From: Josef Bacik <josef@toxicpanda.com> To: chuck.lever@oracle.com, jlayton@kernel.org, linux-nfs@vger.kernel.org, edumazet@google.com, kuba@kernel.org, kernel-team@fb.com Subject: [PATCH] sunrpc: hold a ref on netns for tcp sockets Date: Tue, 19 Mar 2024 15:49:49 -0400 [thread overview] Message-ID: <512efbd56ad3679068759586c6fa9b681aec14f0.1710877783.git.josef@toxicpanda.com> (raw) We've been seeing variations of the following panic in production BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: 0010:ip6_pol_route+0x59/0x7a0 Call Trace: <IRQ> ? __die+0x78/0xc0 ? page_fault_oops+0x286/0x380 ? fib6_table_lookup+0x95/0xf40 ? exc_page_fault+0x5d/0x110 ? asm_exc_page_fault+0x22/0x30 ? ip6_pol_route+0x59/0x7a0 ? unlink_anon_vmas+0x370/0x370 fib6_rule_lookup+0x56/0x1b0 ? update_blocked_averages+0x2c6/0x6a0 ip6_route_output_flags+0xd2/0x130 ip6_dst_lookup_tail+0x3b/0x220 ip6_dst_lookup_flow+0x2c/0x80 inet6_sk_rebuild_header+0x14c/0x1e0 ? tcp_release_cb+0x150/0x150 __tcp_retransmit_skb+0x68/0x6b0 ? tcp_current_mss+0xca/0x150 ? tcp_release_cb+0x150/0x150 tcp_send_loss_probe+0x8e/0x220 tcp_write_timer+0xbe/0x2d0 run_timer_softirq+0x272/0x840 ? hrtimer_interrupt+0x2c9/0x5f0 ? sched_clock_cpu+0xc/0x170 irq_exit_rcu+0x171/0x330 sysvec_apic_timer_interrupt+0x6d/0x80 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0xe7/0x243 Inspecting the vmcore with drgn you can see why this is a NULL pointer deref >>> prog.crashed_thread().stack_trace()[0] #0 at 0xffffffff810bfa89 (ip6_pol_route+0x59/0x796) in ip6_pol_route at net/ipv6/route.c:2212:40 2212 if (net->ipv6.devconf_all->forwarding == 0) 2213 strict |= RT6_LOOKUP_F_REACHABLE; >>> prog.crashed_thread().stack_trace()[0]['net'].ipv6.devconf_all (struct ipv6_devconf *)0x0 Looking at the socket you can see that it's been closed >>> decode_enum_type_flags(prog.crashed_thread().stack_trace()[11]['sk'].__sk_common.skc_flags, prog.type('enum sock_flags')) 'SOCK_DEAD|SOCK_KEEPOPEN|SOCK_ZAPPED|SOCK_USE_WRITE_QUEUE' >>> decode_enum_type_flags(1 << prog.crashed_thread().stack_trace()[11]['sk'].__sk_common.skc_state.value_(), prog["TCPF_CLOSE"].type_, bit_numbers=False) 'TCPF_FIN_WAIT1' This occurs in our container setup where we have an NFS mount that belongs to the containers network namespace. On container shutdown our netns goes away, which sets net->ipv6.defconf_all = NULL, and then we panic. In the kernel we're responsible for destroying our sockets when the network namespace exits, or holding a reference on the network namespace for our sockets so this doesn't happen. Even once we shutdown the socket we can still have TCP timers that fire in the background, hence this panic. SUNRPC shuts down the socket and throws away all knowledge of it, but it's still doing things in the background. Fix this by grabbing a reference on the network namespace for any tcp sockets we open. With this patch I'm able to cycle my 500 node stress tier over and over again without panicing, whereas previously I was losing 10-20 nodes every shutdown cycle. Signed-off-by: Josef Bacik <josef@toxicpanda.com> --- net/sunrpc/xprtsock.