2017-12-01 05:54:42

by Wei Xu

[permalink] [raw]
Subject: [PATCH net,stable v3] vhost: fix a few skb leaks

From: Wei Xu <[email protected]>

Matthew found a roughly 40% tcp throughput regression with commit
c67df11f(vhost_net: try batch dequing from skb array) as discussed
in the following thread:
https://www.mail-archive.com/[email protected]/msg187936.html

This is v3.

v3:
- move freeing skb from vhost to tun/tap recvmsg() to not
confuse the callers.

v2:
- add Matthew as the reporter, thanks matthew.
- moving zero headcount check ahead instead of defer consuming skb
due to jason and mst's comment.
- add freeing skb in favor of recvmsg() fails.

Wei Xu (3):
vhost: fix skb leak in handle_rx()
tun: free skb in early errors
tap: free skb if flags error

drivers/net/tap.c | 6 +++++-
drivers/net/tun.c | 14 +++++++++++---
drivers/vhost/net.c | 20 ++++++++++----------
3 files changed, 26 insertions(+), 14 deletions(-)

--
1.8.3.1


2017-12-01 05:54:43

by Wei Xu

[permalink] [raw]
Subject: [PATCH 2/3] tun: free skb in early errors

From: Wei Xu <[email protected]>

tun_recvmsg() supports accepting skb by msg_control after
commit ac77cfd4258f ("tun: support receiving skb through msg_control"),
the skb if presented should be freed within the function, otherwise it
would be leaked.

Signed-off-by: Wei Xu <[email protected]>
Reported-by: Matthew Rosato <[email protected]>
---
drivers/net/tun.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 6a7bde9..5563430 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -2067,14 +2067,17 @@ static int tun_recvmsg(struct socket *sock, struct msghdr *m, size_t total_len,
{
struct tun_file *tfile = container_of(sock, struct tun_file, socket);
struct tun_struct *tun = tun_get(tfile);
+ struct sk_buff *skb = m->msg_control;
int ret;

- if (!tun)
- return -EBADFD;
+ if (!tun) {
+ ret = -EBADFD;
+ goto out_free_skb;
+ }

if (flags & ~(MSG_DONTWAIT|MSG_TRUNC|MSG_ERRQUEUE)) {
ret = -EINVAL;
- goto out;
+ goto out_free_skb;
}
if (flags & MSG_ERRQUEUE) {
ret = sock_recv_errqueue(sock->sk, m, total_len,
@@ -2087,6 +2090,11 @@ static int tun_recvmsg(struct socket *sock, struct msghdr *m, size_t total_len,
m->msg_flags |= MSG_TRUNC;
ret = flags & MSG_TRUNC ? ret : total_len;
}
+ goto out;
+
+out_free_skb:
+ if (skb)
+ kfree_skb(skb);
out:
tun_put(tun);
return ret;
--
1.8.3.1

2017-12-01 05:55:01

by Wei Xu

[permalink] [raw]
Subject: [PATCH 3/3] tap: free skb if flags error

From: Wei Xu <[email protected]>

tap_recvmsg() supports accepting skb by msg_control after
commit 3b4ba04acca8 ("tap: support receiving skb from msg_control"),
the skb if presented should be freed within the function, otherwise
it would be leaked.

Signed-off-by: Wei Xu <[email protected]>
Reported-by: Matthew Rosato <[email protected]>
---
drivers/net/tap.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index e9489b8..1c66b75 100644
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -1154,9 +1154,13 @@ static int tap_recvmsg(struct socket *sock, struct msghdr *m,
size_t total_len, int flags)
{
struct tap_queue *q = container_of(sock, struct tap_queue, sock);
+ struct sk_buff *skb = m->msg_control;
int ret;
- if (flags & ~(MSG_DONTWAIT|MSG_TRUNC))
+ if (flags & ~(MSG_DONTWAIT|MSG_TRUNC)) {
+ if (skb)
+ kfree_skb(skb);
return -EINVAL;
+ }
ret = tap_do_read(q, &m->msg_iter, flags & MSG_DONTWAIT,
m->msg_control);
if (ret > total_len) {
--
1.8.3.1

