVENT_CLASS(svcrdma_sendqueue_event, DEFINE_SQ_EVENT(full); DEFINE_SQ_EVENT(retry); +TRACE_EVENT(svcrdma_sq_post_err, + TP_PROTO( + const struct svcxprt_rdma *rdma, + int status + ), + + TP_ARGS(rdma, status), + + TP_STRUCT__entry( + __field(int, avail) + __field(int, depth) + __field(int, status) + __string(addr, rdma->sc_xprt.xpt_remotebuf) + ), + + TP_fast_assign( + __entry->avail = atomic_read(&rdma->sc_sq_avail); + __entry->depth = rdma->sc_sq_depth; + __entry->status = status; + __assign_str(addr, rdma->sc_xprt.xpt_remotebuf); + ), + + TP_printk("addr=%s sc_sq_avail=%d/%d status=%d", + __get_str(addr), __entry->avail, __entry->depth, + __entry->status + ) +); + #endif /* _TRACE_RPCRDMA_H */ #include diff --git a/net/sunrpc/xprtrdma/svc_rdma_rw.c b/net/sunrpc/xprtrdma/svc_rdma_rw.c index bd7c195d872e..23c2d3ce0dc9 100644 --- a/net/sunrpc/xprtrdma/svc_rdma_rw.c +++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c @@ -323,8 +323,6 @@ static int svc_rdma_post_chunk_ctxt(struct svc_rdma_chunk_ctxt *cc) if (atomic_sub_return(cc->cc_sqecount, &rdma->sc_sq_avail) > 0) { ret = ib_post_send(rdma->sc_qp, first_wr, &bad_wr); - trace_svcrdma_post_rw(&cc->cc_cqe, - cc->cc_sqecount, ret); if (ret) break; return 0; @@ -337,6 +335,7 @@ static int svc_rdma_post_chunk_ctxt(struct svc_rdma_chunk_ctxt *cc) trace_svcrdma_sq_retry(rdma); } while (1); + trace_svcrdma_sq_post_err(rdma, ret); set_bit(XPT_CLOSE, &xprt->xpt_flags); /* If even one was posted, there will be a completion. */ diff --git a/net/sunrpc/xprtrdma/svc_rdma_sendto.c b/net/sunrpc/xprtrdma/svc_rdma_sendto.c index 90cba3058f04..6a87a2379e91 100644 --- a/net/sunrpc/xprtrdma/svc_rdma_sendto.c +++ b/net/sunrpc/xprtrdma/svc_rdma_sendto.c @@ -322,15 +322,17 @@ int svc_rdma_send(struct svcxprt_rdma *rdma, struct ib_send_wr *wr) } svc_xprt_get(&rdma->sc_xprt); + trace_svcrdma_post_send(wr); ret = ib_post_send(rdma->sc_qp, wr, NULL); - trace_svcrdma_post_send(wr, ret); - if (ret) { - set_bit(XPT_CLOSE, &rdma->sc_xprt.xpt_flags); - svc_xprt_put(&rdma->sc_xprt); - wake_up(&rdma->sc_send_wait); - } - break; + if (ret) + break; + return 0; } + + trace_svcrdma_sq_post_err(rdma, ret); + set_bit(XPT_CLOSE, &rdma->sc_xprt.xpt_flags); + svc_xprt_put(&rdma->sc_xprt); + wake_up(&rdma->sc_send_wait); return ret; } From patchwork Tue Apr 7 19:11:01 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chuck Lever III X-Patchwork-Id: 11478901 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 04E4081 for ; Tue, 7 Apr 2020 19:11:06 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D7E6520748 for ; Tue, 7 Apr 2020 19:11:05 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="l2kF6juP" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726740AbgDGTLF (ORCPT ); Tue, 7 Apr 2020 15:11:05 -0400 Received: from mail-qk1-f195.google.com ([209.85.222.195]:47039 "EHLO mail-qk1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726332AbgDGTLF (ORCPT ); Tue, 7 Apr 2020 15:11:05 -0400 Received: by