<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs/fscache, branch linux-3.12.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>FS-Cache: Don't override netfs's primary_index if registering failed</title>
<updated>2016-02-24T08:45:13+00:00</updated>
<author>
<name>Kinglong Mee</name>
<email>kinglongmee@gmail.com</email>
</author>
<published>2015-11-04T15:20:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=607d88c10b989cab05c64db592a3794e0363e7e5'/>
<id>607d88c10b989cab05c64db592a3794e0363e7e5</id>
<content type='text'>
commit b130ed5998e62879a66bad08931a2b5e832da95c upstream.

Only override netfs-&gt;primary_index when registering succeeds.

Signed-off-by: Kinglong Mee &lt;kinglongmee@gmail.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
</entry>
<entry>
<title>FS-Cache: Increase reference of parent after registering, netfs success</title>
<updated>2016-02-24T08:45:13+00:00</updated>
<author>
<name>Kinglong Mee</name>
<email>kinglongmee@gmail.com</email>
</author>
<published>2015-11-04T15:20:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=695c19b03c9362ceb191bbe15274ccaabeee6606'/>
<id>695c19b03c9362ceb191bbe15274ccaabeee6606</id>
<content type='text'>
commit 86108c2e34a26e4bec3c6ddb23390bf8cedcf391 upstream.

If netfs exists, fscache should not increase the reference of parent's
usage and n_children; otherwise, they are never decreased.

v2: thanks to David's suggestion,
 move increasing reference of parent if success
 use kmem_cache_free() freeing primary_index directly

v3: don't move "netfs-&gt;primary_index-&gt;parent = &amp;fscache_fsdef_index;"

Signed-off-by: Kinglong Mee &lt;kinglongmee@gmail.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
</entry>
<entry>
<title>FS-Cache: Handle removal of unadded object to the fscache_object_list rb tree</title>
<updated>2014-04-03T08:32:20+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2014-02-17T15:01:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c8a3d3bcd7dc2893790c38695a8ecd79c4fbad99'/>
<id>c8a3d3bcd7dc2893790c38695a8ecd79c4fbad99</id>
<content type='text'>
commit 7026f1929e18921fd67bf478f475a8fdfdff16ae upstream.

When FS-Cache allocates an object, the following sequence of events can
occur:

 --&gt;fscache_alloc_object()
    --&gt;cachefiles_alloc_object() [via cache-&gt;ops-&gt;alloc_object]
    &lt;--[returns new object]
    --&gt;fscache_attach_object()
    &lt;--[failed]
    --&gt;cachefiles_put_object() [via cache-&gt;ops-&gt;put_object]
       --&gt;fscache_object_destroy()
          --&gt;fscache_objlist_remove()
             --&gt;rb_erase() to remove the object from fscache_object_list.

resulting in a crash in the rbtree code.

The problem is that the object is only added to fscache_object_list on
the success path of fscache_attach_object() where it calls
fscache_objlist_add().

So if fscache_attach_object() fails, the object won't have been added to
the objlist rbtree.  We do, however, unconditionally try to remove the
object from the tree.

Thanks to NeilBrown for finding this and suggesting this solution.

Reported-by: NeilBrown &lt;neilb@suse.de&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Tested-by: (a customer of) NeilBrown &lt;neilb@suse.de&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
</entry>
<entry>
<title>Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client</title>
<updated>2013-09-19T17:50:37+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2013-09-19T17:50:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e9ff04dd94d46c817bbb103531cdef6e7bd5d022'/>
<id>e9ff04dd94d46c817bbb103531cdef6e7bd5d022</id>
<content type='text'>
Pull ceph fixes from Sage Weil:
 "These fix several bugs with RBD from 3.11 that didn't get tested in
  time for the merge window: some error handling, a use-after-free, and
  a sequencing issue when unmapping an image races with a notify
  operation.