2017-12-01 05:55:29

by Wei Xu

[permalink] [raw]
Subject: [PATCH 1/3] vhost: fix skb leak in handle_rx()

From: Wei Xu <[email protected]>

Matthew found a roughly 40% tcp throughput regression with commit
c67df11f(vhost_net: try batch dequing from skb array) as discussed
in the following thread:
https://www.mail-archive.com/[email protected]/msg187936.html

Eventually we figured out that it was a skb leak in handle_rx()
when sending packets to the VM. This usually happens when a guest
can not drain out vq as fast as vhost fills in, afterwards it sets
off the traffic jam and leaks skb(s) which occurs as no headcount
to send on the vq from vhost side.

This can be avoided by making sure we have got enough headcount
before actually consuming a skb from the batched rx array while
transmitting, which is simply done by moving checking the zero
headcount a bit ahead.

Signed-off-by: Wei Xu <[email protected]>
Reported-by: Matthew Rosato <[email protected]>
---
drivers/vhost/net.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 8d626d7..c7bdeb6 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -778,16 +778,6 @@ static void handle_rx(struct vhost_net *net)
/* On error, stop handling until the next kick. */
if (unlikely(headcount < 0))
goto out;
- if (nvq->rx_array)
- msg.msg_control = vhost_net_buf_consume(&nvq->rxq);
- /* On overrun, truncate and discard */
- if (unlikely(headcount > UIO_MAXIOV)) {
- iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1);
- err = sock->ops->recvmsg(sock, &msg,
- 1, MSG_DONTWAIT | MSG_TRUNC);
- pr_debug("Discarded rx packet: len %zd\n", sock_len);
- continue;
- }
/* OK, now we need to know about added descriptors. */
if (!headcount) {
if (unlikely(vhost_enable_notify(&net->dev, vq))) {
@@ -800,6 +790,16 @@ static void handle_rx(struct vhost_net *net)
* they refilled. */
goto out;
}
+ if (nvq->rx_array)
+ msg.msg_control = vhost_net_buf_consume(&nvq->rxq);
+ /* On overrun, truncate and discard */
+ if (unlikely(headcount > UIO_MAXIOV)) {
+ iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1);
+ err = sock->ops->recvmsg(sock, &msg,
+ 1, MSG_DONTWAIT | MSG_TRUNC);
+ pr_debug("Discarded rx packet: len %zd\n", sock_len);
+ continue;
+ }
/* We don't need to be notified again. */
iov_iter_init(&msg.msg_iter, READ, vq->iov, in, vhost_len);
fixup = msg.msg_iter;
--
1.8.3.1

2017-12-01 07:07:54

by Jason Wang

[permalink] [raw]
Subject: Re: [PATCH 2/3] tun: free skb in early errors



On 2017年12月01日 13:54, [email protected] wrote:
> From: Wei Xu <[email protected]>
>
> tun_recvmsg() supports accepting skb by msg_control after
> commit ac77cfd4258f ("tun: support receiving skb through msg_control"),
> the skb if presented should be freed within the function, otherwise it
> would be leaked.
>
> Signed-off-by: Wei Xu <[email protected]>
> Reported-by: Matthew Rosato <[email protected]>
> ---
> drivers/net/tun.c | 14 +++++++++++---
> 1 file changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index 6a7bde9..5563430 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -2067,14 +2067,17 @@ static int tun_recvmsg(struct socket *sock, struct msghdr *m, size_t total_len,
> {
> struct tun_file *tfile = container_of(sock, struct tun_file, socket);
> struct tun_struct *tun = tun_get(tfile);
> + struct sk_buff *skb = m->msg_control;
> int ret;
>
> - if (!tun)
> - return -EBADFD;
> + if (!tun) {
> + ret = -EBADFD;
> + goto out_free_skb;

Unfortunately, you can't to there since tun is NULL.