mail-qk1-f195.google.com with SMTP id g74so510156qke.13; Tue, 07 Apr 2020 12:11:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:subject:from:to:date:message-id:in-reply-to:references :user-agent:mime-version:content-transfer-encoding; bh=B89KhKI3dBPR7z9BrJ0Gc3y7hT1W0vJQLGSA4yPn/XM=; b=l2kF6juPKSTAmuhhzdaoWd8z3TXs7fPPDtA9rxxf3IFO/6jA4Gdf1m3Zvmf1wFkTAs YTqB2SXETsSpXSydGrEJQnzhZzuUd2Y8HlYQuCGxUQKHKWA3LwyXgdIOASfkERfRpIJ0 MDxFDwLuOfE83fGf6+KvIJQIhqntX9mJpCVCf6UprrcgX6GOLeO/zp7ohULZ1Ktol4Rn 90MtgV+1SVpbPxCLuwaUwL/1RUXrtH4WGDaairNULWxhSgFDYNEKScv+OFO0yGvPJG7y il3bhBbax0HBPofK/egwi8SoqsJpz8irtkFvt0p33KkZi7nv70yF0YDil3gjq7LKXacm XzfQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:subject:from:to:date:message-id :in-reply-to:references:user-agent:mime-version :content-transfer-encoding; bh=B89KhKI3dBPR7z9BrJ0Gc3y7hT1W0vJQLGSA4yPn/XM=; b=C8fdPaBanY2Ry9xvS1VvM/8Q5mgMMJvHQhozOJm2qvMSW67cFwRYfDHO9xmnAf00z3 6/7GfulOiiRfhDs8946FpjJNIoXTjyO5Szb1KhXtrXdc62J/CGmyiI/Rd6W2yrGwwHgY EUfnI7/byp/h/zmv3Kzz5NwsF3oV4qqjNXPoO1uD69bjWAWlEbRwVP0qbAIf8UhQ9bTV jC8jgQ64Fgomw9TEbP4/j5mf6wTudh8vQ+/8JgemGW2UtjWoxK8TLoqYB1Xk49GWDQ/n /xfWPQCtU03+kBUXjKVmYKBmlg1C8DrE8yEbQEUul7O6N4u4tCC+ZkQAPhAZkOLXpXT/ gCnQ== X-Gm-Message-State: AGi0PuYVa6r0lA6T/eQOn5zKzfhDQ8RtHwsx//YDe3fFJ6ZIHDDXmjn6 NmGsPahT4T4E0Sdd7JCE/pTC82cb X-Google-Smtp-Source: APiQypLwsgN3WNjIKtRIxIB/BHslu7LDPoajAVrAsv6qp0ZagttyuOF85jzagZy+gJqzOwikK6nidg== X-Received: by 2002:a05:620a:48:: with SMTP id t8mr3840079qkt.21.1586286663354; Tue, 07 Apr 2020 12:11:03 -0700 (PDT) Received: from gateway.1015granger.net (c-68-61-232-219.hsd1.mi.comcast.net. [68.61.232.219]) by smtp.gmail.com with ESMTPSA id g63sm13384201qkb.89.2020.04.07.12.11.02 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 07 Apr 2020 12:11:02 -0700 (PDT) Received: from klimt.1015granger.net (klimt.1015granger.net [192.168.1.55]) by gateway.1015granger.net (8.14.7/8.14.7) with ESMTP id 037JB1rb010261; Tue, 7 Apr 2020 19:11:01 GMT Subject: [PATCH v1 2/3] SUNRPC: Remove naked ->xpo_release_rqst from svc_send() From: Chuck Lever To: linux-nfs@vger.kernel.org, linux-rdma@vger.kernel.org Date: Tue, 07 Apr 2020 15:11:01 -0400 Message-ID: <20200407191101.24045.10662.stgit@klimt.1015granger.net> In-Reply-To: <20200407190938.24045.64947.stgit@klimt.1015granger.net> References: <20200407190938.24045.64947.stgit@klimt.1015granger.net> User-Agent: StGit/0.22-8-g198f MIME-Version: 1.0 Sender: linux-rdma-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-rdma@vger.kernel.org Refactor: Instead of making two transport method calls in svc_send(), fold the ->xpo_release_rqst call into the ->xpo_sendto method of the two transports that need this extra behavior. Subsequently, svcrdma, which does not want or need the extra ->xpo_release_rqst call can then use ->xpo_release_rqst properly. This patch does not fix commit 3a88092ee319 ("svcrdma: Preserve Receive buffer until svc_rdma_sendto"), but is a prerequisite for the next patch, which does fix that