wexu at redhat.com
2017-Dec-01 10:10 UTC
[PATCH net,stable v4 0/3] vhost: fix a few skb leaks
From: Wei Xu <wexu at redhat.com> Matthew found a roughly 40% tcp throughput regression with commit c67df11f(vhost_net: try batch dequing from skb array) as discussed in the following thread: https://www.mail-archive.com/netdev at vger.kernel.org/msg187936.html v4: - fix zero iov iterator count in tap/tap_do_read()(Jason) - don't put tun in case of EBADFD(Jason) - Replace msg->msg_control with new 'skb' when calling tun/tap_do_read() v3: - move freeing skb from vhost to tun/tap recvmsg() to not confuse the callers. v2: - add Matthew as the reporter, thanks matthew. - moving zero headcount check ahead instead of defer consuming skb due to jason and mst's comment. - add freeing skb in favor of recvmsg() fails. Wei Xu (3): vhost: fix skb leak in handle_rx() tun: free skb in early errors tap: free skb if flags error drivers/net/tap.c | 14 ++++++++++---- drivers/net/tun.c | 24 ++++++++++++++++++------ drivers/vhost/net.c | 20 ++++++++++---------- 3 files changed, 38 insertions(+), 20 deletions(-) -- 1.8.3.1
From: Wei Xu <wexu at redhat.com> Matthew found a roughly 40% tcp throughput regression with commit c67df11f(vhost_net: try batch dequing from skb array) as discussed in the following thread: https://www.mail-archive.com/netdev at vger.kernel.org/msg187936.html Eventually we figured out that it was a skb leak in handle_rx() when sending packets to the VM. This usually happens when a guest can not drain out vq as fast as vhost fills in, afterwards it sets off the traffic jam and leaks skb(s) which occurs as no headcount to send on the vq from vhost side. This can be avoided by making sure we have got enough headcount before actually consuming a skb from the batched rx array while transmitting, which is simply done by moving checking the zero headcount a bit ahead. Signed-off-by: Wei Xu <wexu at redhat.com> Reported-by: Matthew Rosato <mjrosato at linux.vnet.ibm.com> --- drivers/vhost/net.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c index 8d626d7..c7bdeb6 100644 --- a/drivers/vhost/net.c +++ b/drivers/vhost/net.c @@ -778,16 +778,6 @@ static void handle_rx(struct vhost_net *net) /* On error, stop handling until the next kick. */ if (unlikely(headcount < 0)) goto out; - if (nvq->rx_array) - msg.msg_control = vhost_net_buf_consume(&nvq->rxq); - /* On overrun, truncate and discard */ - if (unlikely(headcount > UIO_MAXIOV)) { - iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1); - err = sock->ops->recvmsg(sock, &msg, - 1, MSG_DONTWAIT | MSG_TRUNC); - pr_debug("Discarded rx packet: len %zd\n", sock_len); - continue; - } /* OK, now we need to know about added descriptors. */ if (!headcount) { if (unlikely(vhost_enable_notify(&net->dev, vq))) { @@ -800,6 +790,16 @@ static void handle_rx(struct vhost_net *net) * they refilled. */ goto out; } + if (nvq->rx_array) + msg.msg_control = vhost_net_buf_consume(&nvq->rxq); + /* On overrun, truncate and discard */ + if (unlikely(headcount > UIO_MAXIOV)) { + iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1); + err = sock->ops->recvmsg(sock, &msg, + 1, MSG_DONTWAIT | MSG_TRUNC); + pr_debug("Discarded rx packet: len %zd\n", sock_len); + continue; + } /* We don't need to be notified again. */ iov_iter_init(&msg.msg_iter, READ, vq->iov, in, vhost_len); fixup = msg.msg_iter; -- 1.8.3.1
