Ubuntu
linux package

Bug #1797314
Comment #0

Comment 0 for bug 1797314

Revision history for this message

Daniel Axtens (daxtens) wrote on 2018-10-11:

SRU Justification
-----------------

[Impact]

A kernel BUG is sometimes observed when using fscache:

    Jun 25 11:32:08 kernel: [4740718.880898] FS-Cache:
    Jun 25 11:32:08 kernel: [4740718.880920] FS-Cache: Assertion failed
    Jun 25 11:32:08 kernel: [4740718.880934] FS-Cache: 0 > 0 is false
    Jun 25 11:32:08 kernel: [4740718.881001] ------------[ cut here ]------------
    Jun 25 11:32:08 kernel: [4740718.881017] kernel BUG at /usr/src/linux-4.4.0/fs/fscache/operation.c:449!
    Jun 25 11:32:08 kernel: [4740718.881040] invalid opcode: 0000 [#1] SMP
    ...
    Jun 25 11:32:08 kernel: [4740718.892659] Call Trace:
    Jun 25 11:32:08 kernel: [4740718.893506] [<ffffffffc1464cf9>] cachefiles_read_copier+0x3a9/0x410 [cachefiles]
    Jun 25 11:32:08 kernel: [4740718.894374] [<ffffffffc037e272>] fscache_op_work_func+0x22/0x50 [fscache]
    Jun 25 11:32:08 kernel: [4740718.895180] [<ffffffff81096da0>] process_one_work+0x150/0x3f0
    Jun 25 11:32:08 kernel: [4740718.895966] [<ffffffff8109751a>] worker_thread+0x11a/0x470
    Jun 25 11:32:08 kernel: [4740718.896753] [<ffffffff81808e59>] ? __schedule+0x359/0x980
    Jun 25 11:32:08 kernel: [4740718.897783] [<ffffffff81097400>] ? rescuer_thread+0x310/0x310
    Jun 25 11:32:08 kernel: [4740718.898581] [<ffffffff8109cdd6>] kthread+0xd6/0xf0
    Jun 25 11:32:08 kernel: [4740718.899469] [<ffffffff8109cd00>] ? kthread_park+0x60/0x60
    Jun 25 11:32:08 kernel: [4740718.900477] [<ffffffff8180d0cf>] ret_from_fork+0x3f/0x70
    Jun 25 11:32:08 kernel: [4740718.901514] [<ffffffff8109cd00>] ? kthread_park+0x60/0x60

[Problem]

In include/fscache-cache.h, fscache_retrieval_complete reads, in part:

            atomic_sub(n_pages, &op->n_pages);
            if (atomic_read(&op->n_pages) <= 0)
                    fscache_op_complete(&op->op, true);

The code is using atomic_sub followed by an atomic_read. This causes two threads doing a decrement of pages to race with each other seeing the op->refcount <= 0 at same time,
and end up calling fscache_op_complete in both the threads leading to the OOPS.

[Fix]
The fix is trivial to use atomic_sub_return instead of two calls.

[Testcase]
The user has tested the patch successfully on their fscache/cachefiles setup.

[Regression Potential]
Limited to fscache. Small, comprehensible change.

SRU Justification
-----------------

[Impact]

A kernel BUG is sometimes observed when using fscache:

Jun 25 11:32:08  kernel: [4740718.880898] FS-Cache:
    Jun 25 11:32:08  kernel: [4740718.880920] FS-Cache: Assertion failed
    Jun 25 11:32:08  kernel: [4740718.880934] FS-Cache: 0 > 0 is false
    Jun 25 11:32:08  kernel: [4740718.881001] ------------[ cut here ]------------
    Jun 25 11:32:08  kernel: [4740718.881017] kernel BUG at /usr/src/linux-4.4.0/fs/fscache/operation.c:449!
    Jun 25 11:32:08  kernel: [4740718.881040] invalid opcode: 0000 [#1] SMP
    ...
    Jun 25 11:32:08  kernel: [4740718.892659] Call Trace:
    Jun 25 11:32:08  kernel: [4740718.893506]  [<ffffffffc1464cf9>] cachefiles_read_copier+0x3a9/0x410 [cachefiles]
    Jun 25 11:32:08  kernel: [4740718.894374]  [<ffffffffc037e272>] fscache_op_work_func+0x22/0x50 [fscache]
    Jun 25 11:32:08  kernel: [4740718.895180]  [<ffffffff81096da0>] process_one_work+0x150/0x3f0
    Jun 25 11:32:08  kernel: [4740718.895966]  [<ffffffff8109751a>] worker_thread+0x11a/0x470
    Jun 25 11:32:08  kernel: [4740718.896753]  [<ffffffff81808e59>] ? __schedule+0x359/0x980
    Jun 25 11:32:08  kernel: [4740718.897783]  [<ffffffff81097400>] ? rescuer_thread+0x310/0x310
    Jun 25 11:32:08  kernel: [4740718.898581]  [<ffffffff8109cdd6>] kthread+0xd6/0xf0
    Jun 25 11:32:08  kernel: [4740718.899469]  [<ffffffff8109cd00>] ? kthread_park+0x60/0x60
    Jun 25 11:32:08  kernel: [4740718.900477]  [<ffffffff8180d0cf>] ret_from_fork+0x3f/0x70
    Jun 25 11:32:08  kernel: [4740718.901514]  [<ffffffff8109cd00>] ? kthread_park+0x60/0x60
    
[Problem]

In include/fscache-cache.h, fscache_retrieval_complete reads, in part:

atomic_sub(n_pages, &op->n_pages);
            if (atomic_read(&op->n_pages) <= 0)
                    fscache_op_complete(&op->op, true);
    
The code is using atomic_sub followed by an atomic_read. This causes two threads doing a decrement of pages to race with each other seeing the op->refcount <= 0 at same time,
and end up calling fscache_op_complete in both the threads leading to the OOPS.
    
[Fix]
The fix is trivial to use atomic_sub_return instead of two calls.

[Testcase]
The user has tested the patch successfully on their fscache/cachefiles setup.

[Regression Potential]
Limited to fscache. Small, comprehensible change.

Ubuntulinux package

Comment 0 for bug 1797314

Ubuntu
linux package