Re: [PATCH 0/1] cache_head leak in sunrpc_cache_lookup()

From: "J. Bruce Fields" <bfields@fieldses.org>
To: NeilBrown <neilb@suse.com>
Cc: Vasily Averin <vvs@virtuozzo.com>,
	Jeff Layton <jlayton@kernel.org>,
	linux-nfs@vger.kernel.org,
	"David S. Miller" <davem@davemloft.net>,
	Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Subject: Re: [PATCH 0/1] cache_head leak in sunrpc_cache_lookup()
Date: Tue, 4 Dec 2018 15:42:36 -0500	[thread overview]
Message-ID: <20181204204236.GE3903@fieldses.org> (raw)
In-Reply-To: <87zhtso38v.fsf@notabene.neil.brown.name>

On Thu, Nov 29, 2018 at 04:35:12PM +1100, NeilBrown wrote:
> On Wed, Nov 28 2018, J. Bruce Fields wrote:
> 
> > On Wed, Nov 28, 2018 at 11:45:46AM +0300, Vasily Averin wrote:
> >> Dear all, we have found memory leak on OpenVz7 node and believe it
> >> affects mainline too.
> >> 
> >> sunrpc_cache_lookup() removes exprired cache_head from hash, however
> >> if it waits for reply on submitted cache_request both of them can leak
> >> forever, nobody cleans unhashed cache_heads.
> >> 
> >> Originally we had claim on busy loop device of stopped container, that
> >> had executed nfs server inside.  Device was kept by mount that was
> >> detached from already destroyed mount namespace.  By using crash
> >> search we have found some structure with path struct related to our
> >> mount.  Finally we have found that it was alive svc_export struct used
> >> by to alive cache_request, however both of them pointed to already
> >> freed cache_detail.
> >> 
> >> We decided that cache_detail was correctly freed during destroy of net
> >> namespace, however svc_export with taken path struct, cache_request
> >> and some other structures seems was leaked forever.
> >> 
> >> This could  happen only if cache_head of svc_export was removed from
> >> hash on cache_detail before its destroy. Finally we have found that it
> >> could happen when sunrpc_cache_lookup() removes expired cache_head
> >> from hash.
> >> 
> >> Usually it works correctly and cache_put(freeme) frees expired
> >> cache_head.  However in our case cache_head have an extra reference
> >> counter from stalled cache_request.  Becasue of cache_head was removed
> >> from hash of cache_detail it cannot be found in cache_clean() and its
> >> cache_request cannot be freed in cache_dequeue(). Memory leaks
> >> forever, exactly like we observed.
> >> 
> >> After may attempts we have reproduced this situation on OpenVz7
> >> kernel, however our reproducer is quite long and complex.
> >> Unfortunately we still did not reproduced this problem on mainline
> >> kernel and did not validated the patch yet.
> >> 
> >> It would be great if someone advised us some simple way to trigger
> >> described scenario.
> >
> > I think you should be able to produce hung upcalls by flushing the cache
> > (exportfs -f), then stopping mountd, then trying to access the
> > filesystem from a client.  Does that help?
> >
> >> We are not sure that our patch is correct, please let us know if our
> >> analyze missed something.
> >
> > It looks OK to me, but it would be helpful to have Neil's review too.
> 
> Yes, it makes sense to me.
>  Reviewed-by: NeilBrown <neilb@suse.com>

OK, applied for 4.21.--b.