commit. Signed-off-by: Chuck Lever --- net/sunrpc/svc_xprt.c | 3 --- net/sunrpc/svcsock.c | 4 ++++ 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c index 92f2c08c67a5..2284ff038dad 100644 --- a/net/sunrpc/svc_xprt.c +++ b/net/sunrpc/svc_xprt.c @@ -908,9 +908,6 @@ int svc_send(struct svc_rqst *rqstp) if (!xprt) goto out; - /* release the receive skb before sending the reply */ - xprt->xpt_ops->xpo_release_rqst(rqstp); - /* calculate over-all length */ xb = &rqstp->rq_res; xb->len = xb->head[0].iov_len + diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c index 519cf9c4f8fd..023514e392b3 100644 --- a/net/sunrpc/svcsock.c +++ b/net/sunrpc/svcsock.c @@ -527,6 +527,8 @@ static int svc_udp_sendto(struct svc_rqst *rqstp) unsigned int uninitialized_var(sent); int err; + svc_release_udp_skb(rqstp); + svc_set_cmsg_data(rqstp, cmh); err = xprt_sock_sendmsg(svsk->sk_sock, &msg, xdr, 0, 0, &sent); @@ -1076,6 +1078,8 @@ static int svc_tcp_sendto(struct svc_rqst *rqstp) unsigned int uninitialized_var(sent); int err; + svc_release_skb(rqstp); + err = xprt_sock_sendmsg(svsk->sk_sock, &msg, xdr, 0, marker, &sent); xdr_free_bvec(xdr); if (err < 0 || sent != (xdr->len + sizeof(marker))) From patchwork Tue Apr 7 19:11:06 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chuck Lever III X-Patchwork-Id: 11478905 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 2F7EC174A for ; Tue, 7 Apr 2020 19:11:11 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 0E26B20748 for ; Tue, 7 Apr 2020 19:11:11 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="eArYt/oz" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726776AbgDGTLK (ORCPT ); Tue, 7 Apr 2020 15:11:10 -0400 Received: from mail-qv1-f67.google.com ([209.85.219.67]:38051 "EHLO mail-qv1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726332AbgDGTLK (ORCPT ); Tue, 7 Apr 2020 15:11:10 -0400 Received: by mail-qv1-f67.google.com with SMTP id p60so2404435qva.5; Tue, 07 Apr 2020 12:11:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:subject:from:to:date:message-id:in-reply-to:references :user-agent:mime-version:content-transfer-encoding; bh=eTPMFzVxJLohyOWfFVldmZfg4Ttab96R40GG74GHol4=; b=eArYt/ozUL+hx6OuaPZ+4Qd6tytB5Mnz8FBqXO+4GzQOLr76Aou9kZKDit6NA71OGl ancF13+ad5B8pi6vdevk4fv3gPhB7+i+ZpKH39fuHuYWz+RNlCTkaCJcBBw0UdnFZjN1 uKNHfbSHm61hyRY8XoHNjTEZDeo9ZD4WC2S7s0pwzu09FhY0p3rjNOoV2MCgpDdSFqDl yuvLen0tkITb3TpO9TMEavvpkw+368rcQYXu86RPxldJgnEK/dCMGd+JA4CZ2TWp5OMO Q2z+grAZ5XBorr9j1ojlV4Nf6WSMUO7Q3YD/WUCrhHCMYJ+E8Sq4dCW4iUQZ2MukI5FC E5NA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:subject:from:to:date:message-id :in-reply-to:references:user-agent:mime-version :content-transfer-encoding; bh=eTPMFzVxJLohyOWfFVldmZfg4Ttab96R40GG74GHol4=; b=fvzMuvmIdhZjN0WuV+4Foe6tcrB2wVnZ7mHINq4hEqb4FxhNYuATMi1F61ocMI0kcY FwI3ykYuccJJfysla5ePFaw/cJfaS85Zx9OqQsjRhe7wxPNH6/iBO/uFfDPnr1s596dk GLetvdgOVt8va6uH46zY1PH8iPnW+yjjQIvIJum7ayRUWlpTL/U1IrcqQEn8ovvzXnpu A5Y/9pA4K9Q5RLAVNhNm3kbgpuaAyAcEc8vVKPS0dh0XQ5VXVOZI14NJM6BKK/R0Dg61 