From: Dave Wysochanski
To: dhowells@redhat.com, kiran.modukuri@gmail.com, carmark.dlut@gmail.com
Cc: linux-nfs@vger.kernel.org
Subject: [PATCH 1/1] cachefiles: Fix race between read_waiter and read_copier involving op->to_do
Date: Thu, 7 May 2020 08:50:22 -0400
Message-Id: <1588855822-5532-2-git-send-email-dwysocha@redhat.com>
In-Reply-To: <1588855822-5532-1-git-send-email-dwysocha@redhat.com>
References: <1588855822-5532-1-git-send-email-dwysocha@redhat.com>
X-Mailing-List: linux-nfs@vger.kernel.org

From: Lei Xue

There is a potential race in fscache operation enqueuing for reading and
copying multiple pages from cachefiles to netfs. The problem can be seen
easily on a heavily loaded system (for example many processes reading
files continually on an NFS share covered by fscache triggered this
problem within a few minutes).

The race is due to cachefiles_read_waiter() adding the op to the monitor
to_do list and then dropping the object->work_lock spinlock before
completing fscache_enqueue_operation(). Once the lock is dropped,
cachefiles_read_copier() grabs the op, completes processing it, and
makes it through fscache_retrieval_complete() which sets the op->state to
the final state of FSCACHE_OP_ST_COMPLETE(4). When cachefiles_read_waiter()
finally gets through the remainder of fscache_enqueue_operation()
it sees the invalid state, and hits the ASSERTCMP and the following
oops is seen:

[ 2259.612361] FS-Cache:
[ 2259.614785] FS-Cache: Assertion failed
[ 2259.618639] FS-Cache: 4 == 5 is false
[ 2259.622456] ------------[ cut here ]------------
[ 2259.627190] kernel BUG at fs/fscache/operation.c:70!
...
[ 2259.791675] RIP: 0010:[] [] fscache_enqueue_operation+0xff/0x170 [fscache]
[ 2259.802059] RSP: 0000:ffffa0263d543be0 EFLAGS: 00010046
[ 2259.807521] RAX: 0000000000000019 RBX: ffffa01a4d390480 RCX: 0000000000000006
[ 2259.814847] RDX: 0000000000000000 RSI: 0000000000000046 RDI: ffffa0263d553890
[ 2259.822176] RBP: ffffa0263d543be8 R08: 0000000000000000 R09: ffffa0263c2d8708
[ 2259.829502] R10: 0000000000001e7f R11: 0000000000000000 R12: ffffa01a4d390480
[ 2259.844483] R13: ffff9fa9546c5920 R14: ffffa0263d543c80 R15: ffffa0293ff9bf10
[ 2259.859554] FS: 00007f4b6efbd700(0000) GS:ffffa0263d540000(0000) knlGS:0000000000000000
[ 2259.875571] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2259.889117] CR2: 00007f49e1624ff0 CR3: 0000012b38b38000 CR4: 00000000007607e0
[ 2259.904015] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2259.918764] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2259.933449] PKRU: 55555554
[ 2259.943654] Call Trace:
[ 2259.953592]
[ 2259.955577] [] cachefiles_read_waiter+0x92/0xf0 [cachefiles]
[ 2259.978039] [] __wake_up_common+0x82/0x120
[ 2259.991392] [] __wake_up_common_lock+0x83/0xc0
[ 2260.004930] [] ? task_rq_unlock+0x20/0x20
[ 2260.017863] [] __wake_up+0x13/0x20
[ 2260.030230] [] __wake_up_bit+0x50/0x70
[ 2260.042535] [] unlock_page+0x2b/0x30
[ 2260.054495] [] page_endio+0x29/0x90
[ 2260.066184] [] mpage_end_io+0x51/0x80

CPU1
cachefiles_read_waiter()
 20 static int cachefiles_read_waiter(wait_queue_entry_t *wait, unsigned mode,
 21                                   int sync, void *_key)
 22 {
...
 61         spin_lock(&object->work_lock);
 62         list_add_tail(&monitor->op_link, &op->to_do);
 63         spin_unlock(&object->work_lock);
 64
 65         fscache_enqueue_retrieval(op);

182 static inline void fscache_enqueue_retrieval(struct fscache_retrieval *op)
183 {
184         fscache_enqueue_operation(&op->op);
185 }

 58 void fscache_enqueue_operation(struct fscache_operation *op)
 59 {
 60         struct fscache_cookie *cookie = op->object->cookie;
 61
 62         _enter("{OBJ%x OP%x,%u}",
 63                op->object->debug_id, op->debug_id, atomic_read(&op->usage));
 64
 65         ASSERT(list_empty(&op->pend_link));
 66         ASSERT(op->processor != NULL);
 67         ASSERT(fscache_object_is_available(op->object));
 68         ASSERTCMP(atomic_read(&op->usage), >, 0);

CPU2
cachefiles_read_copier()
168         while (!list_empty(&op->to_do)) {
...
202                 fscache_end_io(op, monitor->netfs_page, error);
203                 put_page(monitor->netfs_page);
204                 fscache_retrieval_complete(op, 1);

CPU1
 58 void fscache_enqueue_operation(struct fscache_operation *op)
 59 {
...
 69         ASSERTIFCMP(op->state != FSCACHE_OP_ST_IN_PROGRESS,
 70                     op->state, ==, FSCACHE_OP_ST_CANCELLED);

Signed-off-by: Lei Xue
Signed-off-by: Dave Wysochanski
--- fs/cachefiles/rdwr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/cachefiles/rdwr.c b/fs/cachefiles/rdwr.c index d3d78176b23c..e7726f5f1241 100644 --- a/fs/cachefiles/rdwr.c +++ b/fs/cachefiles/rdwr.c @@ -60,9 +60,9 @@ static int cachefiles_read_waiter(wait_queue_entry_t *wait, unsigned mode, object = container_of(op->op.object, struct cachefiles_object, fscache); spin_lock(&object->work_lock); list_add_tail(&monitor->op_link, &op->to_do); + fscache_enqueue_retrieval(op); spin_unlock(&object->work_lock); - fscache_enqueue_retrieval(op); fscache_put_retrieval(op); return 0; } -- 1.8.3.1
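
Review bot: the moved fscache_enqueue_retrieval(op) call in cachefiles_read_waiter() now sits inside the object->work_lock critical section with no comment saying why the ordering matters. Please add a one-line comment above it stating that the op must be enqueued before work_lock is dropped, because cachefiles_read_copier() can otherwise complete the op first and trip the op->state assertion in fscache_enqueue_operation(); without that, a later cleanup could move the call back outside the lock. Because the enqueue now runs with a spinlock held, and the trace shows cachefiles_read_waiter() being reached from __wake_up_common(), the changelog should also confirm that fscache_enqueue_operation() does not sleep and takes no lock that nests badly under work_lock. The message has no Fixes: tag or stable Cc, which would help backporters given that the failure is a kernel BUG.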