From: Wei Xu <wexu at redhat.com> tun_recvmsg() supports accepting skb by msg_control after commit ac77cfd4258f ("tun: support receiving skb through msg_control"), the skb if presented should be freed no matter how far it can go along, otherwise it would be leaked. This patch fixes several missed cases. Signed-off-by: Wei Xu <wexu at redhat.com> Reported-by: Matthew Rosato <mjrosato at linux.vnet.ibm.com> --- drivers/net/tun.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 9574900..4f4a842 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -1952,8 +1952,11 @@ static ssize_t tun_do_read(struct tun_struct *tun, struct tun_file *tfile, tun_debug(KERN_INFO, tun, "tun_do_read\n"); - if (!iov_iter_count(to)) + if (!iov_iter_count(to)) { + if (skb) + kfree_skb(skb); return 0; + } if (!skb) { /* Read frames from ring */ @@ -2069,22 +2072,24 @@ static int tun_recvmsg(struct socket *sock, struct msghdr *m, size_t total_len, { struct tun_file *tfile = container_of(sock, struct tun_file, socket); struct tun_struct *tun = tun_get(tfile); + struct sk_buff *skb = m->msg_control; int ret; - if (!tun) - return -EBADFD; + if (!tun) { + ret = -EBADFD; + goto out_free_skb; + } if (flags & ~(MSG_DONTWAIT|MSG_TRUNC|MSG_ERRQUEUE)) { ret = -EINVAL; - goto out; + goto out_put_tun; } if (flags & MSG_ERRQUEUE) { ret = sock_recv_errqueue(sock->sk, m, total_len, SOL_PACKET, TUN_TX_TIMESTAMP); goto out; } - ret = tun_do_read(tun, tfile, &m->msg_iter, flags & MSG_DONTWAIT, - m->msg_control); + ret = tun_do_read(tun, tfile, &m->msg_iter, flags & MSG_DONTWAIT, skb); if (ret > (ssize_t)total_len) { m->msg_flags |= MSG_TRUNC; ret = flags & MSG_TRUNC ? ret : total_len; @@ -2092,6 +2097,13 @@ static int tun_recvmsg(struct socket *sock, struct msghdr *m, size_t total_len, out: tun_put(tun); return ret; + +out_put_tun: + tun_put(tun); +out_free_skb: + if (skb) + kfree_skb(skb); + return ret; } static int tun_peek_len(struct socket *sock) -- 1.8.3.1
From: Wei Xu <wexu at redhat.com> tap_recvmsg() supports accepting skb by msg_control after commit 3b4ba04acca8 ("tap: support receiving skb from msg_control"), the skb if presented should be freed within the function, otherwise it would be leaked. Signed-off-by: Wei Xu <wexu at redhat.com> Reported-by: Matthew Rosato <mjrosato at linux.vnet.ibm.com> --- drivers/net/tap.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/net/tap.c b/drivers/net/tap.c index e9489b8..0a886fda 100644 --- a/drivers/net/tap.c +++ b/drivers/net/tap.c @@ -829,8 +829,11 @@ static ssize_t tap_do_read(struct tap_queue *q, DEFINE_WAIT(wait); ssize_t ret = 0; - if (!iov_iter_count(to)) + if (!iov_iter_count(to)) { + if (skb) + kfree_skb(skb); return 0; + } if (skb) goto put; @@ -1154,11 +1157,14 @@ static int tap_recvmsg(struct socket *sock, struct msghdr *m, size_t total_len, int flags) { struct tap_queue *q = container_of(sock, struct tap_queue, sock); + struct sk_buff *skb = m->msg_control; int ret; - if (flags & ~(MSG_DONTWAIT|MSG_TRUNC)) + if (flags & ~(MSG_DONTWAIT|MSG_TRUNC)) { + if (skb) + kfree_skb(skb); return -EINVAL; - ret = tap_do_read(q, &m->msg_iter, flags & MSG_DONTWAIT, - m->msg_control); + } + ret = tap_do_read(q, &m->msg_iter, flags & MSG_DONTWAIT, skb); if (ret > total_len) { m->msg_flags |= MSG_TRUNC; ret = flags & MSG_TRUNC ? ret : total_len; -- 1.8.3.1