bi8ZhcDd/CUHZzCzF9qWIth+bu/A+RGl/Ijd1UkBEEpUcQbDtBaTCC8+aPf6CLgcv7bg bsHQ== X-Gm-Message-State: AGi0Pua0JMjNg/svBq+8jxfYv3FWfoqy+LH0V8sUHRIeDefVmLv0vqc+ Gtt2WxvoEX4nrPElPRu8DTMANyiH X-Google-Smtp-Source: APiQypIBchLnCMf/uB0OQJOyiFr12mpac22FMgGyMVgtZxE8z9IfopAxWEwUw4N5prqacZPhVC6wag== X-Received: by 2002:ad4:5642:: with SMTP id bl2mr3961355qvb.11.1586286668339; Tue, 07 Apr 2020 12:11:08 -0700 (PDT) Received: from gateway.1015granger.net (c-68-61-232-219.hsd1.mi.comcast.net. [68.61.232.219]) by smtp.gmail.com with ESMTPSA id o186sm17493673qke.39.2020.04.07.12.11.07 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 07 Apr 2020 12:11:07 -0700 (PDT) Received: from klimt.1015granger.net (klimt.1015granger.net [192.168.1.55]) by gateway.1015granger.net (8.14.7/8.14.7) with ESMTP id 037JB6XR010264; Tue, 7 Apr 2020 19:11:06 GMT Subject: [PATCH v1 3/3] svcrdma: Fix leak of svc_rdma_recv_ctxt objects From: Chuck Lever To: linux-nfs@vger.kernel.org, linux-rdma@vger.kernel.org Date: Tue, 07 Apr 2020 15:11:06 -0400 Message-ID: <20200407191106.24045.88035.stgit@klimt.1015granger.net> In-Reply-To: <20200407190938.24045.64947.stgit@klimt.1015granger.net> References: <20200407190938.24045.64947.stgit@klimt.1015granger.net> User-Agent: StGit/0.22-8-g198f MIME-Version: 1.0 Sender: linux-rdma-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-rdma@vger.kernel.org Utilize the xpo_release_rqst transport method to ensure that each rqstp's svc_rdma_recv_ctxt object is released even when the server cannot return a Reply for that rqstp. Without this fix, each RPC whose Reply cannot be sent leaks one svc_rdma_recv_ctxt. This is a 2.5KB structure, a 4KB DMA-mapped Receive buffer, and any pages that might be part of the Reply message. The leak is infrequent unless the network fabric is unreliable or Kerberos is in use, as GSS sequence window overruns, which result in connection loss, are more common on fast transports. Fixes: 3a88092ee319 ("svcrdma: Preserve Receive buffer until ... ") Signed-off-by: Chuck Lever --- include/linux/sunrpc/svc_rdma.h | 1 + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 22 ++++++++++++++++++++++ net/sunrpc/xprtrdma/svc_rdma_sendto.c | 13 +++---------- net/sunrpc/xprtrdma/svc_rdma_transport.c | 5 ----- 4 files changed, 26 insertions(+), 15 deletions(-) diff --git a/include/linux/sunrpc/svc_rdma.h b/include/linux/sunrpc/svc_rdma.h index 78fe2ac6dc6c..cbcfbd0521e3 100644 --- a/include/linux/sunrpc/svc_rdma.h +++ b/include/linux/sunrpc/svc_rdma.h @@ -170,6 +170,7 @@ extern bool svc_rdma_post_recvs(struct svcxprt_rdma *rdma); extern void svc_rdma_recv_ctxt_put(struct svcxprt_rdma *rdma, struct svc_rdma_recv_ctxt *ctxt); extern void svc_rdma_flush_recv_queues(struct svcxprt_rdma *rdma); +extern void svc_rdma_release_rqst(struct svc_rqst *rqstp); extern int svc_rdma_recvfrom(struct svc_rqst *); /* svc_rdma_rw.c */ diff --git a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c index 