Whamcloud Community JIRA https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 [LU-15615] memory leak on use_t10_grd path in tgt_checksum_niobuf_t10pi https://jira.whamcloud.com/browse/LU-15615 Lustre <p>It looks like tgt_checksum_niobuf_t10pi() can leak memory if we ever set rc to nonzero, some of the conditions appear to set it without any visible warnings:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>       req = cfs_crypto_hash_init(cfs_alg, NULL, 0);         if (IS_ERR(req)) {                 CERROR("%s: unable to initialize checksum hash %s\n",                        tgt_name(tgt), cfs_crypto_hash_name(cfs_alg));                 return PTR_ERR(req);         } ...                 if (use_t10_grd) {                         used = DIV_ROUND_UP(local_nb[i].lnb_len, sector_size);                         if (used &gt; (guard_number - used_number)) {                                 rc = -E2BIG;                                 break;                         } ...         if (rc)                 GOTO(out, rc); ...         rc = cfs_crypto_hash_final(req, (unsigned char *)&amp;cksum, &amp;bufsize);       if (rc == 0)                 *check_sum = cksum; out:         __free_page(__page);         return rc; } </pre> </div></div> <p>This not only leads to leaking the req, but also the allocated page might be tied in the crypto hash calcs I imagine (passed in as sg buffer with a reference to be potentially freed in the final?)</p> LU-15615 memory leak on use_t10_grd path in tgt_checksum_niobuf_t10pi Bug Minor Resolved Fixed Oleg Drokin Oleg Drokin Fri, 4 Mar 2022 06:40:47 +0000 Mon, 1 May 2023 06:31:57 +0000 Mon, 1 May 2023 06:31:45 +0000 Lustre 2.16.0 0 7 <p>It looks like the "<tt>if (use_t10_grd)</tt>" condition is only true if there are T10-PI hardware checksums enabled on the underlying storage because of the <tt>lnb_guard_disk</tt> check:</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> use_t10_grd = t10_cksum_type &amp;&amp; opc == OST_READ &amp;&amp; local_nb[i].lnb_len == PAGE_SIZE &amp;&amp; local_nb[i].lnb_guard_disk; </pre> </div></div> <p>and <tt>lnb_guard_disk</tt> should only be set if T10-PI is enabled in the hardware, but I could be wrong about the code flow.</p> <p>In either case, for a potential fix for the memory leak for both of the "<tt>if (rc) break;</tt>" conditions, something like the following should work:</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> out: bufsize = sizeof(cksum); rc2 = cfs_crypto_hash_final(req, (unsigned <span class="code-object">char</span> *)&amp;cksum, &amp;bufsize); <span class="code-keyword">if</span> (rc2 &amp;&amp; !rc) rc = rc2; <span class="code-keyword">if</span> (!rc) *check_sum = cksum; __free_page(__page); <span class="code-keyword">return</span> rc; </pre> </div></div> <p>However, that doesn't explain why this code path is being taken - it should never happen that there is not enough space for the GRD tag in the allocated buffer unless there is an error somewhere else in the code.</p> <p>It probably makes sense to add at least a CERROR() to this branch, similar to the one in <tt>obd_page_dif_generate_buffer()</tt>, since this is a "should never happen" code path:</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> CERROR(<span class="code-quote">"%s: unexpected used guard number of DIF %u/%u, data length %u, sector size %u: rc = %d\n"</span>, obd_name, used, guard_number, length, sector_size, rc); </pre> </div></div> <p>I see that there is also a separate path were there could be a leak <tt>kmap(page)</tt>, though this would at least print a <tt>CERROR()</tt>, and <tt>kmap()</tt> (AFAIK) cannot tolerate a large number of different pages being mapped at once:</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> <span class="code-object">int</span> obd_page_dif_generate_buffer(<span class="code-keyword">const</span> <span class="code-object">char</span> *obd_name, struct page *page, __u32 offset, __u32 length, __u16 *guard_start, <span class="code-object">int</span> guard_number, <span class="code-object">int</span> *used_number, <span class="code-object">int</span> sector_size, obd_dif_csum_fn *fn) { data_buf = kmap(page) + offset; <span class="code-keyword">while</span> (i &lt; end) { <span class="code-keyword">if</span> (used &gt;= guard_number) { CERROR(<span class="code-quote">"%s: unexpected used guard number of DIF %u/%u, "</span> <span class="code-quote">"data length %u, sector size %u: rc = %d\n"</span>, obd_name, used, guard_number, length, sector_size, -E2BIG); <span class="code-keyword">return</span> -E2BIG; } : } kunmap(page); *used_number = used; <span class="code-keyword">return</span> 0; } </pre> </div></div> <p>I don't think this is a primary concern, but should also be fixed to instead always call <tt>kunmap()</tt>, like:</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> GOTO(out_unmap, rc = -E2BIG); } : } *used_number = used; out_unmap: kunmap(page); <span class="code-keyword">return</span> rc; </pre> </div></div> <p>"Li Dongyang &lt;dongyangli@ddn.com&gt;" uploaded a new patch: <a href="https://review.whamcloud.com/c/fs/lustre-release/+/50539" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/c/fs/lustre-release/+/50539</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-15615" title="memory leak on use_t10_grd path in tgt_checksum_niobuf_t10pi" class="issue-link" data-issue-key="LU-15615"><del>LU-15615</del></a> target: Free t10pi crypto state on error<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: 1<br/> Commit: db8a8c405ebd70d93410847f07ebe033a622df83</p> <p>"Oleg Drokin &lt;green@whamcloud.com&gt;" merged in patch <a href="https://review.whamcloud.com/c/fs/lustre-release/+/50539/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/c/fs/lustre-release/+/50539/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-15615" title="memory leak on use_t10_grd path in tgt_checksum_niobuf_t10pi" class="issue-link" data-issue-key="LU-15615"><del>LU-15615</del></a> target: Free t10pi crypto state on error<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: 6a88222bd6a1c0f5bd45fb40b88af226db8bd29a</p> <p>Landed for 2.16</p> Related LU-15598 Development Rank 1|i02jwf: Rank (Obsolete) 9223372036854775807 Severity