> + }
>
> if (flags & ~(MSG_DONTWAIT|MSG_TRUNC|MSG_ERRQUEUE)) {
> ret = -EINVAL;
> - goto out;
> + goto out_free_skb;
> }
> if (flags & MSG_ERRQUEUE) {
> ret = sock_recv_errqueue(sock->sk, m, total_len,
> @@ -2087,6 +2090,11 @@ static int tun_recvmsg(struct socket *sock, struct msghdr *m, size_t total_len,
> m->msg_flags |= MSG_TRUNC;
> ret = flags & MSG_TRUNC ? ret : total_len;
> }
> + goto out;

We usually don't use goto in the case of success, and you need deal with
the case skb != NULL but iov_iter_count(to) == 0 in tun_do_read().

Thanks

> +
> +out_free_skb:
> + if (skb)
> + kfree_skb(skb);
> out:
> tun_put(tun);
> return ret;

2017-12-01 07:10:18

by Jason Wang

[permalink] [raw]
Subject: Re: [PATCH 3/3] tap: free skb if flags error



On 2017年12月01日 13:54, [email protected] wrote:
> From: Wei Xu <[email protected]>
>
> tap_recvmsg() supports accepting skb by msg_control after
> commit 3b4ba04acca8 ("tap: support receiving skb from msg_control"),
> the skb if presented should be freed within the function, otherwise
> it would be leaked.
>
> Signed-off-by: Wei Xu <[email protected]>
> Reported-by: Matthew Rosato <[email protected]>
> ---
> drivers/net/tap.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/tap.c b/drivers/net/tap.c
> index e9489b8..1c66b75 100644
> --- a/drivers/net/tap.c
> +++ b/drivers/net/tap.c
> @@ -1154,9 +1154,13 @@ static int tap_recvmsg(struct socket *sock, struct msghdr *m,
> size_t total_len, int flags)
> {
> struct tap_queue *q = container_of(sock, struct tap_queue, sock);
> + struct sk_buff *skb = m->msg_control;
> int ret;
> - if (flags & ~(MSG_DONTWAIT|MSG_TRUNC))
> + if (flags & ~(MSG_DONTWAIT|MSG_TRUNC)) {
> + if (skb)
> + kfree_skb(skb);
> return -EINVAL;
> + }
> ret = tap_do_read(q, &m->msg_iter, flags & MSG_DONTWAIT,
> m->msg_control);

Need to deal with iov_iterator_count() == 0.

Thanks

> if (ret > total_len) {

2017-12-01 07:11:13

by Jason Wang

[permalink] [raw]
Subject: Re: [PATCH 1/3] vhost: fix skb leak in handle_rx()