  There is also a patch fixing a problem with the new ceph + fscache
  code that just went in"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
  fscache: check consistency does not decrement refcount
  rbd: fix error handling from rbd_snap_name()
  rbd: ignore unmapped snapshots that no longer exist
  rbd: fix use-after free of rbd_dev-&gt;disk
  rbd: make rbd_obj_notify_ack() synchronous
  rbd: complete notifies before cleaning up osd_client and rbd_dev
  libceph: add function to ensure notifies are complete
</content>
</entry>
<entry>
<title>lib/radix-tree.c: make radix_tree_node_alloc() work correctly within interrupt</title>
<updated>2013-09-11T22:59:36+00:00</updated>
<author>
<name>Jan Kara</name>
<email>jack@suse.cz</email>
</author>
<published>2013-09-11T21:26:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5e4c0d974139a98741b829b27cf38dc8f9284490'/>
<id>5e4c0d974139a98741b829b27cf38dc8f9284490</id>
<content type='text'>
With users of radix_tree_preload() run from interrupt (block/blk-ioc.c is
one such possible user), the following race can happen:

radix_tree_preload()
...
radix_tree_insert()
  radix_tree_node_alloc()
    if (rtp-&gt;nr) {
      ret = rtp-&gt;nodes[rtp-&gt;nr - 1];
&lt;interrupt&gt;
...
radix_tree_preload()
...
radix_tree_insert()
  radix_tree_node_alloc()
    if (rtp-&gt;nr) {
      ret = rtp-&gt;nodes[rtp-&gt;nr - 1];

And we give out one radix tree node twice.  That clearly results in radix
tree corruption with different results (usually OOPS) depending on which
two users of radix tree race.

We fix the problem by making radix_tree_node_alloc() always allocate fresh
radix tree nodes when in interrupt.  Using preloading when in interrupt
doesn't make sense since all the allocations have to be atomic anyway and
we cannot steal nodes from process-context users because some users rely
on radix_tree_insert() succeeding after radix_tree_preload().
in_interrupt() check is somewhat ugly but we cannot simply key off passed
gfp_mask as that is acquired from root_gfp_mask() and thus the same for
all preload users.

Another part of the fix is to avoid node preallocation in
radix_tree_preload() when passed gfp_mask doesn't allow waiting.  Again,
preallocation in such case doesn't make sense and when preallocation would
happen in interrupt we could possibly leak some allocated nodes.  However,
some users of radix_tree_preload() require following radix_tree_insert()
to succeed.  To avoid unexpected effects for these users,
radix_tree_preload() only warns if passed gfp mask doesn't allow waiting
and we provide a new function radix_tree_maybe_preload() for those users
which get different gfp mask from different call sites and which are
prepared to handle radix_tree_insert() failure.

Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
Cc: Jens Axboe &lt;jaxboe@fusionio.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>fscache: check consistency does not decrement refcount</title>
<updated>2013-09-10T16:04:46+00:00</updated>
<author>
<name>Milosz Tanski</name>
<email>milosz@adfin.com</email>
</author>
<published>2013-09-09T18:28:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9c89d62948c4740e379a7e0085dd8d7c1561f53f'/>
<id>9c89d62948c4740e379a7e0085dd8d7c1561f53f</id>
<content type='text'>
__fscache_check_consistency() does not decrement the count of operations
active after it finishes in the success case. This leads to hung tasks on
cookie de-registration (commonly in inode eviction).

INFO: task kworker/1:2:4214 blocked for more than 120 seconds.
kworker/1:2     D ffff880443513fc0     0  4214      2 0x00000000
Workqueue: ceph-msgr con_work [libceph]
  ...
Call Trace:
 [&lt;ffffffff81569fc6&gt;] ? _raw_spin_unlock_irqrestore+0x16/0x20
 [&lt;ffffffffa0016570&gt;] ? fscache_wait_bit_interruptible+0x30/0x30 [fscache]
 [&lt;ffffffff81568d09&gt;] schedule+0x29/0x70
 [&lt;ffffffffa001657e&gt;] fscache_wait_atomic_t+0xe/0x20 [fscache]
 [&lt;ffffffff815665cf&gt;] out_of_line_wait_on_atomic_t+0x9f/0xe0
 [&lt;ffffffff81083560&gt;] ? autoremove_wake_function+0x40/0x40
 [&lt;ffffffffa0015a9c&gt;] __fscache_relinquish_cookie+0x15c/0x310 [fscache]
 [&lt;ffffffffa00a4fae&gt;] ceph_fscache_unregister_inode_cookie+0x3e/0x50 [ceph]
 [&lt;ffffffffa007e373&gt;] ceph_destroy_inode+0x33/0x200 [ceph]
 [&lt;ffffffff811c13ae&gt;] ? __fsnotify_inode_delete+0xe/0x10
 [&lt;ffffffff8119ba1c&gt;] destroy_inode+0x3c/0x70
 [&lt;ffffffff8119bb69&gt;] evict+0x119/0x1b0