Michael S. Tsirkin
2017-Dec-01 14:47 UTC
[PATCH net,stable v4 0/3] vhost: fix a few skb leaks
On Fri, Dec 01, 2017 at 05:10:35AM -0500, wexu at redhat.com wrote:> From: Wei Xu <wexu at redhat.com> > > Matthew found a roughly 40% tcp throughput regression with commit > c67df11f(vhost_net: try batch dequing from skb array) as discussed > in the following thread: > https://www.mail-archive.com/netdev at vger.kernel.org/msg187936.htmlSeries Acked-by: Michael S. Tsirkin <mst at redhat.com>> v4: > - fix zero iov iterator count in tap/tap_do_read()(Jason) > - don't put tun in case of EBADFD(Jason) > - Replace msg->msg_control with new 'skb' when calling tun/tap_do_read() > > v3: > - move freeing skb from vhost to tun/tap recvmsg() to not > confuse the callers. > > v2: > - add Matthew as the reporter, thanks matthew. > - moving zero headcount check ahead instead of defer consuming skb > due to jason and mst's comment. > - add freeing skb in favor of recvmsg() fails. > > Wei Xu (3): > vhost: fix skb leak in handle_rx() > tun: free skb in early errors > tap: free skb if flags error > > drivers/net/tap.c | 14 ++++++++++---- > drivers/net/tun.c | 24 ++++++++++++++++++------ > drivers/vhost/net.c | 20 ++++++++++---------- > 3 files changed, 38 insertions(+), 20 deletions(-) > > -- > 1.8.3.1
On Fri, Dec 01, 2017 at 05:10:36AM -0500, wexu at redhat.com wrote:> From: Wei Xu <wexu at redhat.com> > > Matthew found a roughly 40% tcp throughput regression with commit > c67df11f(vhost_net: try batch dequing from skb array) as discussed > in the following thread: > https://www.mail-archive.com/netdev at vger.kernel.org/msg187936.html > > Eventually we figured out that it was a skb leak in handle_rx() > when sending packets to the VM. This usually happens when a guest > can not drain out vq as fast as vhost fills in, afterwards it sets > off the traffic jam and leaks skb(s) which occurs as no headcount > to send on the vq from vhost side. > > This can be avoided by making sure we have got enough headcount > before actually consuming a skb from the batched rx array while > transmitting, which is simply done by moving checking the zero > headcount a bit ahead. > > Signed-off-by: Wei Xu <wexu at redhat.com> > Reported-by: Matthew Rosato <mjrosato at linux.vnet.ibm.com>Acked-by: Michael S. Tsirkin <mst at redhat.com>> --- > drivers/vhost/net.c | 20 ++++++++++---------- > 1 file changed, 10 insertions(+), 10 deletions(-) > > diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c > index 8d626d7..c7bdeb6 100644 > --- a/drivers/vhost/net.c > +++ b/drivers/vhost/net.c > @@ -778,16 +778,6 @@ static void handle_rx(struct vhost_net *net) > /* On error, stop handling until the next kick. */ > if (unlikely(headcount < 0)) > goto out; > - if (nvq->rx_array) > - msg.msg_control = vhost_net_buf_consume(&nvq->rxq); > - /* On overrun, truncate and discard */ > - if (unlikely(headcount > UIO_MAXIOV)) { > - iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1); > - err = sock->ops->recvmsg(sock, &msg, > - 1, MSG_DONTWAIT | MSG_TRUNC); > - pr_debug("Discarded rx packet: len %zd\n", sock_len); > - continue; > - } > /* OK, now we need to know about added descriptors. */ > if (!headcount) { > if (unlikely(vhost_enable_notify(&net->dev, vq))) { > @@ -800,6 +790,16 @@ static void handle_rx(struct