54469b72b25f..efa5fcb5793f 100644 --- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c +++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c @@ -223,6 +223,26 @@ void svc_rdma_recv_ctxt_put(struct svcxprt_rdma *rdma, svc_rdma_recv_ctxt_destroy(rdma, ctxt); } +/** + * svc_rdma_release_rqst - Release transport-specific per-rqst resources + * @rqstp: svc_rqst being released + * + * Ensure that the recv_ctxt is released whether or not a Reply + * was sent. For example, the client could close the connection, + * or svc_process could drop an RPC, before the Reply is sent. + */ +void svc_rdma_release_rqst(struct svc_rqst *rqstp) +{ + struct svc_rdma_recv_ctxt *ctxt = rqstp->rq_xprt_ctxt; + struct svc_xprt *xprt = rqstp->rq_xprt; + struct svcxprt_rdma *rdma = + container_of(xprt, struct svcxprt_rdma, sc_xprt); + + rqstp->rq_xprt_ctxt = NULL; + if (ctxt) + svc_rdma_recv_ctxt_put(rdma, ctxt); +} + static int __svc_rdma_post_recv(struct svcxprt_rdma *rdma, struct svc_rdma_recv_ctxt *ctxt) { @@ -820,6 +840,8 @@ int svc_rdma_recvfrom(struct svc_rqst *rqstp) __be32 *p; int ret; + rqstp->rq_xprt_ctxt = NULL; + spin_lock(&rdma_xprt->sc_rq_dto_lock); ctxt = svc_rdma_next_recv_ctxt(&rdma_xprt->sc_read_complete_q); if (ctxt) { diff --git a/net/sunrpc/xprtrdma/svc_rdma_sendto.c b/net/sunrpc/xprtrdma/svc_rdma_sendto.c index 6a87a2379e91..b6c8643867f2 100644 --- a/net/sunrpc/xprtrdma/svc_rdma_sendto.c +++ b/net/sunrpc/xprtrdma/svc_rdma_sendto.c @@ -926,12 +926,7 @@ int svc_rdma_sendto(struct svc_rqst *rqstp) ret = svc_rdma_send_reply_msg(rdma, sctxt, rctxt, rqstp); if (ret < 0) goto err1; - ret = 0; - -out: - rqstp->rq_xprt_ctxt = NULL; - svc_rdma_recv_ctxt_put(rdma, rctxt); - return ret; + return 0; err2: if (ret != -E2BIG && ret != -EINVAL) @@ -940,16 +935,14 @@ int svc_rdma_sendto(struct svc_rqst *rqstp) ret = svc_rdma_send_error_msg(rdma, sctxt, rqstp); if (ret < 0) goto err1; - ret = 0; - goto out; + return 0; err1: svc_rdma_send_ctxt_put(rdma, sctxt); err0: trace_svcrdma_send_failed(rqstp, ret); set_bit(XPT_CLOSE, &xprt->xpt_flags); - ret = -ENOTCONN; - goto out; + return -ENOTCONN; } /** diff --git a/net/sunrpc/xprtrdma/svc_rdma_transport.c b/net/sunrpc/xprtrdma/svc_rdma_transport.c index 8bb99980ae85..ea54785db4f8 100644 --- a/net/sunrpc/xprtrdma/svc_rdma_transport.c +++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c @@ -71,7 +71,6 @@ static struct svc_xprt *svc_rdma_create(struct svc_serv *serv, struct sockaddr *sa, int salen, int flags); static struct svc_xprt *svc_rdma_accept(struct svc_xprt *xprt); -static void svc_rdma_release_rqst(struct svc_rqst *); static void svc_rdma_detach(struct svc_xprt *xprt); static void svc_rdma_free(struct svc_xprt *xprt); static int svc_rdma_has_wspace(struct svc_xprt *xprt); @@ -552,10 +551,6 @@ static struct svc_xprt *svc_rdma_accept(struct svc_xprt *xprt) return NULL; } -static void svc_rdma_release_rqst(struct svc_rqst *rqstp) -{ -} - /* * When connected, an svc_xprt has at least two references: *