Signed-off-by: Milosz Tanski &lt;milosz@adfin.com&gt;
Acked-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Sage Weil &lt;sage@inktank.com&gt;
</content>
</entry>
<entry>
<title>fscache: Netfs function for cleanup post readpages</title>
<updated>2013-09-06T08:17:30+00:00</updated>
<author>
<name>Milosz Tanski</name>
<email>milosz@adfin.com</email>
</author>
<published>2013-08-21T21:30:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5a6f282a2052bb13171b53f03b34501cf72c33f1'/>
<id>5a6f282a2052bb13171b53f03b34501cf72c33f1</id>
<content type='text'>
Currently the fscache code expects the netfs to call fscache_readpages_or_alloc
inside the aops readpages callback.  It marks all the pages in the list
provided by readahead with PG_private_2.  In the cases that the netfs fails to
read all the pages (which is legal) it ends up returning to the readahead and
triggering a BUG.  This happens because the page list still contains marked
pages.

This patch implements a simple fscache_readpages_cancel function that the netfs
should call before returning from readpages.  It will revoke the pages from the
underlying cache backend and unmark them.

The problem was originally worked out in the Ceph devel tree, but it also
occurs in CIFS.  It appears that NFS, AFS and 9P are okay as read_cache_pages()
will clean up the unprocessed pages in the case of an error.

This can be used to address the following oops:

[12410647.597278] BUG: Bad page state in process petabucket  pfn:3d504e
[12410647.597292] page:ffffea000f541380 count:0 mapcount:0 mapping:
	(null) index:0x0
[12410647.597298] page flags: 0x200000000001000(private_2)

...

[12410647.597334] Call Trace:
[12410647.597345]  [&lt;ffffffff815523f2&gt;] dump_stack+0x19/0x1b
[12410647.597356]  [&lt;ffffffff8111def7&gt;] bad_page+0xc7/0x120
[12410647.597359]  [&lt;ffffffff8111e49e&gt;] free_pages_prepare+0x10e/0x120
[12410647.597361]  [&lt;ffffffff8111fc80&gt;] free_hot_cold_page+0x40/0x170
[12410647.597363]  [&lt;ffffffff81123507&gt;] __put_single_page+0x27/0x30
[12410647.597365]  [&lt;ffffffff81123df5&gt;] put_page+0x25/0x40
[12410647.597376]  [&lt;ffffffffa02bdcf9&gt;] ceph_readpages+0x2e9/0x6e0 [ceph]
[12410647.597379]  [&lt;ffffffff81122a8f&gt;] __do_page_cache_readahead+0x1af/0x260
[12410647.597382]  [&lt;ffffffff81122ea1&gt;] ra_submit+0x21/0x30
[12410647.597384]  [&lt;ffffffff81118f64&gt;] filemap_fault+0x254/0x490
[12410647.597387]  [&lt;ffffffff8113a74f&gt;] __do_fault+0x6f/0x4e0
[12410647.597391]  [&lt;ffffffff810125bd&gt;] ? __switch_to+0x16d/0x4a0
[12410647.597395]  [&lt;ffffffff810865ba&gt;] ? finish_task_switch+0x5a/0xc0
[12410647.597398]  [&lt;ffffffff8113d856&gt;] handle_pte_fault+0xf6/0x930
[12410647.597401]  [&lt;ffffffff81008c33&gt;] ? pte_mfn_to_pfn+0x93/0x110
[12410647.597403]  [&lt;ffffffff81008cce&gt;] ? xen_pmd_val+0xe/0x10
[12410647.597405]  [&lt;ffffffff81005469&gt;] ? __raw_callee_save_xen_pmd_val+0x11/0x1e
[12410647.597407]  [&lt;ffffffff8113f361&gt;] handle_mm_fault+0x251/0x370
[12410647.597411]  [&lt;ffffffff812b0ac4&gt;] ? call_rwsem_down_read_failed+0x14/0x30
[12410647.597414]  [&lt;ffffffff8155bffa&gt;] __do_page_fault+0x1aa/0x550
[12410647.597418]  [&lt;ffffffff8108011d&gt;] ? up_write+0x1d/0x20
[12410647.597422]  [&lt;ffffffff8113141c&gt;] ? vm_mmap_pgoff+0xbc/0xe0
[12410647.597425]  [&lt;ffffffff81143bb8&gt;] ? SyS_mmap_pgoff+0xd8/0x240
[12410647.597427]  [&lt;ffffffff8155c3ae&gt;] do_page_fault+0xe/0x10
[12410647.597431]  [&lt;ffffffff81558818&gt;] page_fault+0x28/0x30

