<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs/fscache, branch linux-3.10.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>FS-Cache: fix dereference of NULL user_key_payload</title>
<updated>2017-11-02T06:16:17+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@google.com</email>
</author>
<published>2017-10-09T19:40:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ba850927667f326ec400f3bb4e268a101639de1a'/>
<id>ba850927667f326ec400f3bb4e268a101639de1a</id>
<content type='text'>
commit d124b2c53c7bee6569d2a2d0b18b4a1afde00134 upstream.

When the file /proc/fs/fscache/objects (available with
CONFIG_FSCACHE_OBJECT_LIST=y) is opened, we request a user key with
description "fscache:objlist", then access its payload.  However, a
revoked key has a NULL payload, and we failed to check for this.
request_key() *does* skip revoked keys, but there is still a window
where the key can be revoked before we access its payload.

Fix it by checking for a NULL payload, treating it like a key which was
already revoked at the time it was requested.

Fixes: 4fbf4291aa15 ("FS-Cache: Allow the current state of all objects to be dumped")
Reviewed-by: James Morris &lt;james.l.morris@oracle.com&gt;
Cc: &lt;stable@vger.kernel.org&gt;    [v2.6.32+]
Signed-off-by: Eric Biggers &lt;ebiggers@google.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit d124b2c53c7bee6569d2a2d0b18b4a1afde00134 upstream.

When the file /proc/fs/fscache/objects (available with
CONFIG_FSCACHE_OBJECT_LIST=y) is opened, we request a user key with
description "fscache:objlist", then access its payload.  However, a
revoked key has a NULL payload, and we failed to check for this.
request_key() *does* skip revoked keys, but there is still a window
where the key can be revoked before we access its payload.

Fix it by checking for a NULL payload, treating it like a key which was
already revoked at the time it was requested.

Fixes: 4fbf4291aa15 ("FS-Cache: Allow the current state of all objects to be dumped")
Reviewed-by: James Morris &lt;james.l.morris@oracle.com&gt;
Cc: &lt;stable@vger.kernel.org&gt;    [v2.6.32+]
Signed-off-by: Eric Biggers &lt;ebiggers@google.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>FS-Cache: Increase reference of parent after registering, netfs success</title>
<updated>2016-02-19T22:22:41+00:00</updated>
<author>
<name>Kinglong Mee</name>
<email>kinglongmee@gmail.com</email>
</author>
<published>2015-11-04T15:20:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=669e0b00cba824568ebe800ee34c14254b917654'/>
<id>669e0b00cba824568ebe800ee34c14254b917654</id>
<content type='text'>
commit 86108c2e34a26e4bec3c6ddb23390bf8cedcf391 upstream.

If netfs exist, fscache should not increase the reference of parent's
usage and n_children, otherwise, never be decreased.

v2: thanks David's suggest,
 move increasing reference of parent if success
 use kmem_cache_free() freeing primary_index directly

v3: don't move "netfs-&gt;primary_index-&gt;parent = &amp;fscache_fsdef_index;"

Signed-off-by: Kinglong Mee &lt;kinglongmee@gmail.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 86108c2e34a26e4bec3c6ddb23390bf8cedcf391 upstream.

If netfs exist, fscache should not increase the reference of parent's
usage and n_children, otherwise, never be decreased.

v2: thanks David's suggest,
 move increasing reference of parent if success
 use kmem_cache_free() freeing primary_index directly

v3: don't move "netfs-&gt;primary_index-&gt;parent = &amp;fscache_fsdef_index;"

Signed-off-by: Kinglong Mee &lt;kinglongmee@gmail.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>fs/fscache/stats.c: fix memory leak</title>
<updated>2013-04-29T22:54:27+00:00</updated>
<author>
<name>Anurup m</name>
<email>anurup.m@huawei.com</email>
</author>
<published>2013-04-29T22:05:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ec686c9239b4d472052a271c505d04dae84214cc'/>
<id>ec686c9239b4d472052a271c505d04dae84214cc</id>
<content type='text'>
There is a kernel memory leak observed when the proc file
/proc/fs/fscache/stats is read.

The reason is that in fscache_stats_open, single_open is called and the
respective release function is not called during release.  Hence fix
with correct release function - single_release().

Addresses https://bugzilla.kernel.org/show_bug.cgi?id=57101

Signed-off-by: Anurup m &lt;anurup.m@huawei.com&gt;
Cc: shyju pv &lt;shyju.pv@huawei.com&gt;
Cc: Sanil kumar &lt;sanil.kumar@huawei.com&gt;
Cc: Nataraj m &lt;nataraj.m@huawei.com&gt;
Cc: Li Zefan &lt;lizefan@huawei.com&gt;
Cc: David Howells &lt;dhowells@redhat.com&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
There is a kernel memory leak observed when the proc file
/proc/fs/fscache/stats is read.

The reason is that in fscache_stats_open, single_open is called and the
respective release function is not called during release.  Hence fix
with correct release function - single_release().

Addresses https://bugzilla.kernel.org/show_bug.cgi?id=57101

Signed-off-by: Anurup m &lt;anurup.m@huawei.com&gt;
Cc: shyju pv &lt;shyju.pv@huawei.com&gt;
Cc: Sanil kumar &lt;sanil.kumar@huawei.com&gt;
Cc: Nataraj m &lt;nataraj.m@huawei.com&gt;
Cc: Li Zefan &lt;lizefan@huawei.com&gt;
Cc: David Howells &lt;dhowells@redhat.com&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>hlist: drop the node parameter from iterators</title>
<updated>2013-02-28T03:10:24+00:00</updated>
<author>
<name>Sasha Levin</name>
<email>sasha.levin@oracle.com</email>
</author>
<published>2013-02-28T01:06:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b67bfe0d42cac56c512dd5da4b1b347a23f4b70a'/>
<id>b67bfe0d42cac56c512dd5da4b1b347a23f4b70a</id>
<content type='text'>
I'm not sure why, but the hlist for each entry iterators were conceived

        list_for_each_entry(pos, head, member)

The hlist ones were greedy and wanted an extra parameter:

        hlist_for_each_entry(tpos, pos, head, member)

Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.

