On Thu, Feb 2, 2023 at 11:12 AM Li Zhijian <lizhijian@xxxxxxxxxxx> wrote:
>
> As the mention in commmit f7452a7e96c1 ("RDMA/rtrs-srv: fix memory leak by missing kobject free"),
> it was intended to remove the kobject_del for srv_path->kobj.
>
> f7452a7e96c1 said:
> >This patch moves kobject_del() into free_sess() so that the kobject of
> > rtrs_srv_sess can be freed.
>
> This patch also move rtrs_srv_destroy_once_sysfs_root_folders back to
> 'if (srv_path->kobj.state_in_sysfs)' block to avoid a 'held lock freed!'
>
> A kernel panic will be triggered by following script
> -----------------------
> $ while true
> do
> echo "sessname=foo path=ip:<ip address> device_path=/dev/nvme0n1" > /sys/devices/virtual/rnbd-client/ctl/map_device
> echo "normal" > /sys/block/rnbd0/rnbd/unmap_device
> done
> -----------------------
> The bisection pointed to commit 6af4609c18b3 ("RDMA/rtrs-srv: Fix several issues in rtrs_srv_destroy_path_files")
> at last.
>
> rnbd_server L777: </dev/nvme0n1@foo>: Opened device 'nvme0n1'
> general protection fault, probably for non-canonical address 0x765f766564753aea: 0000 [#1] PREEMPT SMP PTI
> CPU: 0 PID: 3558 Comm: systemd-udevd Kdump: loaded Not tainted 6.1.0-rc3-roce-flush+ #51
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
> RIP: 0010:kernfs_dop_revalidate+0x36/0x180
> Code: 00 00 41 55 41 54 55 53 48 8b 47 68 48 89 fb 48 85 c0 0f 84 db 00 00 00 48 8b a8 60 04 00 00 48 8b 45 30 48 85 c0 48 0f 44 c5 <4c> 8b 60 78 49 81 c4 d8 00 00 00 4c 89 e7 e8 b7 78 7b 00 8b 05 3d
> RSP: 0018:ffffaf1700b67c78 EFLAGS: 00010206
> RAX: 765f766564753a72 RBX: ffff89e2830849c0 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff89e2830849c0
> RBP: ffff89e280361bd0 R08: 0000000000000000 R09: 0000000000000001
> R10: 0000000000000065 R11: 0000000000000000 R12: ffff89e2830849c0
> R13: ffff89e283084888 R14: d0d0d0d0d0d0d0d0 R15: 2f2f2f2f2f2f2f2f
> FS: 00007f13fbce7b40(0000) GS:ffff89e2bbc00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f93e055d340 CR3: 0000000104664002 CR4: 00000000001706f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> lookup_fast+0x7b/0x100
> walk_component+0x21/0x160
> link_path_walk.part.0+0x24d/0x390
> path_openat+0xad/0x9a0
> do_filp_open+0xa9/0x150
> ? lock_release+0x13c/0x2e0
> ? _raw_spin_unlock+0x29/0x50
> ? alloc_fd+0x124/0x1f0
> do_sys_openat2+0x9b/0x160
> __x64_sys_openat+0x54/0xa0
> do_syscall_64+0x3b/0x90
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7f13fc9d701b
> Code: 25 00 00 41 00 3d 00 00 41 00 74 4b 64 8b 04 25 18 00 00 00 85 c0 75 67 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 91 00 00 00 48 8b 54 24 28 64 48 2b 14 25
> RSP: 002b:00007ffddf242640 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f13fc9d701b
> RDX: 0000000000080000 RSI: 00007ffddf2427c0 RDI: 00000000ffffff9c
> RBP: 00007ffddf2427c0 R08: 00007f13fcc5b440 R09: 21b2131aa64b1ef2
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000080000
> R13: 00007ffddf2427c0 R14: 000055ed13be8db0 R15: 0000000000000000
>
> Fixes: 6af4609c18b3 ("RDMA/rtrs-srv: Fix several issues in rtrs_srv_destroy_path_files")
> Acked-by: Guoqing Jiang <guoqing.jiang@xxxxxxxxx>
> Signed-off-by: Li Zhijian <lizhijian@xxxxxxxxxxx>
Acked-by: Jack Wang <jinpu.wang@xxxxxxxxx>
Thx!
> ---
> V2: Call rtrs_srv_destroy_once_sysfs_root_folders in condition to avoid
> a 'held lock freed!'
> ---
> drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c b/drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c
> index c76ba29da1e2..5adba0f754b6 100644
> --- a/drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c
> +++ b/drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c
> @@ -312,9 +312,8 @@ void rtrs_srv_destroy_path_files(struct rtrs_srv_path *srv_path)
>
> if (srv_path->kobj.state_in_sysfs) {
> sysfs_remove_group(&srv_path->kobj, &rtrs_srv_path_attr_group);
> - kobject_del(&srv_path->kobj);
> kobject_put(&srv_path->kobj);
> + rtrs_srv_destroy_once_sysfs_root_folders(srv_path);
> }
>
> - rtrs_srv_destroy_once_sysfs_root_folders(srv_path);
> }
> --
> 1.8.3.1
>
