Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp2051158pxu; Tue, 24 Nov 2020 15:56:15 -0800 (PST) X-Google-Smtp-Source: ABdhPJytZ/JiweQ44Vr4mk2OrFxIHFYgdH5jGzTQaSTFnM/xnXP9eokvJ4uDsSimFpnymdBGS4+5 X-Received: by 2002:a50:af21:: with SMTP id g30mr993451edd.46.1606262175387; Tue, 24 Nov 2020 15:56:15 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1606262175; cv=none; d=google.com; s=arc-20160816; b=1C0/lHQDVwTvDb71SgOFs03AQC/j0ij2TVcjst++5CGGqPSXk58PETXRObq8KjCYeC 01/YX2chPw0dzm3mq/FpU2h8KjUf8m+TH5txtITzHE5liOOeBIrP1nMIDR6TGpcbgK7f 5zdxx+fiEIxhrPQbQ7mjDyUyrXaRnombFVGuBZjSUhoCH3DLeceTyujEzh5x77qEO0hS AtnhjZ+mihOxy699qEeii+9Vr8f9N4w0Lor/QbLbdqI9WcJcKBy+aGl7PLjCmTrolWYh O6r8aQgBHQn5fNWvGH2FvlwjGdL97MUXZu3XHYEU2nZxe4YbMkCdsZh3SGMK8G8jyHt9 T5rA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:cc:to:from:date:subject :dkim-signature; bh=6+85ndIY+Mt46znb8PshLbDJvgm6Q6Mm/bRNp6T8MMU=; b=dFJM12CDKAOBUknplQyHBic6M7GuPv/xBsdUQTzf296acZuKkmjeWtfQud0bzPkomC XAu8B250Mte5HMr1lc5anFXWu4zp+k6uBn0iBfZa1pgbPeaEDFcZ17lp6GKAYUDfULQr 2q2lAG9ZsJNNvrXACebg9/Hf6Feoc5FMcxRxk3xRwvDOhRx3NC7qiMLQvT/3qLT4zx2V jj8Mh6ZJad2s8UecjMPVoYezGR4GtbbzNKYYI9KutHH0WQQ+kTzHxSK7i0IzTFARyjO1 uL9YOfE0XJGbCcxnfNLaJFcIaatQf+C068gOmFEOVqKRl1ojyUNtBomt3CeyDP/NP6oX xYCA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amazon.com header.s=amazon201209 header.b=lPeyDrGW; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r19si241710eju.332.2020.11.24.15.55.52; Tue, 24 Nov 2020 15:56:15 -0800 (PST) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@amazon.com header.s=amazon201209 header.b=lPeyDrGW; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730192AbgKXUGv (ORCPT + 99 others); Tue, 24 Nov 2020 15:06:51 -0500 Received: from smtp-fw-33001.amazon.com ([207.171.190.10]:13159 "EHLO smtp-fw-33001.amazon.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730187AbgKXUGv (ORCPT ); Tue, 24 Nov 2020 15:06:51 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1606248411; x=1637784411; h=date:from:to:cc:message-id:references:mime-version: in-reply-to:subject; bh=6+85ndIY+Mt46znb8PshLbDJvgm6Q6Mm/bRNp6T8MMU=; b=lPeyDrGWzDAE+9OjjeTZC2DfE5Bfh+2Mf8ycUr2miIoNuBcaWTRBH2rd MY/hKrK4Tssah35s8zfaDjDiVPDpvWD04lTurTXxoboRcJ4GAihP2Xw1b dZpGZoSzUfwkvep3Gd0+KofKx9fxJLmk9+dYaLALH7eDojV5QhsUh8BRc Q=; X-IronPort-AV: E=Sophos;i="5.78,366,1599523200"; d="scan'208";a="97532490" Subject: Re: [PATCH v1] NFS: Fix rpcrdma_inline_fixup() crash with new LISTXATTRS operation Received: from sea32-co-svc-lb4-vlan3.sea.corp.amazon.com (HELO email-inbound-relay-1a-7d76a15f.us-east-1.amazon.com) ([10.47.23.38]) by smtp-border-fw-out-33001.sea14.amazon.com with ESMTP; 24 Nov 2020 20:06:44 +0000 Received: from EX13MTAUWC002.ant.amazon.com (iad12-ws-svc-p26-lb9-vlan2.iad.amazon.com [10.40.163.34]) by email-inbound-relay-1a-7d76a15f.us-east-1.amazon.com (Postfix) with ESMTPS id 5389EA244E; Tue, 24 Nov 2020 20:06:41 +0000 (UTC) Received: from EX13D11UWC001.ant.amazon.com (10.43.162.151) by EX13MTAUWC002.ant.amazon.com (10.43.162.240) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 24 Nov 2020 20:06:41 +0000 Received: from EX13MTAUWC001.ant.amazon.com (10.43.162.135) by EX13D11UWC001.ant.amazon.com (10.43.162.151) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 24 Nov 2020 20:06:41 +0000 Received: from dev-dsk-fllinden-2c-c1893d73.us-west-2.amazon.com (172.23.141.97) by mail-relay.amazon.com (10.43.162.232) with Microsoft SMTP Server id 15.0.1497.2 via Frontend Transport; Tue, 24 Nov 2020 20:06:41 +0000 Received: by dev-dsk-fllinden-2c-c1893d73.us-west-2.amazon.com (Postfix, from userid 6262777) id 7D87BC1392; Tue, 24 Nov 2020 20:06:41 +0000 (UTC) Date: Tue, 24 Nov 2020 20:06:41 +0000 From: Frank van der Linden To: Chuck Lever CC: , Message-ID: <20201124200640.GA2476@dev-dsk-fllinden-2c-c1893d73.us-west-2.amazon.com> References: <160623862874.1534.4471924380357882531.stgit@manet.1015granger.