Besides the semantic patch, there was some manual work required:

 - Fix up the actual hlist iterators in linux/list.h
 - Fix up the declaration of other iterators based on the hlist ones.
 - A very small amount of places were using the 'node' parameter, this
 was modified to use 'obj-&gt;member' instead.
 - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
 properly, so those had to be fixed up manually.

The semantic patch which is mostly the work of Peter Senna Tschudin is here:

@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;

type T;
expression a,c,d,e;
identifier b;
statement S;
@@

-T b;
    &lt;+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
    ...+&gt;

[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin &lt;peter.senna@gmail.com&gt;
Acked-by: Paul E. McKenney &lt;paulmck@linux.vnet.ibm.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
Cc: Wu Fengguang &lt;fengguang.wu@intel.com&gt;
Cc: Marcelo Tosatti &lt;mtosatti@redhat.com&gt;
Cc: Gleb Natapov &lt;gleb@redhat.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
I'm not sure why, but the hlist for each entry iterators were conceived

        list_for_each_entry(pos, head, member)

The hlist ones were greedy and wanted an extra parameter:

        hlist_for_each_entry(tpos, pos, head, member)

Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.

Besides the semantic patch, there was some manual work required:

 - Fix up the actual hlist iterators in linux/list.h
 - Fix up the declaration of other iterators based on the hlist ones.
 - A very small amount of places were using the 'node' parameter, this
 was modified to use 'obj-&gt;member' instead.
 - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
 properly, so those had to be fixed up manually.

The semantic patch which is mostly the work of Peter Senna Tschudin is here:

@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;

type T;
expression a,c,d,e;
identifier b;
statement S;
@@

-T b;
    &lt;+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
    ...+&gt;

[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin &lt;peter.senna@gmail.com&gt;
Acked-by: Paul E. McKenney &lt;paulmck@linux.vnet.ibm.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
Cc: Wu Fengguang &lt;fengguang.wu@intel.com&gt;
Cc: Marcelo Tosatti &lt;mtosatti@redhat.com&gt;
Cc: Gleb Natapov &lt;gleb@redhat.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>FS-Cache: Clear remaining page count on retrieval cancellation</title>
<updated>2012-12-20T22:35:15+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2012-12-14T11:02:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=91c7fbbf63f33c77d8d28de624834a21888842bb'/>
<id>91c7fbbf63f33c77d8d28de624834a21888842bb</id>
<content type='text'>
Provide fscache_cancel_op() with a pointer to a function it should invoke under
lock if it cancels an operation.

Use this to clear the remaining page count upon cancellation of a pending
retrieval operation so that fscache_release_retrieval_op() doesn't get an
assertion failure (see below).  This can happen when a signal occurs, say from
CTRL-C being pressed during data retrieval.

FS-Cache: Assertion failed
3 == 0 is false
------------[ cut here ]------------
kernel BUG at fs/fscache/page.c:237!
invalid opcode: 0000 [#641] SMP
Modules linked in: cachefiles(F) nfsv4(F) nfsv3(F) nfsv2(F) nfs(F) fscache(F) auth_rpcgss(F) nfs_acl(F) lockd(F) sunrpc(F)
CPU 0
Pid: 6075, comm: slurp-q Tainted: GF     D      3.7.0-rc8-fsdevel+ #411                  /DG965RY
RIP: 0010:[&lt;ffffffffa007f328&gt;]  [&lt;ffffffffa007f328&gt;] fscache_release_retrieval_op+0x75/0xff [fscache]
RSP: 0000:ffff88001c6d7988  EFLAGS: 00010296
RAX: 000000000000000f RBX: ffff880014cdfe00 RCX: ffffffff6c102000
RDX: ffffffff8102d1ad RSI: ffffffff6c102000 RDI: ffffffff8102d1d6
RBP: ffff88001c6d7998 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffe00
R13: ffff88001c6d7ab4 R14: ffff88001a8638a0 R15: ffff88001552b190
FS:  00007f877aaf0700(0000) GS:ffff88003bc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007fff11378fd2 CR3: 000000001c6c6000 CR4: 00000000000007f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process slurp-q (pid: 6075, threadinfo ffff88001c6d6000, task ffff88001c6c4080)
Stack:
 ffffffffa007ec07 ffff880014cdfe00 ffff88001c6d79c8 ffffffffa007db4d
 ffffffffa007ec07 ffff880014cdfe00 00000000fffffe00 ffff88001c6d7ab4
 ffff88001c6d7a38 ffffffffa008116d 0000000000000000 ffff88001c6c4080
Call Trace:
 [&lt;ffffffffa007ec07&gt;] ? fscache_cancel_op+0x194/0x1cf [fscache]
 [&lt;ffffffffa007db4d&gt;] fscache_put_operation+0x135/0x2ed [fscache]
 [&lt;ffffffffa007ec07&gt;] ? fscache_cancel_op+0x194/0x1cf [fscache]
 [&lt;ffffffffa008116d&gt;] __fscache_read_or_alloc_pages+0x413/0x4bc [fscache]
 [&lt;ffffffff810ac8ae&gt;] ? __alloc_pages_nodemask+0x195/0x75c
 [&lt;ffffffffa00aab0f&gt;] __nfs_readpages_from_fscache+0x86/0x13d [nfs]
 [&lt;ffffffffa00a5fe0&gt;] nfs_readpages+0x186/0x1bd [nfs]
 [&lt;ffffffff810d23c8&gt;] ? alloc_pages_current+0xc7/0xe4
 [&lt;ffffffff810a68b5&gt;] ? __page_cache_alloc+0x84/0x91
 [&lt;ffffffff810af912&gt;] ? __do_page_cache_readahead+0xa6/0x2e0
 [&lt;ffffffff810afaa3&gt;] __do_page_cache_readahead+0x237/0x2e0
 [&lt;ffffffff810af912&gt;] ? __do_page_cache_readahead+0xa6/0x2e0
 [&lt;ffffffff810afe3e&gt;] ra_submit+0x1c/0x20
 [&lt;ffffffff810b019b&gt;] ondemand_readahead+0x359/0x382
 [&lt;ffffffff810b0279&gt;] page_cache_sync_readahead+0x38/0x3a
 [&lt;ffffffff810a77b5&gt;] generic_file_aio_read+0x26b/0x637
 [&lt;ffffffffa00f1852&gt;] ? nfs_mark_delegation_referenced+0xb/0xb [nfsv4]
 [&lt;ffffffffa009cc85&gt;] nfs_file_read+0xaa/0xcf [nfs]
 [&lt;ffffffff810db5b3&gt;] do_sync_read+0x91/0xd1
 [&lt;ffffffff810dbb8b&gt;] vfs_read+0x9b/0x144
 [&lt;ffffffff810dbc78&gt;] sys_read+0x44/0x75
 [&lt;ffffffff81422892&gt;] system_call_fastpath+0x16/0x1b