Signed-off-by: Milosz Tanski &lt;milosz@adfin.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</content>
</entry>
<entry>
<title>FS-Cache: Add interface to check consistency of a cached object</title>
<updated>2013-09-06T08:17:30+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2013-08-21T21:29:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=da9803bc8812f5bd3b26baaa90e515b843c65ff7'/>
<id>da9803bc8812f5bd3b26baaa90e515b843c65ff7</id>
<content type='text'>
Extend the fscache netfs API so that the netfs can ask as to whether a cache
object is up to date with respect to its corresponding netfs object:

	int fscache_check_consistency(struct fscache_cookie *cookie)

This will call back to the netfs to check whether the auxiliary data associated
with a cookie is correct.  It returns 0 if it is and -ESTALE if it isn't; it
may also return -ENOMEM and -ERESTARTSYS.

The backends now have to implement a mandatory operation pointer:

	int (*check_consistency)(struct fscache_object *object)

that corresponds to the above API call.  FS-Cache takes care of pinning the
object and the cookie in memory and managing this call with respect to the
object state.

Original-author: Hongyi Jia &lt;jiayisuse@gmail.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
cc: Hongyi Jia &lt;jiayisuse@gmail.com&gt;
cc: Milosz Tanski &lt;milosz@adfin.com&gt;
</content>
</entry>
<entry>
<title>FS-Cache: Don't use spin_is_locked() in assertions</title>
<updated>2013-06-19T13:16:47+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2013-05-24T11:45:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=dcfae32f892f03dee9896b19d1960c1ecd3f0583'/>
<id>dcfae32f892f03dee9896b19d1960c1ecd3f0583</id>
<content type='text'>
Under certain circumstances, spin_is_locked() is hardwired to 0 - even when the
code would normally be in a locked section where it should return 1.  This
means it cannot be used for an assertion that checks that a spinlock is locked.

Remove such usages from FS-Cache.

The following oops might otherwise be observed:

FS-Cache: Assertion failed
BUG: failure at fs/fscache/operation.c:270/fscache_start_operations()!
Kernel panic - not syncing: BUG!
CPU: 0 PID: 10 Comm: kworker/u2:1 Not tainted 3.10.0-rc1-00133-ge7ebb75 #2
Workqueue: fscache_operation fscache_op_work_func [fscache]
7f091c48 603c8947 7f090000 7f9b1361 7f25f080 00000001 7f26d440 7f091c90
60299eb8 7f091d90 602951c5 7f26d440 3000000008 7f091da0 7f091cc0 7f091cd0
00000007 00000007 00000006 7f091ae0 00000010 0000010e 7f9af330 7f091ae0
Call Trace:
7f091c88: [&lt;60299eb8&gt;] dump_stack+0x17/0x19
7f091c98: [&lt;602951c5&gt;] panic+0xf4/0x1e9
7f091d38: [&lt;6002b10e&gt;] set_signals+0x1e/0x40
7f091d58: [&lt;6005b89e&gt;] __wake_up+0x4e/0x70
7f091d98: [&lt;7f9aa003&gt;] fscache_start_operations+0x43/0x50 [fscache]
7f091da8: [&lt;7f9aa1e3&gt;] fscache_op_complete+0x1d3/0x220 [fscache]
7f091db8: [&lt;60082985&gt;] unlock_page+0x55/0x60
7f091de8: [&lt;7fb25bb0&gt;] cachefiles_read_copier+0x250/0x330 [cachefiles]
7f091e58: [&lt;7f9ab03c&gt;] fscache_op_work_func+0xac/0x120 [fscache]
7f091e88: [&lt;6004d5b0&gt;] process_one_work+0x250/0x3a0
7f091ef8: [&lt;6004edc7&gt;] worker_thread+0x177/0x2a0
7f091f38: [&lt;6004ec50&gt;] worker_thread+0x0/0x2a0
7f091f58: [&lt;60054418&gt;] kthread+0xd8/0xe0
7f091f68: [&lt;6005bb27&gt;] finish_task_switch.isra.64+0x37/0xa0
7f091fd8: [&lt;600185cf&gt;] new_thread_handler+0x8f/0xb0