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c index bb81050c870e..f02387751a94 100644 --- a/net/sunrpc/xprtsock.c +++ b/net/sunrpc/xprtsock.c @@ -2333,6 +2333,7 @@ static int xs_tcp_finish_connecting(struct rpc_xprt *xprt, struct socket *sock) if (!transport->inet) { struct sock *sk = sock->sk; + struct net *net = sock_net(sk); /* Avoid temporary address, they are bad for long-lived * connections such as NFS mounts. @@ -2350,7 +2351,26 @@ static int xs_tcp_finish_connecting(struct rpc_xprt *xprt, struct socket *sock) tcp_sock_set_nodelay(sk); lock_sock(sk); + /* + * Because timers can fire after the fact we need to hold a + * reference on the netns for this socket. + */ + if (!sk->sk_net_refcnt) { + if (!maybe_get_net(net)) { + release_sock(sk); + return -ENOTCONN; + } + /* + * For kernel sockets we have a tracker put in place for + * the tracing, we need to free this to maintaine + * consistent tracking info. + */ + __netns_tracker_free(net, &sk->ns_tracker, false); + sk->sk_net_refcnt = 1; + netns_tracker_alloc(net, &sk->ns_tracker, GFP_KERNEL); + sock_inuse_add(net, 1); + } xs_save_old_callbacks(transport, sk); sk->sk_user_data = xprt; -- 2.43.0
WARNING: multiple messages have this Message-ID (diff)
From: Josef Bacik <josef@toxicpanda.com> To: trond.myklebust@hammerspace.com, anna@kernel.org, linux-nfs@vger.kernel.org, edumazet@google.com, kuba@kernel.org, kernel-team@fb.com Subject: [PATCH][RESEND] sunrpc: hold a ref on netns for tcp sockets Date: Tue, 19 Mar 2024 16:07:48 -0400 [thread overview] Message-ID: <512efbd56ad3679068759586c6fa9b681aec14f0.1710877783.git.josef@toxicpanda.com> (raw) Message-ID: <20240319200748.4wonF1kLS7qA8HrURJDQ0TqoQZhO5vsiSNvIt3p3DYo@z> (raw) We've been seeing variations of the following panic in production BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: 0010:ip6_pol_route+0x59/0x7a0 Call Trace: <IRQ> ? __die+0x78/0xc0 ? page_fault_oops+0x286/0x380 ? fib6_table_lookup+0x95/0xf40 ? exc_page_fault+0x5d/0x110 ? asm_exc_page_fault+0x22/0x30 ? ip6_pol_route+0x59/0x7a0 ? unlink_anon_vmas+0x370/0x370 fib6_rule_lookup+0x56/0x1b0 ? update_blocked_averages+0x2c6/0x6a0 ip6_route_output_flags+0xd2/0x130 ip6_dst_lookup_tail+0x3b/0x220 ip6_dst_lookup_flow+0x2c/0x80 inet6_sk_rebuild_header+0x14c/0x1e0 ? tcp_release_cb+0x150/0x150 __tcp_retransmit_skb+0x68/0x6b0 ? tcp_current_mss+0xca/0x150 ? tcp_release_cb+0x150/0x150 tcp_send_loss_probe+0x8e/0x220 tcp_write_timer+0xbe/0x2d0 run_timer_softirq+0x272/0x840 ? hrtimer_interrupt+0x2c9/0x5f0 ? sched_clock_cpu+0xc/0x170 irq_exit_rcu+0x171/0x330 sysvec_apic_timer_interrupt+0x6d/0x80 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0xe7/0x243 Inspecting the vmcore with drgn you can see why this is a NULL pointer deref >>> prog.crashed_thread().stack_trace()[0] #0 at 0xffffffff810bfa89 (ip6_pol_route+0x59/0x796) in ip6_pol_route at net/ipv6/route.c:2212:40 2212 if (net->ipv6.devconf_all->forwarding == 0) 2213 strict |= RT6_LOOKUP_F_REACHABLE; >>> prog.crashed_thread().stack_trace()[0]['net'].ipv6.devconf_all (struct ipv6_devconf *)0x0 Looking at the socket you can see that it's been closed >>> decode_enum_type_flags(prog.crashed_thread().stack_trace()[11]['sk'].__sk_common.skc_flags, prog.type('enum sock_flags')) 'SOCK_DEAD|SOCK_KEEPOPEN|SOCK_ZAPPED|SOCK_USE_WRITE_QUEUE' >>> decode_enum_type_flags(1 << prog.crashed_thread().stack_trace()[11]['sk'].