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Provide fscache_cancel_op() with a pointer to a function it should invoke under
lock if it cancels an operation.

Use this to clear the remaining page count upon cancellation of a pending
retrieval operation so that fscache_release_retrieval_op() doesn't get an
assertion failure (see below).  This can happen when a signal occurs, say from
CTRL-C being pressed during data retrieval.

FS-Cache: Assertion failed
3 == 0 is false
------------[ cut here ]------------
kernel BUG at fs/fscache/page.c:237!
invalid opcode: 0000 [#641] SMP
Modules linked in: cachefiles(F) nfsv4(F) nfsv3(F) nfsv2(F) nfs(F) fscache(F) auth_rpcgss(F) nfs_acl(F) lockd(F) sunrpc(F)
CPU 0
Pid: 6075, comm: slurp-q Tainted: GF     D      3.7.0-rc8-fsdevel+ #411                  /DG965RY
RIP: 0010:[&lt;ffffffffa007f328&gt;]  [&lt;ffffffffa007f328&gt;] fscache_release_retrieval_op+0x75/0xff [fscache]
RSP: 0000:ffff88001c6d7988  EFLAGS: 00010296
RAX: 000000000000000f RBX: ffff880014cdfe00 RCX: ffffffff6c102000
RDX: ffffffff8102d1ad RSI: ffffffff6c102000 RDI: ffffffff8102d1d6
RBP: ffff88001c6d7998 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffe00
R13: ffff88001c6d7ab4 R14: ffff88001a8638a0 R15: ffff88001552b190
FS:  00007f877aaf0700(0000) GS:ffff88003bc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007fff11378fd2 CR3: 000000001c6c6000 CR4: 00000000000007f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process slurp-q (pid: 6075, threadinfo ffff88001c6d6000, task ffff88001c6c4080)
Stack:
 ffffffffa007ec07 ffff880014cdfe00 ffff88001c6d79c8 ffffffffa007db4d
 ffffffffa007ec07 ffff880014cdfe00 00000000fffffe00 ffff88001c6d7ab4
 ffff88001c6d7a38 ffffffffa008116d 0000000000000000 ffff88001c6c4080
Call Trace:
 [&lt;ffffffffa007ec07&gt;] ? fscache_cancel_op+0x194/0x1cf [fscache]
 [&lt;ffffffffa007db4d&gt;] fscache_put_operation+0x135/0x2ed [fscache]
 [&lt;ffffffffa007ec07&gt;] ? fscache_cancel_op+0x194/0x1cf [fscache]
 [&lt;ffffffffa008116d&gt;] __fscache_read_or_alloc_pages+0x413/0x4bc [fscache]
 [&lt;ffffffff810ac8ae&gt;] ? __alloc_pages_nodemask+0x195/0x75c
 [&lt;ffffffffa00aab0f&gt;] __nfs_readpages_from_fscache+0x86/0x13d [nfs]
 [&lt;ffffffffa00a5fe0&gt;] nfs_readpages+0x186/0x1bd [nfs]
 [&lt;ffffffff810d23c8&gt;] ? alloc_pages_current+0xc7/0xe4
 [&lt;ffffffff810a68b5&gt;] ? __page_cache_alloc+0x84/0x91
 [&lt;ffffffff810af912&gt;] ? __do_page_cache_readahead+0xa6/0x2e0
 [&lt;ffffffff810afaa3&gt;] __do_page_cache_readahead+0x237/0x2e0
 [&lt;ffffffff810af912&gt;] ? __do_page_cache_readahead+0xa6/0x2e0
 [&lt;ffffffff810afe3e&gt;] ra_submit+0x1c/0x20
 [&lt;ffffffff810b019b&gt;] ondemand_readahead+0x359/0x382
 [&lt;ffffffff810b0279&gt;] page_cache_sync_readahead+0x38/0x3a
 [&lt;ffffffff810a77b5&gt;] generic_file_aio_read+0x26b/0x637
 [&lt;ffffffffa00f1852&gt;] ? nfs_mark_delegation_referenced+0xb/0xb [nfsv4]
 [&lt;ffffffffa009cc85&gt;] nfs_file_read+0xaa/0xcf [nfs]
 [&lt;ffffffff810db5b3&gt;] do_sync_read+0x91/0xd1
 [&lt;ffffffff810dbb8b&gt;] vfs_read+0x9b/0x144
 [&lt;ffffffff810dbc78&gt;] sys_read+0x44/0x75
 [&lt;ffffffff81422892&gt;] system_call_fastpath+0x16/0x1b