Reported-by: Milosz Tanski &lt;milosz@adfin.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Reviewed-and-tested-By: Milosz Tanski &lt;milosz@adfin.com&gt;
</content>
</entry>
<entry>
<title>FS-Cache: The retrieval remaining-pages counter needs to be atomic_t</title>
<updated>2013-06-19T13:16:47+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2013-05-21T12:44:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1bb4b7f98f361132ea322834515334d95b93c184'/>
<id>1bb4b7f98f361132ea322834515334d95b93c184</id>
<content type='text'>
struct fscache_retrieval contains a count of the number of pages that still
need some processing (n_pages).  This is decremented as the pages are
processed.

However, this needs to be atomic as fscache_retrieval_complete() (I think) just
occasionally may be called from cachefiles_read_backing_file() and
cachefiles_read_copier() simultaneously.

This happens when an fscache_read_or_alloc_pages() request containing a lot of
pages (say a couple of hundred) is being processed.  The read on each backing
page is dispatched individually because we need to insert a monitor into the
waitqueue to catch when the read completes.  However, under low-memory
conditions, we might be forced to wait in the allocator - and this gives the
I/O on the backing page a chance to complete first.

When the I/O completes, fscache_enqueue_retrieval() chucks the retrieval onto
the workqueue without waiting for the operation to finish the initial I/O
dispatch (we want to release any pages we can as soon as we can), thus both can
end up running simultaneously and potentially attempting to partially complete
the retrieval simultaneously (ENOMEM may occur, backing pages may already be in
the page cache).

This was demonstrated by parallelling the non-atomic counter with an atomic
counter and printing both of them when the assertion fails.  At this point, the
atomic counter has reached zero, but the non-atomic counter has not.

To fix this, make the counter an atomic_t.

This results in the following bug appearing

	FS-Cache: Assertion failed
	3 == 5 is false
	------------[ cut here ]------------
	kernel BUG at fs/fscache/operation.c:421!

or

	FS-Cache: Assertion failed
	3 == 5 is false
	------------[ cut here ]------------
	kernel BUG at fs/fscache/operation.c:414!

With a backtrace like the following:

RIP: 0010:[&lt;ffffffffa0211b1d&gt;] fscache_put_operation+0x1ad/0x240 [fscache]
Call Trace:
 [&lt;ffffffffa0213185&gt;] fscache_retrieval_work+0x55/0x270 [fscache]
 [&lt;ffffffffa0213130&gt;] ? fscache_retrieval_work+0x0/0x270 [fscache]
 [&lt;ffffffff81090b10&gt;] worker_thread+0x170/0x2a0
 [&lt;ffffffff81096d10&gt;] ? autoremove_wake_function+0x0/0x40
 [&lt;ffffffff810909a0&gt;] ? worker_thread+0x0/0x2a0
 [&lt;ffffffff81096966&gt;] kthread+0x96/0xa0
 [&lt;ffffffff8100c0ca&gt;] child_rip+0xa/0x20
 [&lt;ffffffff810968d0&gt;] ? kthread+0x0/0xa0
 [&lt;ffffffff8100c0c0&gt;] ? child_rip+0x0/0x20

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Reviewed-and-tested-By: Milosz Tanski &lt;milosz@adfin.com&gt;
Acked-by: Jeff Layton &lt;jlayton@redhat.com&gt;
</content>
</entry>
</feed>
