Re: [PATCH net,stable] vhost: fix skb leak in handle_rx()
From: Jason Wang
Date: Wed Nov 29 2017 - 00:06:42 EST
On 2017å11æ29æ 09:53, Jason Wang wrote:
On 2017ÃÂÂ11ÃÅË29Ãâ 01:17, wexu@xxxxxxxxxx wrote:
From: Wei Xu <wexu@xxxxxxxxxx>
Matthew found a roughly 40% tcp throughput regression with commit
c67df11f(vhost_net: try batch dequing from skb array) as discussed
in the following thread:
https://www.mail-archive.com/netdev@xxxxxxxxxxxxxxx/msg187936.html
Eventually we figured out that it was a skb leak in handle_rx()
when sending packets to the VM. This usually happens when a guest
can not drain out vq as fast as vhost fills in, afterwards it sets
off the traffic jam and leaks skb(s) which occurs as no headcount
to send on the vq from vhost side.
This can be avoided by making sure we have got enough headcount
before actually consuming a skb from the batched rx array while
transmitting, which is simply done by deferring it a moment later
in this patch.
Signed-off-by: Wei Xu <wexu@xxxxxxxxxx>
---
 drivers/vhost/net.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 8d626d7..e76535e 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -778,8 +778,6 @@ static void handle_rx(struct vhost_net *net)
ÂÂÂÂÂÂÂÂÂ /* On error, stop handling until the next kick. */
ÂÂÂÂÂÂÂÂÂ if (unlikely(headcount < 0))
ÂÂÂÂÂÂÂÂÂÂÂÂÂ goto out;
-ÂÂÂÂÂÂÂ if (nvq->rx_array)
-ÂÂÂÂÂÂÂÂÂÂÂ msg.msg_control = vhost_net_buf_consume(&nvq->rxq);
ÂÂÂÂÂÂÂÂÂ /* On overrun, truncate and discard */
ÂÂÂÂÂÂÂÂÂ if (unlikely(headcount > UIO_MAXIOV)) {
You need do msg.msg_control = vhost_net_buf_consume() here too,
otherwise we may still get it leaked.
Thanks
Not a leak actually, but the packet won't be consumed and we will hit
UIO_MAXIOV forever in this case.
Thanks