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>FS-Cache: Mark cancellation of in-progress operation</title>
<updated>2012-12-20T22:34:00+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2012-12-13T20:03:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1f372dff1da37e2b36ae9085368fa46896398598'/>
<id>1f372dff1da37e2b36ae9085368fa46896398598</id>
<content type='text'>
Mark as cancelled an operation that is in progress rather than pending at the
time it is cancelled, and call fscache_complete_op() to cancel an operation so
that blocked ops can be started.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Mark as cancelled an operation that is in progress rather than pending at the
time it is cancelled, and call fscache_complete_op() to cancel an operation so
that blocked ops can be started.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>FS-Cache: One of the write operation paths doesn't set the object state</title>
<updated>2012-12-20T22:20:40+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2012-12-07T10:41:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7ef001e937e8b9cbedb2fc1c31dd681ac3b31927'/>
<id>7ef001e937e8b9cbedb2fc1c31dd681ac3b31927</id>
<content type='text'>
In fscache_write_op(), if the object is determined to have become inactive or
to have lost its cookie, we don't move the operation state from in-progress,
and so an assertion in fscache_put_operation() fails with an assertion (see
below).

Instrumenting fscache_op_work_func() indicates that it called
fscache_write_op() before calling fscache_put_operation() - where the assertion
failed.  The assertion at line 433 indicates that the operation state is
IN_PROGRESS rather than being COMPLETE or CANCELLED.

Instrumenting fscache_write_op() showed that it was being called on an object
that had had its cookie removed and that this was due to relinquishment of the
cookie by the netfs.  At this point fscache no longer has access to the pages
of netfs data that were requested to be written, and so simply cancelling the
operation is the thing to do.

FS-Cache: Assertion failed
3 == 5 is false
------------[ cut here ]------------
kernel BUG at fs/fscache/operation.c:433!
invalid opcode: 0000 [#1] SMP
Modules linked in: cachefiles(F) nfsv4(F) nfsv3(F) nfsv2(F) nfs(F) fscache(F) auth_rpcgss(F) nfs_acl(F) lockd(F) sunrpc(F)
CPU 0
Pid: 1035, comm: kworker/u:3 Tainted: GF            3.7.0-rc8-fsdevel+ #411                  /DG965RY
RIP: 0010:[&lt;ffffffffa007db22&gt;]  [&lt;ffffffffa007db22&gt;] fscache_put_operation+0x11a/0x2ed [fscache]
RSP: 0018:ffff88003e32bcf8  EFLAGS: 00010296
RAX: 000000000000000f RBX: ffff88001818eb78 RCX: ffffffff6c102000
RDX: ffffffff8102d1ad RSI: ffffffff6c102000 RDI: ffffffff8102d1d6
RBP: ffff88003e32bd18 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa00811da
R13: 0000000000000001 R14: 0000000100625d26 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88003bc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007fff7dd31c68 CR3: 000000003d730000 CR4: 00000000000007f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process kworker/u:3 (pid: 1035, threadinfo ffff88003e32a000, task ffff88003bb38080)
Stack:
 ffffffff8102d1ad ffff88001818eb78 ffffffffa00811da 0000000000000001
 ffff88003e32bd48 ffffffffa007f0ad ffff88001818eb78 ffffffff819583c0
 ffff88003df24e00 ffff88003882c3e0 ffff88003e32bde8 ffffffff81042de0
Call Trace:
 [&lt;ffffffff8102d1ad&gt;] ? vprintk_emit+0x3c6/0x41a
 [&lt;ffffffffa00811da&gt;] ? __fscache_read_or_alloc_pages+0x4bc/0x4bc [fscache]
 [&lt;ffffffffa007f0ad&gt;] fscache_op_work_func+0xec/0x123 [fscache]
 [&lt;ffffffff81042de0&gt;] process_one_work+0x21c/0x3b0
 [&lt;ffffffff81042d82&gt;] ? process_one_work+0x1be/0x3b0
 [&lt;ffffffffa007efc1&gt;] ? fscache_operation_gc+0x23e/0x23e [fscache]
 [&lt;ffffffff8104332e&gt;] worker_thread+0x202/0x2df
 [&lt;ffffffff8104312c&gt;] ? rescuer_thread+0x18e/0x18e
 [&lt;ffffffff81047c1c&gt;] kthread+0xd0/0xd8
 [&lt;ffffffff81421bfa&gt;] ? _raw_spin_unlock_irq+0x29/0x3e
 [&lt;ffffffff81047b4c&gt;] ? __init_kthread_worker+0x55/0x55
 [&lt;ffffffff814227ec&gt;] ret_from_fork+0x7c/0xb0
 [&lt;ffffffff81047b4c&gt;] ? __init_kthread_worker+0x55/0x55

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In fscache_write_op(), if the object is determined to have become inactive or
to have lost its cookie, we don't move the operation state from in-progress,
and so an assertion in fscache_put_operation() fails with an assertion (see
below).