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Disposition: inline In-Reply-To: <160623862874.1534.4471924380357882531.stgit@manet.1015granger.net> User-Agent: Mutt/1.11.4 (2019-03-13) Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Tue, Nov 24, 2020 at 12:26:32PM -0500, Chuck Lever wrote: > CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. > > > > By switching to an XFS-backed export, I am able to reproduce the > ibcomp worker crash on my client with xfstests generic/013. > > For the failing LISTXATTRS operation, xdr_inline_pages() is called > with page_len=12 and buflen=128. Then: > > - Because buflen is small, rpcrdma_marshal_req will not set up a > Reply chunk and the rpcrdma's XDRBUF_SPARSE_PAGES logic does not > get invoked at all. > > - Because page_len is non-zero, rpcrdma_inline_fixup() tries to > copy received data into rq_rcv_buf->pages, but they're missing. > > The result is that the ibcomp worker faults and dies. Sometimes that > causes a visible crash, and sometimes it results in a transport > hang without other symptoms. > > RPC/RDMA's XDRBUF_SPARSE_PAGES support is not entirely correct, and > should eventually be fixed or replaced. However, my preference is > that upper-layer operations should explicitly allocate their receive > buffers (using GFP_KERNEL) when possible, rather than relying on > XDRBUF_SPARSE_PAGES. > > Reported-by: Olga kornievskaia > Suggested-by: Olga kornievskaia > Signed-off-by: Chuck Lever > --- > fs/nfs/nfs42proc.c | 17 ++++++++++------- > fs/nfs/nfs42xdr.c | 1 - > 2 files changed, 10 insertions(+), 8 deletions(-) > > Hi- > > I like Olga's proposed approach. What do you think of this patch? > > > diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c > index 2b2211d1234e..24810305ec1c 100644 > --- a/fs/nfs/nfs42proc.c > +++ b/fs/nfs/nfs42proc.c > @@ -1241,7 +1241,7 @@ static ssize_t _nfs42_proc_listxattrs(struct inode *inode, void *buf, > .rpc_resp = &res, > }; > u32 xdrlen; > - int ret, np; > + int ret, np, i; > > > res.scratch = alloc_page(GFP_KERNEL); > @@ -1253,10 +1253,14 @@ static ssize_t _nfs42_proc_listxattrs(struct inode *inode, void *buf, > xdrlen = server->lxasize; > np = xdrlen / PAGE_SIZE + 1; > > + ret = -ENOMEM; > pages = kcalloc(np, sizeof(struct page *), GFP_KERNEL); > - if (pages == NULL) { > - __free_page(res.scratch); > - return -ENOMEM; > + if (pages == NULL) > + goto out_free; > + for (i = 0; i < np; i++) { > + pages[i] = alloc_page(GFP_KERNEL); > + if (!pages[i]) > + goto out_free; > } > > arg.xattr_pages = pages; > @@ -1271,14 +1275,13 @@ static ssize_t _nfs42_proc_listxattrs(struct inode *inode, void *buf, > *eofp = res.eof; > } > > +out_free: > while (--np >= 0) { > if (pages[np]) > __free_page(pages[np]); > } > - > - __free_page(res.scratch); > kfree(pages); > - > + __free_page(res.scratch); > return ret; > > } > diff --git a/fs/nfs/nfs42xdr.c b/fs/nfs/nfs42xdr.c > index 6e060a88f98c..8432bd6b95f0 100644 > --- a/fs/nfs/nfs42xdr.c > +++ b/fs/nfs/nfs42xdr.c > @@ -1528,7 +1528,6 @@ static void nfs4_xdr_enc_listxattrs(struct rpc_rqst *req, > > rpc_prepare_reply_pages(req, args->xattr_pages, 0, args->count, > hdr.replen); > - req->rq_rcv_buf.flags |= XDRBUF_SPARSE_PAGES; > > encode_nops(&hdr); > } > > I can see why this is the simplest and most pragmatic solution, so it's fine with me. Why doesn't this happen with getxattr? Do we need to convert that too? The basic issue here is that the RPC code does not deal with inlined data that exceeds PAGE_SIZE. That can only be done with raw pages. Since the upper layer has already allocated a buffer in the case of listxattr and getxattr, I would love to be able to just XDR code in to that buffer, and void the whole alloc+copy situation. But sadly, it might be > PAGE_SIZE, so the XDR code doesn't allow it. It's not all bad, having to use pages allows them to be directly hooked in to the cache in the case of getxattr, but for listxattr, decoding directly in to the provided buffer would be nice. Hm, I wonder if that restriction actually holds for listxattr - the invidual XDR items (xattr names) should never exceed PAGE_SIZE.. - Frank