On 2017年12月01日 13:54, [email protected] wrote:
> From: Wei Xu <[email protected]>
>
> Matthew found a roughly 40% tcp throughput regression with commit
> c67df11f(vhost_net: try batch dequing from skb array) as discussed
> in the following thread:
> https://www.mail-archive.com/[email protected]/msg187936.html
>
> Eventually we figured out that it was a skb leak in handle_rx()
> when sending packets to the VM. This usually happens when a guest
> can not drain out vq as fast as vhost fills in, afterwards it sets
> off the traffic jam and leaks skb(s) which occurs as no headcount
> to send on the vq from vhost side.
>
> This can be avoided by making sure we have got enough headcount
> before actually consuming a skb from the batched rx array while
> transmitting, which is simply done by moving checking the zero
> headcount a bit ahead.
>
> Signed-off-by: Wei Xu <[email protected]>
> Reported-by: Matthew Rosato <[email protected]>
> ---
> drivers/vhost/net.c | 20 ++++++++++----------
> 1 file changed, 10 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
> index 8d626d7..c7bdeb6 100644
> --- a/drivers/vhost/net.c
> +++ b/drivers/vhost/net.c
> @@ -778,16 +778,6 @@ static void handle_rx(struct vhost_net *net)
> /* On error, stop handling until the next kick. */
> if (unlikely(headcount < 0))
> goto out;
> - if (nvq->rx_array)
> - msg.msg_control = vhost_net_buf_consume(&nvq->rxq);
> - /* On overrun, truncate and discard */
> - if (unlikely(headcount > UIO_MAXIOV)) {
> - iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1);
> - err = sock->ops->recvmsg(sock, &msg,
> - 1, MSG_DONTWAIT | MSG_TRUNC);
> - pr_debug("Discarded rx packet: len %zd\n", sock_len);
> - continue;
> - }
> /* OK, now we need to know about added descriptors. */
> if (!headcount) {
> if (unlikely(vhost_enable_notify(&net->dev, vq))) {
> @@ -800,6 +790,16 @@ static void handle_rx(struct vhost_net *net)
> * they refilled. */
> goto out;
> }
> + if (nvq->rx_array)
> + msg.msg_control = vhost_net_buf_consume(&nvq->rxq);
> + /* On overrun, truncate and discard */
> + if (unlikely(headcount > UIO_MAXIOV)) {
> + iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1);
> + err = sock->ops->recvmsg(sock, &msg,
> + 1, MSG_DONTWAIT | MSG_TRUNC);
> + pr_debug("Discarded rx packet: len %zd\n", sock_len);
> + continue;
> + }
> /* We don't need to be notified again. */
> iov_iter_init(&msg.msg_iter, READ, vq->iov, in, vhost_len);
> fixup = msg.msg_iter;

I suggest to reorder this patch to 3/3.

Thanks

2017-12-01 14:36:53

by Michael S. Tsirkin

[permalink] [raw]
Subject: Re: [PATCH 2/3] tun: free skb in early errors

On Fri, Dec 01, 2017 at 03:07:44PM +0800, Jason Wang wrote:
>
>
> On 2017年12月01日 13:54, [email protected] wrote:
> > From: Wei Xu <[email protected]>
> >
> > tun_recvmsg() supports accepting skb by msg_control after
> > commit ac77cfd4258f ("tun: support receiving skb through msg_control"),
> > the skb if presented should be freed within the function, otherwise it
> > would be leaked.
> >
> > Signed-off-by: Wei Xu <[email protected]>
> > Reported-by: Matthew Rosato <[email protected]>
> > ---
> > drivers/net/tun.c | 14 +++++++++++---
> > 1 file changed, 11 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> > index 6a7bde9..5563430 100644
> > --- a/drivers/net/tun.c
> > +++ b/drivers/net/tun.c
> > @@ -2067,14 +2067,17 @@ static int tun_recvmsg(struct socket *sock, struct msghdr *m, size_t total_len,
> > {
> > struct tun_file *tfile = container_of(sock, struct tun_file, socket);
> > struct tun_struct *tun = tun_get(tfile);
> > + struct sk_buff *skb = m->msg_control;
> > int ret;
> > - if (!tun)
> > - return -EBADFD;
> > + if (!tun) {
> > + ret = -EBADFD;
> > + goto out_free_skb;
>
> Unfortunately, you can't to there since tun is NULL.

Right, this should just be kfree_skb(skb); return -EBADFD;

>
> > + }
> > if (flags & ~(MSG_DONTWAIT|MSG_TRUNC|MSG_ERRQUEUE)) {
> > ret = -EINVAL;
> > - goto out;
> > + goto out_free_skb;
> > }
> > if (flags & MSG_ERRQUEUE) {
> > ret = sock_recv_errqueue(sock->sk, m, total_len,
> > @@ -2087,6 +2090,11 @@ static int tun_recvmsg(struct socket *sock, struct msghdr *m, size_t total_len,
> > m->msg_flags |= MSG_TRUNC;
> > ret = flags & MSG_TRUNC ? ret : total_len;
> > }
> > + goto out;
>
> We usually don't use goto in the case of success, and you need deal with the
> case skb != NULL but iov_iter_count(to) == 0 in tun_do_read().
>
> Thanks