Instrumenting fscache_op_work_func() indicates that it called
fscache_write_op() before calling fscache_put_operation() - where the assertion
failed.  The assertion at line 433 indicates that the operation state is
IN_PROGRESS rather than being COMPLETE or CANCELLED.

Instrumenting fscache_write_op() showed that it was being called on an object
that had had its cookie removed and that this was due to relinquishment of the
cookie by the netfs.  At this point fscache no longer has access to the pages
of netfs data that were requested to be written, and so simply cancelling the
operation is the thing to do.

FS-Cache: Assertion failed
3 == 5 is false
------------[ cut here ]------------
kernel BUG at fs/fscache/operation.c:433!
invalid opcode: 0000 [#1] SMP
Modules linked in: cachefiles(F) nfsv4(F) nfsv3(F) nfsv2(F) nfs(F) fscache(F) auth_rpcgss(F) nfs_acl(F) lockd(F) sunrpc(F)
CPU 0
Pid: 1035, comm: kworker/u:3 Tainted: GF            3.7.0-rc8-fsdevel+ #411                  /DG965RY
RIP: 0010:[&lt;ffffffffa007db22&gt;]  [&lt;ffffffffa007db22&gt;] fscache_put_operation+0x11a/0x2ed [fscache]
RSP: 0018:ffff88003e32bcf8  EFLAGS: 00010296
RAX: 000000000000000f RBX: ffff88001818eb78 RCX: ffffffff6c102000
RDX: ffffffff8102d1ad RSI: ffffffff6c102000 RDI: ffffffff8102d1d6
RBP: ffff88003e32bd18 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa00811da
R13: 0000000000000001 R14: 0000000100625d26 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88003bc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007fff7dd31c68 CR3: 000000003d730000 CR4: 00000000000007f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process kworker/u:3 (pid: 1035, threadinfo ffff88003e32a000, task ffff88003bb38080)
Stack:
 ffffffff8102d1ad ffff88001818eb78 ffffffffa00811da 0000000000000001
 ffff88003e32bd48 ffffffffa007f0ad ffff88001818eb78 ffffffff819583c0
 ffff88003df24e00 ffff88003882c3e0 ffff88003e32bde8 ffffffff81042de0
Call Trace:
 [&lt;ffffffff8102d1ad&gt;] ? vprintk_emit+0x3c6/0x41a
 [&lt;ffffffffa00811da&gt;] ? __fscache_read_or_alloc_pages+0x4bc/0x4bc [fscache]
 [&lt;ffffffffa007f0ad&gt;] fscache_op_work_func+0xec/0x123 [fscache]
 [&lt;ffffffff81042de0&gt;] process_one_work+0x21c/0x3b0
 [&lt;ffffffff81042d82&gt;] ? process_one_work+0x1be/0x3b0
 [&lt;ffffffffa007efc1&gt;] ? fscache_operation_gc+0x23e/0x23e [fscache]
 [&lt;ffffffff8104332e&gt;] worker_thread+0x202/0x2df
 [&lt;ffffffff8104312c&gt;] ? rescuer_thread+0x18e/0x18e
 [&lt;ffffffff81047c1c&gt;] kthread+0xd0/0xd8
 [&lt;ffffffff81421bfa&gt;] ? _raw_spin_unlock_irq+0x29/0x3e
 [&lt;ffffffff81047b4c&gt;] ? __init_kthread_worker+0x55/0x55
 [&lt;ffffffff814227ec&gt;] ret_from_fork+0x7c/0xb0
 [&lt;ffffffff81047b4c&gt;] ? __init_kthread_worker+0x55/0x55

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>FS-Cache: Fix signal handling during waits</title>
<updated>2012-12-20T22:20:23+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2012-12-07T18:08:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9c04caa81b876faee5f1cc6eaad76dd7021ab8ff'/>
<id>9c04caa81b876faee5f1cc6eaad76dd7021ab8ff</id>
<content type='text'>
wait_on_bit() with TASK_INTERRUPTIBLE returns 1 rather than a negative error
code, so change what we check for.  This means that the signal handling in
fscache_wait_for_retrieval_activation()  should now work properly.

Without this, the following bug can be seen if CTRL-C is pressed during
fscache read operation:

FS-Cache: Assertion failed
2 == 3 is false
------------[ cut here ]------------
kernel BUG at fs/fscache/page.c:347!
invalid opcode: 0000 [#1] SMP
Modules linked in: cachefiles(F) nfsv4(F) nfsv3(F) nfsv2(F) nfs(F) fscache(F) auth_rpcgss(F) nfs_acl(F) lockd(F) sunrpc(F)
CPU 1
Pid: 15006, comm: slurp-q Tainted: GF            3.7.0-rc8-fsdevel+ #411                  /DG965RY
RIP: 0010:[&lt;ffffffffa007fcb4&gt;]  [&lt;ffffffffa007fcb4&gt;] fscache_wait_for_retrieval_activation+0x167/0x177 [fscache]
RSP: 0018:ffff88002a4c39a8  EFLAGS: 00010292
RAX: 000000000000001a RBX: ffff88002d3dc158 RCX: 0000000000008685
RDX: ffffffff8102ccd6 RSI: 0000000000000001 RDI: ffffffff8102d1d6
RBP: ffff88002a4c39c8 R08: 0000000000000002 R09: 0000000000000000
R10: ffffffff8163afa0 R11: ffff88003bd11900 R12: ffffffffa00868c8
R13: ffff880028306458 R14: ffff88002d3dc1b0 R15: ffff88001372e538
FS:  00007f17426a0700(0000) GS:ffff88003bd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007f1742494a44 CR3: 0000000031bd7000 CR4: 00000000000007e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process slurp-q (pid: 15006, threadinfo ffff88002a4c2000, task ffff880023de3040)
Stack:
 ffff88002d3dc158 ffff88001372e538 ffff88002a4c3ab4 ffff8800283064e0
 ffff88002a4c3a38 ffffffffa0080f6d 0000000000000000 ffff880023de3040
 ffff88002a4c3ac8 ffffffff810ac8ae ffff880028306458 ffff88002a4c3bc8
Call Trace:
 [&lt;ffffffffa0080f6d&gt;] __fscache_read_or_alloc_pages+0x24f/0x4bc [fscache]
 [&lt;ffffffff810ac8ae&gt;] ? __alloc_pages_nodemask+0x195/0x75c
 [&lt;ffffffffa00aab0f&gt;] __nfs_readpages_from_fscache+0x86/0x13d [nfs]
 [&lt;ffffffffa00a5fe0&gt;] nfs_readpages+0x186/0x1bd [nfs]
 [&lt;ffffffff810d23c8&gt;] ? alloc_pages_current+0xc7/0xe4
 [&lt;ffffffff810a68b5&gt;] ? __page_cache_alloc+0x84/0x91
 [&lt;ffffffff810af912&gt;] ? __do_page_cache_readahead+0xa6/0x2e0
 [&lt;ffffffff810afaa3&gt;] __do_page_cache_readahead+0x237/0x2e0
 [&lt;ffffffff810af912&gt;] ? __do_page_cache_readahead+0xa6/0x2e0
 [&lt;ffffffff810afe3e&gt;] ra_submit+0x1c/0x20
 [&lt;ffffffff810b019b&gt;] ondemand_readahead+0x359/0x382
 [&lt;ffffffff810b0279&gt;] page_cache_sync_readahead+0x38/0x3a
 [&lt;ffffffff810a77b5&gt;] generic_file_aio_read+0x26b/0x637
 [&lt;ffffffffa00f1852&gt;] ? nfs_mark_delegation_referenced+0xb/0xb [nfsv4]
 [&lt;ffffffffa009cc85&gt;] nfs_file_read+0xaa/0xcf [nfs]
 [&lt;ffffffff810db5b3&gt;] do_sync_read+0x91/0xd1
 [&lt;ffffffff810dbb8b&gt;] vfs_read+0x9b/0x144
 [&lt;ffffffff810dbc78&gt;] sys_read+0x44/0x75
 [&lt;ffffffff81422892&gt;] system_call_fastpath+0x16/0x1b

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
wait_on_bit() with TASK_INTERRUPTIBLE returns 1 rather than a negative error
code, so change what we check for.  This means that the signal handling in
fscache_wait_for_retrieval_activation()  should now work properly.

Without this, the following bug can be seen if CTRL-C is pressed during
fscache read operation:

FS-Cache: Assertion failed
2 == 3 is false
------------[ cut here ]------------
kernel BUG at fs/fscache/page.c:347!
invalid opcode: 0000 [#1] SMP
Modules linked in: cachefiles(F) nfsv4(F) nfsv3(F) nfsv2(F) nfs(F) fscache(F) auth_rpcgss(F) nfs_acl(F) lockd(F) sunrpc(F)
CPU 1
Pid: 15006, comm: slurp-q Tainted: GF            3.7.0-rc8-fsdevel+ #411                  /DG965RY
RIP: 0010:[&lt;ffffffffa007fcb4&gt;]  [&lt;ffffffffa007fcb4&gt;] fscache_wait_for_retrieval_activation+0x167/0x177 [fscache]
RSP: 0018:ffff88002a4c39a8  EFLAGS: 00010292
RAX: 000000000000001a RBX: ffff88002d3dc158 RCX: 0000000000008685
RDX: ffffffff8102ccd6 RSI: 0000000000000001 RDI: ffffffff8102d1d6
RBP: ffff88002a4c39c8 R08: 0000000000000002 R09: 0000000000000000
R10: ffffffff8163afa0 R11: ffff88003bd11900 R12: ffffffffa00868c8
R13: ffff880028306458 R14: ffff88002d3dc1b0 R15: ffff88001372e538
FS:  00007f17426a0700(0000) GS:ffff88003bd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007f1742494a44 CR3: 0000000031bd7000 CR4: 00000000000007e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process slurp-q (pid: 15006, threadinfo ffff88002a4c2000, task ffff880023de3040)
Stack:
 ffff88002d3dc158 ffff88001372e538 ffff88002a4c3ab4 ffff8800283064e0
 ffff88002a4c3a38 ffffffffa0080f6d 0000000000000000 ffff880023de3040
 ffff88002a4c3ac8 ffffffff810ac8ae ffff880028306458 ffff88002a4c3bc8
Call Trace:
 [&lt;ffffffffa0080f6d&gt;] __fscache_read_or_alloc_pages+0x24f/0x4bc [fscache]
 [&lt;ffffffff810ac8ae&gt;] ? __alloc_pages_nodemask+0x195/0x75c
 [&lt;ffffffffa00aab0f&gt;] __nfs_readpages_from_fscache+0x86/0x13d [nfs]
 [&lt;ffffffffa00a5fe0&gt;] nfs_readpages+0x186/0x1bd [nfs]
 [&lt;ffffffff810d23c8&gt;] ? alloc_pages_current+0xc7/0xe4
 [&lt;ffffffff810a68b5&gt;] ? __page_cache_alloc+0x84/0x91
 [&lt;ffffffff810af912&gt;] ? __do_page_cache_readahead+0xa6/0x2e0
 [&lt;ffffffff810afaa3&gt;] __do_page_cache_readahead+0x237/0x2e0
 [&lt;ffffffff810af912&gt;] ? __do_page_cache_readahead+0xa6/0x2e0
 [&lt;ffffffff810afe3e&gt;] ra_submit+0x1c/0x20
 [&lt;ffffffff810b019b&gt;] ondemand_readahead+0x359/0x382
 [&lt;ffffffff810b0279&gt;] page_cache_sync_readahead+0x38/0x3a
 [&lt;ffffffff810a77b5&gt;] generic_file_aio_read+0x26b/0x637
 [&lt;ffffffffa00f1852&gt;] ? nfs_mark_delegation_referenced+0xb/0xb [nfsv4]
 [&lt;ffffffffa009cc85&gt;] nfs_file_read+0xaa/0xcf [nfs]
 [&lt;ffffffff810db5b3&gt;] do_sync_read+0x91/0xd1
 [&lt;ffffffff810dbb8b&gt;] vfs_read+0x9b/0x144
 [&lt;ffffffff810dbc78&gt;] sys_read+0x44/0x75
 [&lt;ffffffff81422892&gt;] system_call_fastpath+0x16/0x1b