vhost_net *net) > * they refilled. */ > goto out; > } > + if (nvq->rx_array) > + msg.msg_control = vhost_net_buf_consume(&nvq->rxq); > + /* On overrun, truncate and discard */ > + if (unlikely(headcount > UIO_MAXIOV)) { > + iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1); > + err = sock->ops->recvmsg(sock, &msg, > + 1, MSG_DONTWAIT | MSG_TRUNC); > + pr_debug("Discarded rx packet: len %zd\n", sock_len); > + continue; > + } > /* We don't need to be notified again. */ > iov_iter_init(&msg.msg_iter, READ, vq->iov, in, vhost_len); > fixup = msg.msg_iter; > -- > 1.8.3.1
On Fri, Dec 01, 2017 at 05:10:37AM -0500, wexu at redhat.com wrote:> From: Wei Xu <wexu at redhat.com> > > tun_recvmsg() supports accepting skb by msg_control after > commit ac77cfd4258f ("tun: support receiving skb through msg_control"), > the skb if presented should be freed no matter how far it can go > along, otherwise it would be leaked. > > This patch fixes several missed cases. > > Signed-off-by: Wei Xu <wexu at redhat.com> > Reported-by: Matthew Rosato <mjrosato at linux.vnet.ibm.com>Acked-by: Michael S. Tsirkin <mst at redhat.com>> --- > drivers/net/tun.c | 24 ++++++++++++++++++------ > 1 file changed, 18 insertions(+), 6 deletions(-) > > diff --git a/drivers/net/tun.c b/drivers/net/tun.c > index 9574900..4f4a842 100644 > --- a/drivers/net/tun.c > +++ b/drivers/net/tun.c > @@ -1952,8 +1952,11 @@ static ssize_t tun_do_read(struct tun_struct *tun, struct tun_file *tfile, > > tun_debug(KERN_INFO, tun, "tun_do_read\n"); > > - if (!iov_iter_count(to)) > + if (!iov_iter_count(to)) { > + if (skb) > + kfree_skb(skb); > return 0; > + } > > if (!skb) { > /* Read frames from ring */ > @@ -2069,22 +2072,24 @@ static int tun_recvmsg(struct socket *sock, struct msghdr *m, size_t total_len, > { > struct tun_file *tfile = container_of(sock, struct tun_file, socket); > struct tun_struct *tun = tun_get(tfile); > + struct sk_buff *skb = m->msg_control; > int ret; > > - if (!tun) > - return -EBADFD; > + if (!tun) { > + ret = -EBADFD; > + goto out_free_skb; > + } > > if (flags & ~(MSG_DONTWAIT|MSG_TRUNC|MSG_ERRQUEUE)) { > ret = -EINVAL; > - goto out; > + goto out_put_tun; > } > if (flags & MSG_ERRQUEUE) { > ret = sock_recv_errqueue(sock->sk, m, total_len, > SOL_PACKET, TUN_TX_TIMESTAMP); > goto out; > } > - ret = tun_do_read(tun, tfile, &m->msg_iter, flags & MSG_DONTWAIT, > - m->msg_control); > + ret = tun_do_read(tun, tfile, &m->msg_iter, flags & MSG_DONTWAIT, skb); > if (ret > (ssize_t)total_len) { > m->msg_flags |= MSG_TRUNC; > ret = flags & MSG_TRUNC ? ret : total_len; > @@ -2092,6 +2097,13 @@ static int tun_recvmsg(struct socket *sock, struct msghdr *m, size_t total_len, > out: > tun_put(tun); > return ret; > + > +out_put_tun: > + tun_put(tun); > +out_free_skb: > + if (skb) > + kfree_skb(skb); > + return ret; > } > > static int tun_peek_len(struct socket *sock) > -- > 1.8.3.1