I agree, the way to lay this out is:


tun_put(tun);
return ret;

err:
tun_put(tun);
err_tun:
if (skb)
kfree_skb(skb);
return ret;




> > +
> > +out_free_skb:
> > + if (skb)
> > + kfree_skb(skb);
> > out:
> > tun_put(tun);
> > return ret;

2017-12-01 14:37:46

by Michael S. Tsirkin

[permalink] [raw]
Subject: Re: [PATCH 1/3] vhost: fix skb leak in handle_rx()

On Fri, Dec 01, 2017 at 03:11:05PM +0800, Jason Wang wrote:
>
>
> On 2017年12月01日 13:54, [email protected] wrote:
> > From: Wei Xu <[email protected]>
> >
> > Matthew found a roughly 40% tcp throughput regression with commit
> > c67df11f(vhost_net: try batch dequing from skb array) as discussed
> > in the following thread:
> > https://www.mail-archive.com/[email protected]/msg187936.html
> >
> > Eventually we figured out that it was a skb leak in handle_rx()
> > when sending packets to the VM. This usually happens when a guest
> > can not drain out vq as fast as vhost fills in, afterwards it sets
> > off the traffic jam and leaks skb(s) which occurs as no headcount
> > to send on the vq from vhost side.
> >
> > This can be avoided by making sure we have got enough headcount
> > before actually consuming a skb from the batched rx array while
> > transmitting, which is simply done by moving checking the zero
> > headcount a bit ahead.
> >
> > Signed-off-by: Wei Xu <[email protected]>
> > Reported-by: Matthew Rosato <[email protected]>
> > ---
> > drivers/vhost/net.c | 20 ++++++++++----------
> > 1 file changed, 10 insertions(+), 10 deletions(-)
> >
> > diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
> > index 8d626d7..c7bdeb6 100644
> > --- a/drivers/vhost/net.c
> > +++ b/drivers/vhost/net.c
> > @@ -778,16 +778,6 @@ static void handle_rx(struct vhost_net *net)
> > /* On error, stop handling until the next kick. */
> > if (unlikely(headcount < 0))
> > goto out;
> > - if (nvq->rx_array)
> > - msg.msg_control = vhost_net_buf_consume(&nvq->rxq);
> > - /* On overrun, truncate and discard */
> > - if (unlikely(headcount > UIO_MAXIOV)) {
> > - iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1);
> > - err = sock->ops->recvmsg(sock, &msg,
> > - 1, MSG_DONTWAIT | MSG_TRUNC);
> > - pr_debug("Discarded rx packet: len %zd\n", sock_len);
> > - continue;
> > - }
> > /* OK, now we need to know about added descriptors. */
> > if (!headcount) {
> > if (unlikely(vhost_enable_notify(&net->dev, vq))) {
> > @@ -800,6 +790,16 @@ static void handle_rx(struct vhost_net *net)
> > * they refilled. */
> > goto out;
> > }
> > + if (nvq->rx_array)
> > + msg.msg_control = vhost_net_buf_consume(&nvq->rxq);
> > + /* On overrun, truncate and discard */
> > + if (unlikely(headcount > UIO_MAXIOV)) {
> > + iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1);
> > + err = sock->ops->recvmsg(sock, &msg,
> > + 1, MSG_DONTWAIT | MSG_TRUNC);
> > + pr_debug("Discarded rx packet: len %zd\n", sock_len);
> > + continue;
> > + }
> > /* We don't need to be notified again. */
> > iov_iter_init(&msg.msg_iter, READ, vq->iov, in, vhost_len);
> > fixup = msg.msg_iter;
>
> I suggest to reorder this patch to 3/3.
>
> Thanks

Why? This doesn't cause any new leaks, does it?