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>FS-Cache: Add transition to handle invalidate immediately after lookup </title>
<updated>2012-12-20T22:19:22+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2012-12-05T13:34:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=969695215f9a865cbf64c4ce3742ac9fc57fffed'/>
<id>969695215f9a865cbf64c4ce3742ac9fc57fffed</id>
<content type='text'>
Add a missing transition to the FS-Cache object state machine to handle an
invalidation event occuring between the back end completing the object lookup
by calling fscache_obtained_object() (which moves to state OBJECT_AVAILABLE)
and the backend returning to fscache_lookup_object() and thence to
fscache_object_state_machine() which then does a goto lookup_transit to handle
the transition - but lookup_transit doesn't handle EV_INVALIDATE.

Without this, the following BUG can be logged:

	FS-Cache: Unsupported event 2 [5/f7] in state OBJECT_AVAILABLE
	------------[ cut here ]------------
	kernel BUG at fs/fscache/object.c:357!

Where event 2 is EV_INVALIDATE.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add a missing transition to the FS-Cache object state machine to handle an
invalidation event occuring between the back end completing the object lookup
by calling fscache_obtained_object() (which moves to state OBJECT_AVAILABLE)
and the backend returning to fscache_lookup_object() and thence to
fscache_object_state_machine() which then does a goto lookup_transit to handle
the transition - but lookup_transit doesn't handle EV_INVALIDATE.

Without this, the following BUG can be logged:

	FS-Cache: Unsupported event 2 [5/f7] in state OBJECT_AVAILABLE
	------------[ cut here ]------------
	kernel BUG at fs/fscache/object.c:357!

Where event 2 is EV_INVALIDATE.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>NFS: nfs_migrate_page() does not wait for FS-Cache to finish with a page</title>
<updated>2012-12-20T22:12:03+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2012-12-05T13:34:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8c209ce721444a61b61d9e772746c721e4d8d1e8'/>
<id>8c209ce721444a61b61d9e772746c721e4d8d1e8</id>
<content type='text'>
nfs_migrate_page() does not wait for FS-Cache to finish with a page, probably
leading to the following bad-page-state:

 BUG: Bad page state in process python-bin  pfn:17d39b
 page:ffffea00053649e8 flags:004000000000100c count:0 mapcount:0 mapping:(null)
index:38686 (Tainted: G    B      ---------------- )
 Pid: 31053, comm: python-bin Tainted: G    B      ----------------
2.6.32-71.24.1.el6.x86_64 #1
 Call Trace:
 [&lt;ffffffff8111bfe7&gt;] bad_page+0x107/0x160
 [&lt;ffffffff8111ee69&gt;] free_hot_cold_page+0x1c9/0x220
 [&lt;ffffffff8111ef19&gt;] __pagevec_free+0x59/0xb0
 [&lt;ffffffff8104b988&gt;] ? flush_tlb_others_ipi+0x128/0x130
 [&lt;ffffffff8112230c&gt;] release_pages+0x21c/0x250
 [&lt;ffffffff8115b92a&gt;] ? remove_migration_pte+0x28a/0x2b0
 [&lt;ffffffff8115f3f8&gt;] ? mem_cgroup_get_reclaim_stat_from_page+0x18/0x70
 [&lt;ffffffff81122687&gt;] ____pagevec_lru_add+0x167/0x180
 [&lt;ffffffff811226f8&gt;] __lru_cache_add+0x58/0x70
 [&lt;ffffffff81122731&gt;] lru_cache_add_lru+0x21/0x40
 [&lt;ffffffff81123f49&gt;] putback_lru_page+0x69/0x100
 [&lt;ffffffff8115c0bd&gt;] migrate_pages+0x13d/0x5d0
 [&lt;ffffffff81122687&gt;] ? ____pagevec_lru_add+0x167/0x180
 [&lt;ffffffff81152ab0&gt;] ? compaction_alloc+0x0/0x370
 [&lt;ffffffff8115255c&gt;] compact_zone+0x4cc/0x600
 [&lt;ffffffff8111cfac&gt;] ? get_page_from_freelist+0x15c/0x820
 [&lt;ffffffff810672f4&gt;] ? check_preempt_wakeup+0x1c4/0x3c0
 [&lt;ffffffff8115290e&gt;] compact_zone_order+0x7e/0xb0
 [&lt;ffffffff81152a49&gt;] try_to_compact_pages+0x109/0x170
 [&lt;ffffffff8111e94d&gt;] __alloc_pages_nodemask+0x5ed/0x850
 [&lt;ffffffff814c9136&gt;] ? thread_return+0x4e/0x778
 [&lt;ffffffff81150d43&gt;] alloc_pages_vma+0x93/0x150
 [&lt;ffffffff81167ea5&gt;] do_huge_pmd_anonymous_page+0x135/0x340
 [&lt;ffffffff814cb6f6&gt;] ? rwsem_down_read_failed+0x26/0x30
 [&lt;ffffffff81136755&gt;] handle_mm_fault+0x245/0x2b0
 [&lt;ffffffff814ce383&gt;] do_page_fault+0x123/0x3a0
 [&lt;ffffffff814cbdf5&gt;] page_fault+0x25/0x30

