From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756213AbaGVPvM (ORCPT ); Tue, 22 Jul 2014 11:51:12 -0400
Received: from mail-qa0-f53.google.com ([209.85.216.53]:34423 "EHLO mail-qa0-f53.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756080AbaGVPvJ (ORCPT ); Tue, 22 Jul 2014 11:51:09 -0400
Message-ID: <53CE886B.6030306@adfin.com>
Date: Tue, 22 Jul 2014 11:51:07 -0400
From: Milosz Tanski
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: linux-cachefs@redhat.com
CC: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, "David Howells" , "NeilBrown" , "Shantanu Goel"
Subject: [PATCH 3/3] FS-Cache: refcount becomes corrupt under vma pressure.
References:
In-Reply-To:
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

In rare cases under heavy VMA pressure the ref count for fscache cookies
becomes corrupt. In this case we decrement the ref count even if we fail
before incrementing the refcount.

FS-Cache: Assertion failed bnode-eca5f9c6/syslog 0 > 0 is false
------------[ cut here ]------------
kernel BUG at fs/fscache/cookie.c:519!
invalid opcode: 0000 [#1] SMP
Call Trace:
 [] __fscache_relinquish_cookie+0x50/0x220 [fscache]
 [] ceph_fscache_unregister_inode_cookie+0x3e/0x50 [ceph]
 [] ceph_destroy_inode+0x33/0x200 [ceph]
 [] ? __fsnotify_inode_delete+0xe/0x10
 [] destroy_inode+0x3c/0x70
 [] evict+0x111/0x180
 [] iput+0x103/0x190
 [] __dentry_kill+0x1c8/0x220
 [] shrink_dentry_list+0xf1/0x250
 [] prune_dcache_sb+0x4c/0x60
 [] super_cache_scan+0xff/0x170
 [] shrink_slab_node+0x140/0x2c0
 [] shrink_slab+0x8a/0x130
 [] balance_pgdat+0x3e2/0x5d0
 [] kswapd+0x16a/0x4a0
 [] ? __wake_up_sync+0x20/0x20
 [] ? balance_pgdat+0x5d0/0x5d0
 [] kthread+0xc9/0xe0
 [] ? ftrace_raw_event_xen_mmu_release_ptpage+0x70/0x90
 [] ? flush_kthread_worker+0xb0/0xb0
 [] ret_from_fork+0x7c/0xb0
 [] ? flush_kthread_worker+0xb0/0xb0
RIP [] __fscache_disable_cookie+0x1db/0x210 [fscache]
RSP
---[ end trace 254d0d7c74a01f25 ]---
---
 fs/fscache/page.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/fscache/page.c b/fs/fscache/page.c index 84e11aa..c83dd89 100644 --- a/fs/fscache/page.c +++ b/fs/fscache/page.c
@@ -195,7 +195,7 @@ int __fscache_attr_changed(struct fscache_cookie *cookie) { struct fscache_operation *op; struct fscache_object *object; - bool wake_cookie; + bool wake_cookie = false; _enter("%p", cookie); @@ -225,15 +225,16 @@ int __fscache_attr_changed(struct fscache_cookie *cookie) __fscache_use_cookie(cookie); if (fscache_submit_exclusive_op(object, op) < 0) - goto nobufs; + goto nobufs_dec; spin_unlock(&cookie->lock); fscache_stat(&fscache_n_attr_changed_ok); fscache_put_operation(op); _leave(" = 0"); return 0; -nobufs: +nobufs_dec: wake_cookie = __fscache_unuse_cookie(cookie); +nobufs: spin_unlock(&cookie->lock); kfree(op); if (wake_cookie) -- 1.7.9.5 From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Milosz Tanski
Subject: [PATCH 3/3] FS-Cache: refcount becomes corrupt under vma pressure.
Date: Tue, 22 Jul 2014 11:51:07 -0400
Message-ID: <53CE886B.6030306@adfin.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Cc: linux-fsdevel@vger.kernel.org, NeilBrown , linux-kernel@vger.kernel.org, Shantanu Goel
To: linux-cachefs@redhat.com
Return-path:
In-Reply-To:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: linux-cachefs-bounces@redhat.com
Errors-To: linux-cachefs-bounces@redhat.com
List-Id: linux-fsdevel.vger.kernel.org

In rare cases under heavy VMA pressure the ref count for fscache cookies
becomes corrupt. In this case we decrement the ref count even if we fail
before incrementing the refcount.

FS-Cache: Assertion failed bnode-eca5f9c6/syslog 0 > 0 is false
------------[ cut here ]------------
kernel BUG at fs/fscache/cookie.c:519!
invalid opcode: 0000 [#1] SMP
Call Trace:
 [] __fscache_relinquish_cookie+0x50/0x220 [fscache]
 [] ceph_fscache_unregister_inode_cookie+0x3e/0x50 [ceph]
 [] ceph_destroy_inode+0x33/0x200 [ceph]
 [] ? __fsnotify_inode_delete+0xe/0x10
 [] destroy_inode+0x3c/0x70
 [] evict+0x111/0x180
 [] iput+0x103/0x190
 [] __dentry_kill+0x1c8/0x220
 [] shrink_dentry_list+0xf1/0x250
 [] prune_dcache_sb+0x4c/0x60
 [] super_cache_scan+0xff/0x170
 [] shrink_slab_node+0x140/0x2c0
 [] shrink_slab+0x8a/0x130
 [] balance_pgdat+0x3e2/0x5d0
 [] kswapd+0x16a/0x4a0
 [] ? __wake_up_sync+0x20/0x20
 [] ? balance_pgdat+0x5d0/0x5d0
 [] kthread+0xc9/0xe0
 [] ? ftrace_raw_event_xen_mmu_release_ptpage+0x70/0x90
 [] ? flush_kthread_worker+0xb0/0xb0
 [] ret_from_fork+0x7c/0xb0
 [] ? flush_kthread_worker+0xb0/0xb0
RIP [] __fscache_disable_cookie+0x1db/0x210 [fscache]
RSP
---[ end trace 254d0d7c74a01f25 ]---
---
 fs/fscache/page.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/fscache/page.c b/fs/fscache/page.c index 84e11aa..c83dd89 100644 --- a/fs/fscache/page.c
+++ b/fs/fscache/page.c @@ -195,7 +195,7 @@ int __fscache_attr_changed(struct fscache_cookie *cookie) { struct fscache_operation *op; struct fscache_object *object; - bool wake_cookie; + bool wake_cookie = false; _enter("%p", cookie); @@ -225,15 +225,16 @@ int __fscache_attr_changed(struct fscache_cookie *cookie) __fscache_use_cookie(cookie); if (fscache_submit_exclusive_op(object, op) < 0) - goto nobufs; + goto nobufs_dec; spin_unlock(&cookie->lock); fscache_stat(&fscache_n_attr_changed_ok); fscache_put_operation(op); _leave(" = 0"); return 0; -nobufs: +nobufs_dec: wake_cookie = __fscache_unuse_cookie(cookie); +nobufs: spin_unlock(&cookie->lock); kfree(op); if (wake_cookie) -- 1.7.9.5
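
Review bot: The initializer added at "bool wake_cookie = false;" in the first hunk is load-bearing only because the second hunk lets the "nobufs:" path reach "if (wake_cookie)" without ever assigning the variable, and neither the code nor the changelog says so. Mention that dependency in the commit message or add a one-line comment at the declaration, so a later cleanup does not drop the initializer as redundant.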
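
Review bot: In the second hunk only the fscache_submit_exclusive_op() failure is switched to "goto nobufs_dec;", while every other "goto nobufs" in __fscache_attr_changed() lies outside the context shown and now skips __fscache_unuse_cookie(); the changelog should name those paths and confirm that each one jumps before __fscache_use_cookie(cookie) has run. "nobufs_dec:" also falls through into "nobufs:", which deserves a short comment so the ordering of the two labels is not rearranged later. The message carries no Signed-off-by line, and since the trace shows reclaim through kswapd and shrink_slab, the subject may mean memory (VM) pressure rather than VMA pressure.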