fscache: bad refcounting in fscache_op_complete leads to OOPS
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
Fix Released
|
Medium
|
Daniel Axtens | ||
Xenial |
Fix Released
|
Medium
|
Unassigned | ||
Bionic |
Fix Released
|
Medium
|
Unassigned | ||
Cosmic |
Fix Released
|
Medium
|
Daniel Axtens |
Bug Description
SRU Justification
-----------------
[Impact]
A kernel BUG is sometimes observed when using fscache:
[4740718.
[4740718.
[4740718.
[4740718.
[4740718.
[4740718.
[4740718.
[4740718.
[4740718.
[4740718.
[4740718.
[4740718.
[4740718.
[4740718.
[4740718.
[4740718.
[4740718.
[Problem]
In include/
if (atomic_
The code is using atomic_sub followed by an atomic_read. This causes two threads doing a decrement of pages to race with each other seeing the op->refcount <= 0 at same time, and end up calling fscache_op_complete in both the threads leading to the OOPS.
[Fix]
The fix is trivial to use atomic_sub_return instead of two calls.
[Testcase]
I believe the user has tested the patch successfully on their fscache/cachefiles setup.
[Regression Potential]
Limited to fscache. Small, comprehensible change.
CVE References
description: | updated |
description: | updated |
Changed in linux (Ubuntu Xenial): | |
status: | New → In Progress |
Changed in linux (Ubuntu Bionic): | |
status: | New → In Progress |
Changed in linux (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Bionic): | |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Cosmic): | |
importance: | Undecided → Medium |
status: | Incomplete → In Progress |
assignee: | nobody → Daniel Axtens (daxtens) |
Changed in linux (Ubuntu Bionic): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu Xenial): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu Cosmic): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu): | |
status: | In Progress → Fix Released |
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1797314
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.