nfs_migrate_page() calls nfs_fscache_release_page() which doesn't actually wait
- even if __GFP_WAIT is set.  The reason that doesn't wait is that
fscache_maybe_release_page() might deadlock the allocator as the work threads
writing to the cache may all end up sleeping on memory allocation.

However, I wonder if that is actually a problem.  There are a number of things
I can do to deal with this:

 (1) Make nfs_migrate_page() wait.

 (2) Make fscache_maybe_release_page() honour the __GFP_WAIT flag.

 (3) Set a timeout around the wait.

 (4) Make nfs_migrate_page() return an error if the page is still busy.

For the moment, I'll select (2) and (4).

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Acked-by: Jeff Layton &lt;jlayton@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
nfs_migrate_page() does not wait for FS-Cache to finish with a page, probably
leading to the following bad-page-state:

 BUG: Bad page state in process python-bin  pfn:17d39b
 page:ffffea00053649e8 flags:004000000000100c count:0 mapcount:0 mapping:(null)
index:38686 (Tainted: G    B      ---------------- )
 Pid: 31053, comm: python-bin Tainted: G    B      ----------------
2.6.32-71.24.1.el6.x86_64 #1
 Call Trace:
 [&lt;ffffffff8111bfe7&gt;] bad_page+0x107/0x160
 [&lt;ffffffff8111ee69&gt;] free_hot_cold_page+0x1c9/0x220
 [&lt;ffffffff8111ef19&gt;] __pagevec_free+0x59/0xb0
 [&lt;ffffffff8104b988&gt;] ? flush_tlb_others_ipi+0x128/0x130
 [&lt;ffffffff8112230c&gt;] release_pages+0x21c/0x250
 [&lt;ffffffff8115b92a&gt;] ? remove_migration_pte+0x28a/0x2b0
 [&lt;ffffffff8115f3f8&gt;] ? mem_cgroup_get_reclaim_stat_from_page+0x18/0x70
 [&lt;ffffffff81122687&gt;] ____pagevec_lru_add+0x167/0x180
 [&lt;ffffffff811226f8&gt;] __lru_cache_add+0x58/0x70
 [&lt;ffffffff81122731&gt;] lru_cache_add_lru+0x21/0x40
 [&lt;ffffffff81123f49&gt;] putback_lru_page+0x69/0x100
 [&lt;ffffffff8115c0bd&gt;] migrate_pages+0x13d/0x5d0
 [&lt;ffffffff81122687&gt;] ? ____pagevec_lru_add+0x167/0x180
 [&lt;ffffffff81152ab0&gt;] ? compaction_alloc+0x0/0x370
 [&lt;ffffffff8115255c&gt;] compact_zone+0x4cc/0x600
 [&lt;ffffffff8111cfac&gt;] ? get_page_from_freelist+0x15c/0x820
 [&lt;ffffffff810672f4&gt;] ? check_preempt_wakeup+0x1c4/0x3c0
 [&lt;ffffffff8115290e&gt;] compact_zone_order+0x7e/0xb0
 [&lt;ffffffff81152a49&gt;] try_to_compact_pages+0x109/0x170
 [&lt;ffffffff8111e94d&gt;] __alloc_pages_nodemask+0x5ed/0x850
 [&lt;ffffffff814c9136&gt;] ? thread_return+0x4e/0x778
 [&lt;ffffffff81150d43&gt;] alloc_pages_vma+0x93/0x150
 [&lt;ffffffff81167ea5&gt;] do_huge_pmd_anonymous_page+0x135/0x340
 [&lt;ffffffff814cb6f6&gt;] ? rwsem_down_read_failed+0x26/0x30
 [&lt;ffffffff81136755&gt;] handle_mm_fault+0x245/0x2b0
 [&lt;ffffffff814ce383&gt;] do_page_fault+0x123/0x3a0
 [&lt;ffffffff814cbdf5&gt;] page_fault+0x25/0x30

nfs_migrate_page() calls nfs_fscache_release_page() which doesn't actually wait
- even if __GFP_WAIT is set.  The reason that doesn't wait is that
fscache_maybe_release_page() might deadlock the allocator as the work threads
writing to the cache may all end up sleeping on memory allocation.

However, I wonder if that is actually a problem.  There are a number of things
I can do to deal with this:

 (1) Make nfs_migrate_page() wait.

 (2) Make fscache_maybe_release_page() honour the __GFP_WAIT flag.

 (3) Set a timeout around the wait.

 (4) Make nfs_migrate_page() return an error if the page is still busy.

For the moment, I'll select (2) and (4).

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Acked-by: Jeff Layton &lt;jlayton@redhat.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