__sk_common.skc_state.value_(), prog["TCPF_CLOSE"].type_, bit_numbers=False) 'TCPF_FIN_WAIT1' This occurs in our container setup where we have an NFS mount that belongs to the containers network namespace. On container shutdown our netns goes away, which sets net->ipv6.defconf_all = NULL, and then we panic. In the kernel we're responsible for destroying our sockets when the network namespace exits, or holding a reference on the network namespace for our sockets so this doesn't happen. Even once we shutdown the socket we can still have TCP timers that fire in the background, hence this panic. SUNRPC shuts down the socket and throws away all knowledge of it, but it's still doing things in the background. Fix this by grabbing a reference on the network namespace for any tcp sockets we open. With this patch I'm able to cycle my 500 node stress tier over and over again without panicing, whereas previously I was losing 10-20 nodes every shutdown cycle. Signed-off-by: Josef Bacik <josef@toxicpanda.com> --- Apologies, I just grepped for SUNRPC in MAINTAINERS and didn't realize there was a division of the client and server side of SUNRPC. net/sunrpc/xprtsock.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c index bb81050c870e..f02387751a94 100644 --- a/net/sunrpc/xprtsock.c +++ b/net/sunrpc/xprtsock.c @@ -2333,6 +2333,7 @@ static int xs_tcp_finish_connecting(struct rpc_xprt *xprt, struct socket *sock) if (!transport->inet) { struct sock *sk = sock->sk; + struct net *net = sock_net(sk); /* Avoid temporary address, they are bad for long-lived * connections such as NFS mounts. @@ -2350,7 +2351,26 @@ static int xs_tcp_finish_connecting(struct rpc_xprt *xprt, struct socket *sock) tcp_sock_set_nodelay(sk); lock_sock(sk); + /* + * Because timers can fire after the fact we need to hold a + * reference on the netns for this socket. + */ + if (!sk->sk_net_refcnt) { + if (!maybe_get_net(net)) { + release_sock(sk); + return -ENOTCONN; + } + /* + * For kernel sockets we have a tracker put in place for + * the tracing, we need to free this to maintaine + * consistent tracking info. + */ + __netns_tracker_free(net, &sk->ns_tracker, false); + sk->sk_net_refcnt = 1; + netns_tracker_alloc(net, &sk->ns_tracker, GFP_KERNEL); + sock_inuse_add(net, 1); + } xs_save_old_callbacks(transport, sk); sk->sk_user_data = xprt; -- 2.43.0
next reply other threads:[~2024-03-19 19:51 UTC|newest] Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top 2024-03-19 19:49 Josef Bacik [this message] 2024-03-19 20:07 ` [PATCH][RESEND] sunrpc: hold a ref on netns for tcp sockets Josef Bacik 2024-03-19 19:53 ` [PATCH] " Chuck Lever III 2024-03-19 21:59 ` [PATCH][RESEND] " Trond Myklebust 2024-03-20 14:10 ` Josef Bacik 2024-03-20 14:28 ` Eric Dumazet 2024-03-20 14:56 ` Josef Bacik 2024-03-20 15:00 ` Eric Dumazet 2024-03-20 15:35 ` Josef Bacik 2024-03-21 18:49 ` Josef Bacik
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=512efbd56ad3679068759586c6fa9b681aec14f0.1710877783.git.josef@toxicpanda.com \ --to=josef@toxicpanda.com \ --cc=chuck.lever@oracle.com \ --cc=edumazet@google.com \ --cc=jlayton@kernel.org \ --cc=kernel-team@fb.com \ --cc=kuba@kernel.org \ --cc=linux-nfs@vger.kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.