On Wed, Nov 28, 2018 at 11:45:46AM +0300, Vasily Averin wrote: > Dear all, we have found memory leak on OpenVz7 node and believe it > affects mainline too. > > sunrpc_cache_lookup() removes exprired cache_head from hash, however > if it waits for reply on submitted cache_request both of them can leak > forever, nobody cleans unhashed cache_heads. > > Originally we had claim on busy loop device of stopped container, that > had executed nfs server inside. Device was kept by mount that was > detached from already destroyed mount namespace. By using crash > search we have found some structure with path struct related to our > mount. Finally we have found that it was alive svc_export struct used > by to alive cache_request, however both of them pointed to already > freed cache_detail. > > We decided that cache_detail was correctly freed during destroy of net > namespace, however svc_export with taken path struct, cache_request > and some other structures seems was leaked forever. > > This could happen only if cache_head of svc_export was removed from > hash on cache_detail before its destroy. Finally we have found that it > could happen when sunrpc_cache_lookup() removes expired cache_head > from hash. > > Usually it works correctly and cache_put(freeme) frees expired > cache_head. However in our case cache_head have an extra reference > counter from stalled cache_request. Becasue of cache_head was removed > from hash of cache_detail it cannot be found in cache_clean() and its > cache_request cannot be freed in cache_dequeue(). Memory leaks > forever, exactly like we observed. > > After may attempts we have reproduced this situation on OpenVz7 > kernel, however our reproducer is quite long and complex. > Unfortunately we still did not reproduced this problem on mainline > kernel and did not validated the patch yet. > > It would be great if someone advised us some simple way to trigger > described scenario. I think you should be able to produce hung upcalls by flushing the cache (exportfs -f), then stopping mountd, then trying to access the filesystem from a client. Does that help? > We are not sure that our patch is correct, please let us know if our > analyze missed something. It looks OK to me, but it would be helpful to have Neil's review too. I think I'd also copy some of the above into the changelog--e.g. it might be useful to document that this can manifest as a stray reference cuont on a mount. --b.