--
MST

2017-12-04 07:18:44

by Jason Wang

[permalink] [raw]
Subject: Re: [PATCH 1/3] vhost: fix skb leak in handle_rx()



On 2017年12月01日 22:37, Michael S. Tsirkin wrote:
> On Fri, Dec 01, 2017 at 03:11:05PM +0800, Jason Wang wrote:
>>
>> On 2017年12月01日 13:54, [email protected] wrote:
>>> From: Wei Xu <[email protected]>
>>>
>>> Matthew found a roughly 40% tcp throughput regression with commit
>>> c67df11f(vhost_net: try batch dequing from skb array) as discussed
>>> in the following thread:
>>> https://www.mail-archive.com/[email protected]/msg187936.html
>>>
>>> Eventually we figured out that it was a skb leak in handle_rx()
>>> when sending packets to the VM. This usually happens when a guest
>>> can not drain out vq as fast as vhost fills in, afterwards it sets
>>> off the traffic jam and leaks skb(s) which occurs as no headcount
>>> to send on the vq from vhost side.
>>>
>>> This can be avoided by making sure we have got enough headcount
>>> before actually consuming a skb from the batched rx array while
>>> transmitting, which is simply done by moving checking the zero
>>> headcount a bit ahead.
>>>
>>> Signed-off-by: Wei Xu <[email protected]>
>>> Reported-by: Matthew Rosato <[email protected]>
>>> ---
>>> drivers/vhost/net.c | 20 ++++++++++----------
>>> 1 file changed, 10 insertions(+), 10 deletions(-)
>>>
>>> diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
>>> index 8d626d7..c7bdeb6 100644
>>> --- a/drivers/vhost/net.c
>>> +++ b/drivers/vhost/net.c
>>> @@ -778,16 +778,6 @@ static void handle_rx(struct vhost_net *net)
>>> /* On error, stop handling until the next kick. */
>>> if (unlikely(headcount < 0))
>>> goto out;
>>> - if (nvq->rx_array)
>>> - msg.msg_control = vhost_net_buf_consume(&nvq->rxq);
>>> - /* On overrun, truncate and discard */
>>> - if (unlikely(headcount > UIO_MAXIOV)) {
>>> - iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1);
>>> - err = sock->ops->recvmsg(sock, &msg,
>>> - 1, MSG_DONTWAIT | MSG_TRUNC);
>>> - pr_debug("Discarded rx packet: len %zd\n", sock_len);
>>> - continue;
>>> - }
>>> /* OK, now we need to know about added descriptors. */
>>> if (!headcount) {
>>> if (unlikely(vhost_enable_notify(&net->dev, vq))) {
>>> @@ -800,6 +790,16 @@ static void handle_rx(struct vhost_net *net)
>>> * they refilled. */
>>> goto out;
>>> }
>>> + if (nvq->rx_array)
>>> + msg.msg_control = vhost_net_buf_consume(&nvq->rxq);
>>> + /* On overrun, truncate and discard */
>>> + if (unlikely(headcount > UIO_MAXIOV)) {
>>> + iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1);
>>> + err = sock->ops->recvmsg(sock, &msg,
>>> + 1, MSG_DONTWAIT | MSG_TRUNC);
>>> + pr_debug("Discarded rx packet: len %zd\n", sock_len);
>>> + continue;
>>> + }
>>> /* We don't need to be notified again. */
>>> iov_iter_init(&msg.msg_iter, READ, vq->iov, in, vhost_len);
>>> fixup = msg.msg_iter;
>> I suggest to reorder this patch to 3/3.
>>
>> Thanks
> Why? This doesn't cause any new leaks, does it?
>

It doesn't, just think it can ease the downstream back porting in case
patch 2-3 were missed if somebody did a bisect and just backport patch 1.

Thanks