* unsafe req->rq_xprt using inside bc_svc_process() ?
@ 2019-11-29 14:10 Vasily Averin
  2019-12-05  8:40 ` Vasily Averin
  0 siblings, 1 reply; 3+ messages in thread
From: Vasily Averin @ 2019-11-29 14:10 UTC (permalink / raw)
  To: linux-nfs, J. Bruce Fields, Chuck Lever, Trond Myklebust, Anna Schumaker

The OpenVz team got a complaint about a crash in bc_svc_process().
The crashed node had 15 running containers with active nfsv4.1 mounts;
a single nfsv4.1-svc thread was processing its back-channel requests.
In our case nfs41_callback_svc() took rpc_rqst *req from serv->sv_cb_list and
started processing it, but found that req->rq_xprt points to an already freed
struct rpc_xprt, aka part of the struct sock_xprt transport.

The back-channel request was submitted via xprt_complete_bc_request();
its processing uses the req->rq_xprt reference many times,
however I did not find who keeps this reference.
It seems the sock_xprt or even its whole net namespace can be freed before bc_svc_process() starts processing the submitted back-channel request, and using req->rq_xprt is unsafe in bc_svc_process().

Am I probably missing something?

Thank you,
	Vasily Averin
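
Added example, not code from this thread or from the kernel: a user-space C model of the lifetime rule the report turns on, in which a queued back-channel request takes its own reference on the transport so that req->rq_xprt stays valid until processing finishes. The names model_xprt, model_req, xprt_put_ref, bc_queue and bc_process_one are hypothetical, and the model does not reproduce any kernel commit.

```c
#include <stdatomic.h>
#include <stdlib.h>

struct model_xprt {  /* hypothetical user-space model, not kernel code */
    atomic_int refs;  /* one per owner: the mount plus each queued request */
    int *freed;       /* set to 1 on release so the demo can observe it */
};
struct model_req { struct model_xprt *rq_xprt; struct model_req *next; };
static struct model_req *cb_list;  /* stands in for serv->sv_cb_list */

static void xprt_put_ref(struct model_xprt *x) {
    if (atomic_fetch_sub(&x->refs, 1) != 1) return;  /* others still own it */
    *x->freed = 1;
    free(x);
}

/* Queueing pins the transport: the request itself owns one reference. */
static void bc_queue(struct model_xprt *x) {
    struct model_req *req = malloc(sizeof(*req));
    if (!req) abort();
    atomic_fetch_add(&x->refs, 1);
    req->rq_xprt = x;
    req->next = cb_list;
    cb_list = req;
}

/* Worker: returns the refcount seen while processing, -1 if queue empty. */
static int bc_process_one(void) {
    struct model_req *req = cb_list;
    if (!req) return -1;
    cb_list = req->next;
    int seen = atomic_load(&req->rq_xprt->refs);  /* transport still valid */
    xprt_put_ref(req->rq_xprt);                   /* request's ref dropped */
    free(req);
    return seen;
}

/* Teardown runs before the worker; returns 1 if the transport outlived it. */
int demo_teardown_before_processing(void) {
    int freed = 0;
    struct model_xprt *x = malloc(sizeof(*x));
    if (!x) abort();
    atomic_init(&x->refs, 1);
    x->freed = &freed;
    bc_queue(x);
    xprt_put_ref(x);              /* the mount drops its reference first */
    int alive_while_queued = !freed;
    return alive_while_queued && bc_process_one() == 1 && freed;
}
int main(void) { return demo_teardown_before_processing() ? 0 : 1; }
```

Without the atomic_fetch_add() in bc_queue(), the xprt_put_ref() in the demo would release the transport while the request is still queued, which is the state the report describes.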


* Re: unsafe req->rq_xprt using inside bc_svc_process() ?
  2019-11-29 14:10 unsafe req->rq_xprt using inside bc_svc_process() ? Vasily Averin
@ 2019-12-05  8:40 ` Vasily Averin
  2019-12-06 21:20   ` J. Bruce Fields
  0 siblings, 1 reply; 3+ messages in thread
From: Vasily Averin @ 2019-12-05  8:40 UTC (permalink / raw)
  To: linux-nfs, J. Bruce Fields, Chuck Lever, Trond Myklebust, Anna Schumaker

I've found that Trond fixed it recently in commit 875f0706acc
"SUNRPC: The TCP back channel mustn't disappear while requests are outstanding"

On 11/29/19 5:10 PM, Vasily Averin wrote:
> The OpenVz team got a complaint about a crash in bc_svc_process().
> The crashed node had 15 running containers with active nfsv4.1 mounts;
> a single nfsv4.1-svc thread was processing its back-channel requests.
> In our case nfs41_callback_svc() took rpc_rqst *req from serv->sv_cb_list and
> started processing it, but found that req->rq_xprt points to an already freed
> struct rpc_xprt, aka part of the struct sock_xprt transport.
> 
> The back-channel request was submitted via xprt_complete_bc_request();
> its processing uses the req->rq_xprt reference many times,
> however I did not find who keeps this reference.
> It seems the sock_xprt or even its whole net namespace can be freed before bc_svc_process() starts processing the submitted back-channel request, and using req->rq_xprt is unsafe in bc_svc_process().
> 
> Am I probably missing something?


* Re: unsafe req->rq_xprt using inside bc_svc_process() ?
  2019-12-05  8:40 ` Vasily Averin
@ 2019-12-06 21:20   ` J. Bruce Fields
  0 siblings, 0 replies; 3+ messages in thread
From: J. Bruce Fields @ 2019-12-06 21:20 UTC (permalink / raw)
  To: Vasily Averin; +Cc: linux-nfs, Chuck Lever, Trond Myklebust, Anna Schumaker

On Thu, Dec 05, 2019 at 11:40:04AM +0300, Vasily Averin wrote:
> I've found that Trond fixed it recently in commit 875f0706acc
> "SUNRPC: The TCP back channel mustn't disappear while requests are outstanding"

Thanks for following up!

--b.

> 
> On 11/29/19 5:10 PM, Vasily Averin wrote:
> > The OpenVz team got a complaint about a crash in bc_svc_process().
> > The crashed node had 15 running containers with active nfsv4.1 mounts;
> > a single nfsv4.1-svc thread was processing its back-channel requests.
> > In our case nfs41_callback_svc() took rpc_rqst *req from serv->sv_cb_list and
> > started processing it, but found that req->rq_xprt points to an already freed
> > struct rpc_xprt, aka part of the struct sock_xprt transport.
> >
> > The back-channel request was submitted via xprt_complete_bc_request();
> > its processing uses the req->rq_xprt reference many times,
> > however I did not find who keeps this reference.
> > It seems the sock_xprt or even its whole net namespace can be freed before bc_svc_process() starts processing the submitted back-channel request, and using req->rq_xprt is unsafe in bc_svc_process().
> >
> > Am I probably missing something?
