On Wed, Nov 28 2018, J. Bruce Fields wrote: > On Wed, Nov 28, 2018 at 11:45:46AM +0300, Vasily Averin wrote: >> Dear all, we have found memory leak on OpenVz7 node and believe it >> affects mainline too. >> >> sunrpc_cache_lookup() removes exprired cache_head from hash, however >> if it waits for reply on submitted cache_request both of them can leak >> forever, nobody cleans unhashed cache_heads. >> >> Originally we had claim on busy loop device of stopped container, that >> had executed nfs server inside. Device was kept by mount that was >> detached from already destroyed mount namespace. By using crash >> search we have found some structure with path struct related to our >> mount. Finally we have found that it was alive svc_export struct used >> by to alive cache_request, however both of them pointed to already >> freed cache_detail. >> >> We decided that cache_detail was correctly freed during destroy of net >> namespace, however svc_export with taken path struct, cache_request >> and some other structures seems was leaked forever. >> >> This could happen only if cache_head of svc_export was removed from >> hash on cache_detail before its destroy. Finally we have found that it >> could happen when sunrpc_cache_lookup() removes expired cache_head >> from hash. >> >> Usually it works correctly and cache_put(freeme) frees expired >> cache_head. However in our case cache_head have an extra reference >> counter from stalled cache_request. Becasue of cache_head was removed >> from hash of cache_detail it cannot be found in cache_clean() and its >> cache_request cannot be freed in cache_dequeue(). Memory leaks >> forever, exactly like we observed. >> >> After may attempts we have reproduced this situation on OpenVz7 >> kernel, however our reproducer is quite long and complex. >> Unfortunately we still did not reproduced this problem on mainline >> kernel and did not validated the patch yet. >> >> It would be great if someone advised us some simple way to trigger >> described scenario. > > I think you should be able to produce hung upcalls by flushing the cache > (exportfs -f), then stopping mountd, then trying to access the > filesystem from a client. Does that help? > >> We are not sure that our patch is correct, please let us know if our >> analyze missed something. > > It looks OK to me, but it would be helpful to have Neil's review too. Yes, it makes sense to me. Reviewed-by: NeilBrown Thanks, NeilBrown > > I think I'd also copy some of the above into the changelog--e.g. it > might be useful to document that this can manifest as a stray reference > cuont on a mount. > > --b.