From: David Howells <dhowells@redhat.com>
To: gregkh@linux-foundation.org
Cc: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>,
	viro@zeniv.linux.org.uk, sandeen@redhat.com, dhowells@redhat.com,
	linux-cachefs@redhat.com, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH 2/4] fscache: Fix race in fscache_op_complete() due to split atomic_sub & read
Date: Wed, 17 Oct 2018 15:23:38 +0100
Message-ID: <153978621809.8478.2198040871218302573.stgit@warthog.procyon.org.uk>
In-Reply-To: <153978619457.8478.3813964117489247515.stgit@warthog.procyon.org.uk>

From: kiran.modukuri <kiran.modukuri@gmail.com>

The code in fscache_retrieval_complete is using atomic_sub followed by an
atomic_read:

        atomic_sub(n_pages, &op->n_pages);
        if (atomic_read(&op->n_pages) <= 0)
                fscache_op_complete(&op->op, true);

This causes two threads doing a decrement of n_pages to race with each
other, seeing op->refcount 0 at the same time - and they end up calling
fscache_op_complete() in both threads, leading to an assertion failure.

Fix this by using atomic_sub_return() instead of two calls.

The oops looks something like:

FS-Cache: Assertion failed
FS-Cache: 0 > 0 is false
...
kernel BUG at /usr/src/linux-4.4.0/fs/fscache/operation.c:449!
...
Workqueue: fscache_operation fscache_op_work_func [fscache]
...
RIP: 0010:[<ffffffffc037eacd>] fscache_op_complete+0x10d/0x180 [fscache]
...
Call Trace:
 [<ffffffffc1464cf9>] cachefiles_read_copier+0x3a9/0x410 [cachefiles]
 [<ffffffffc037e272>] fscache_op_work_func+0x22/0x50 [fscache]
 [<ffffffff81096da0>] process_one_work+0x150/0x3f0
 [<ffffffff8109751a>] worker_thread+0x11a/0x470
 [<ffffffff81808e59>] ? __schedule+0x359/0x980
 [<ffffffff81097400>] ? rescuer_thread+0x310/0x310
 [<ffffffff8109cdd6>] kthread+0xd6/0xf0
 [<ffffffff8109cd00>] ? kthread_park+0x60/0x60
 [<ffffffff8180d0cf>] ret_from_fork+0x3f/0x70
 [<ffffffff8109cd00>] ? kthread_park+0x60/0x60

This was seen in 4.4.x kernels and the same bug affects fscache in the latest
upstream kernels.

Fixes: 1bb4b7f98f36 ("FS-Cache: The retrieval remaining-pages counter needs to be atomic_t")
Signed-off-by: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
---

 include/linux/fscache-cache.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/linux/fscache-cache.h b/include/linux/fscache-cache.h
index 34cf0fdd7dc7..bf98ed803af2 100644
--- a/include/linux/fscache-cache.h
+++ b/include/linux/fscache-cache.h
@@ -196,11 +196,11 @@ static inline void fscache_enqueue_retrieval(struct fscache_retrieval *op)
 static inline void fscache_retrieval_complete(struct fscache_retrieval *op,
 					      int n_pages)
 {
-	atomic_sub(n_pages, &op->n_pages);
-	if (atomic_read(&op->n_pages) <= 0)
+	if (atomic_sub_return(n_pages, &op->n_pages) <= 0)
 		fscache_op_complete(&op->op, false);
 }
 
+
 /**
  * fscache_put_retrieval - Drop a reference to a retrieval operation
  * @op: The retrieval operation affected
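Review bot: the commit message quotes the call as `fscache_op_complete(&op->op, true)` but the unchanged context line in this hunk reads `fscache_op_complete(&op->op, false)`; make the message match the code. With atomic_sub_return() only one caller can observe the counter crossing zero, but the `<= 0` test still lets a second caller that drives the count negative call fscache_op_complete() again, so an `== 0` comparison or an assertion on a negative return would turn such an over-decrement into a diagnostic rather than a repeat of the double completion this patch fixes. The added `+` blank line above the fscache_put_retrieval comment block is an unrelated whitespace change and should be dropped from this fix.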


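A constructed C11 model of the race described in the commit message, added here as an illustration (not the patch's code or kernel code): `retrieval_complete_split` mirrors the atomic_sub()/atomic_read() pair, `retrieval_complete_fixed` mirrors atomic_sub_return(), and a hypothetical `between` hook stands in for a second CPU finishing its page inside the window between the two calls.

```c
#include <stdatomic.h>
#include <stddef.h>
/* Constructed stand-in for struct fscache_retrieval: only what the race needs. */
struct retrieval {
	atomic_int n_pages;     /* pages still outstanding */
	atomic_int completions; /* times op_complete() ran; the kernel asserts 1 */
};

/* Stand-in for fscache_op_complete(): just counts invocations. */
static void op_complete(struct retrieval *op) { atomic_fetch_add(&op->completions, 1); }
/* Pre-fix shape: atomic_sub() then a separate atomic_read(). The `between`
 * hook models what another CPU gets to do in the window between the two. */
static void retrieval_complete_split(struct retrieval *op, int n,
				     void (*between)(struct retrieval *))
{
	atomic_fetch_sub(&op->n_pages, n);
	if (between)
		between(op);
	if (atomic_load(&op->n_pages) <= 0)
		op_complete(op);
}

/* Post-fix shape: atomic_sub_return() is one read-modify-write whose result
 * decides the completion, so the window can no longer change that decision. */
static void retrieval_complete_fixed(struct retrieval *op, int n,
				     void (*between)(struct retrieval *))
{
	int left = atomic_fetch_sub(&op->n_pages, n) - n;
	if (between)
		between(op);
	if (left <= 0)
		op_complete(op);
}

/* Worst-case interleaving: a second CPU finishes its page entirely inside
 * the first CPU's sub/read window. */
static void other_cpu_split(struct retrieval *op) { retrieval_complete_split(op, 1, NULL); }
static void other_cpu_fixed(struct retrieval *op) { retrieval_complete_fixed(op, 1, NULL); }
/* Two pages outstanding, one per CPU; each returns how many completions ran. */
int run_split(void)
{
	struct retrieval op = { .n_pages = 2, .completions = 0 };
	retrieval_complete_split(&op, 1, other_cpu_split);
	return atomic_load(&op.completions); /* 2: the double completion behind the oops */
}
int run_fixed(void)
{
	struct retrieval op = { .n_pages = 2, .completions = 0 };
	retrieval_complete_fixed(&op, 1, other_cpu_fixed);
	return atomic_load(&op.completions); /* 1 */
}
```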