On Fri, Dec 01, 2017 at 05:10:38AM -0500, wexu at redhat.com wrote:> From: Wei Xu <wexu at redhat.com> > > tap_recvmsg() supports accepting skb by msg_control after > commit 3b4ba04acca8 ("tap: support receiving skb from msg_control"), > the skb if presented should be freed within the function, otherwise > it would be leaked. > > Signed-off-by: Wei Xu <wexu at redhat.com> > Reported-by: Matthew Rosato <mjrosato at linux.vnet.ibm.com>Acked-by: Michael S. Tsirkin <mst at redhat.com>> --- > drivers/net/tap.c | 14 ++++++++++---- > 1 file changed, 10 insertions(+), 4 deletions(-) > > diff --git a/drivers/net/tap.c b/drivers/net/tap.c > index e9489b8..0a886fda 100644 > --- a/drivers/net/tap.c > +++ b/drivers/net/tap.c > @@ -829,8 +829,11 @@ static ssize_t tap_do_read(struct tap_queue *q, > DEFINE_WAIT(wait); > ssize_t ret = 0; > > - if (!iov_iter_count(to)) > + if (!iov_iter_count(to)) { > + if (skb) > + kfree_skb(skb); > return 0; > + } > > if (skb) > goto put; > @@ -1154,11 +1157,14 @@ static int tap_recvmsg(struct socket *sock, struct msghdr *m, > size_t total_len, int flags) > { > struct tap_queue *q = container_of(sock, struct tap_queue, sock); > + struct sk_buff *skb = m->msg_control; > int ret; > - if (flags & ~(MSG_DONTWAIT|MSG_TRUNC)) > + if (flags & ~(MSG_DONTWAIT|MSG_TRUNC)) { > + if (skb) > + kfree_skb(skb); > return -EINVAL; > - ret = tap_do_read(q, &m->msg_iter, flags & MSG_DONTWAIT, > - m->msg_control); > + } > + ret = tap_do_read(q, &m->msg_iter, flags & MSG_DONTWAIT, skb); > if (ret > total_len) { > m->msg_flags |= MSG_TRUNC; > ret = flags & MSG_TRUNC ? ret : total_len; > -- > 1.8.3.1
On 12/01/2017 09:47 AM, Michael S. Tsirkin wrote:> On Fri, Dec 01, 2017 at 05:10:35AM -0500, wexu at redhat.com wrote: >> From: Wei Xu <wexu at redhat.com> >> >> Matthew found a roughly 40% tcp throughput regression with commit >> c67df11f(vhost_net: try batch dequing from skb array) as discussed >> in the following thread: >> https://www.mail-archive.com/netdev at vger.kernel.org/msg187936.html > > Series > > Acked-by: Michael S. Tsirkin <mst at redhat.com>Tested this series on a z13 (s390x) on top of net-next using 4GB/4vcpu guests. Verified that both the reported TCP throughput regression and memory leak are resolved. net-next: 19.83 Gb/s net-next+: 35.02 Gb/s Thanks all! Matt> > >> v4: >> - fix zero iov iterator count in tap/tap_do_read()(Jason) >> - don't put tun in case of EBADFD(Jason) >> - Replace msg->msg_control with new 'skb' when calling tun/tap_do_read() >> >> v3: >> - move freeing skb from vhost to tun/tap recvmsg() to not >> confuse the callers. >> >> v2: >> - add Matthew as the reporter, thanks matthew. >> - moving zero headcount check ahead instead of defer consuming skb >> due to jason and mst's comment. >> - add freeing skb in favor of recvmsg() fails. >> >> Wei Xu (3): >> vhost: fix skb leak in handle_rx() >> tun: free skb in early errors >> tap: free skb if flags error >> >> drivers/net/tap.c | 14 ++++++++++---- >> drivers/net/tun.c | 24 ++++++++++++++++++------ >> drivers/vhost/net.c | 20 ++++++++++---------- >> 3 files changed, 38 insertions(+), 20 deletions(-) >> >> -- >> 1.8.3.1 >
From: wexu at redhat.com Date: Fri, 1 Dec 2017 05:10:35 -0500> Matthew found a roughly 40% tcp throughput regression with commit > c67df11f(vhost_net: try batch dequing from skb array) as discussed > in the following thread: > https://www.mail-archive.com/netdev at vger.kernel.org/msg187936.htmlSeries applied and queued up for -stable.
Possibly Parallel Threads
- [PATCH net,stable v4 0/3] vhost: fix a few skb leaks
- [PATCH net,stable v3] vhost: fix a few skb leaks
- [PATCH net,stable v3] vhost: fix a few skb leaks
- [PATCH net,stable v2] vhost: fix skb leak in handle_rx()
- [PATCH net,stable v2] vhost: fix skb leak in handle_rx()