Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753433AbdLDHSo (ORCPT ); Mon, 4 Dec 2017 02:18:44 -0500 Received: from mx1.redhat.com ([209.132.183.28]:52532 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753331AbdLDHSm (ORCPT ); Mon, 4 Dec 2017 02:18:42 -0500 Subject: Re: [PATCH 1/3] vhost: fix skb leak in handle_rx() To: "Michael S. Tsirkin" Cc: wexu@redhat.com, virtualization@lists.linux-foundation.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, mjrosato@linux.vnet.ibm.com References: <1512107669-27572-1-git-send-email-wexu@redhat.com> <1512107669-27572-2-git-send-email-wexu@redhat.com> <09e75683-4c49-7446-e13e-93b316ed270c@redhat.com> <20171201163728-mutt-send-email-mst@kernel.org> From: Jason Wang Message-ID: Date: Mon, 4 Dec 2017 15:18:32 +0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0 MIME-Version: 1.0 In-Reply-To: <20171201163728-mutt-send-email-mst@kernel.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Mon, 04 Dec 2017 07:18:42 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3111 Lines: 78 On 2017年12月01日 22:37, Michael S. Tsirkin wrote: > On Fri, Dec 01, 2017 at 03:11:05PM +0800, Jason Wang wrote: >> >> On 2017年12月01日 13:54, wexu@redhat.com wrote: >>> From: Wei Xu >>> >>> Matthew found a roughly 40% tcp throughput regression with commit >>> c67df11f(vhost_net: try batch dequing from skb array) as discussed >>> in the following thread: >>> https://www.mail-archive.com/netdev@vger.kernel.org/msg187936.html >>> >>> Eventually we figured out that it was a skb leak in handle_rx() >>> when sending packets to the VM. This usually happens when a guest >>> can not drain out vq as fast as vhost fills in, afterwards it sets >>> off the traffic jam and leaks skb(s) which occurs as no headcount >>> to send on the vq from vhost side. >>> >>> This can be avoided by making sure we have got enough headcount >>> before actually consuming a skb from the batched rx array while >>> transmitting, which is simply done by moving checking the zero >>> headcount a bit ahead. >>> >>> Signed-off-by: Wei Xu >>> Reported-by: Matthew Rosato >>> --- >>> drivers/vhost/net.c | 20 ++++++++++---------- >>> 1 file changed, 10 insertions(+), 10 deletions(-) >>> >>> diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c >>> index 8d626d7..c7bdeb6 100644 >>> --- a/drivers/vhost/net.c >>> +++ b/drivers/vhost/net.c >>> @@ -778,16 +778,6 @@ static void handle_rx(struct vhost_net *net) >>> /* On error, stop handling until the next kick. */ >>> if (unlikely(headcount < 0)) >>> goto out; >>> - if (nvq->rx_array) >>> - msg.msg_control = vhost_net_buf_consume(&nvq->rxq); >>> - /* On overrun, truncate and discard */ >>> - if (unlikely(headcount > UIO_MAXIOV)) { >>> - iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1); >>> - err = sock->ops->recvmsg(sock, &msg, >>> - 1, MSG_DONTWAIT | MSG_TRUNC); >>> - pr_debug("Discarded rx packet: len %zd\n", sock_len); >>> - continue; >>> - } >>> /* OK, now we need to know about added descriptors. */ >>> if (!headcount) { >>> if (unlikely(vhost_enable_notify(&net->dev, vq))) { >>> @@ -800,6 +790,16 @@ static void handle_rx(struct vhost_net *net) >>> * they refilled. */ >>> goto out; >>> } >>> + if (nvq->rx_array) >>> + msg.msg_control = vhost_net_buf_consume(&nvq->rxq); >>> + /* On overrun, truncate and discard */ >>> + if (unlikely(headcount > UIO_MAXIOV)) { >>> + iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1); >>> + err = sock->ops->recvmsg(sock, &msg, >>> + 1, MSG_DONTWAIT | MSG_TRUNC); >>> + pr_debug("Discarded rx packet: len %zd\n", sock_len); >>> + continue; >>> + } >>> /* We don't need to be notified again. */ >>> iov_iter_init(&msg.msg_iter, READ, vq->iov, in, vhost_len); >>> fixup = msg.msg_iter; >> I suggest to reorder this patch to 3/3. >> >> Thanks > Why? This doesn't cause any new leaks, does it? > It doesn't, just think it can ease the downstream back porting in case patch 2-3 were missed if somebody did a bisect and just backport patch 1. Thanks