From: Dave Chinner <david@fromorbit.com>
To: William Dauchy <wdauchy@gmail.com>
Cc: stable@vger.kernel.org, Dave Chinner <dchinner@redhat.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Ben Hutchings <ben@decadent.org.uk>,
linux-kernel@vger.kernel.org, Mark Tinguely <tinguely@sgi.com>,
Ben Myers <bpm@sgi.com>
Subject: Re: xfs: fix buffer lookup race on allocation failure
Date: Tue, 16 Oct 2012 10:21:47 +1100
Message-ID: <20121015232147.GG2739@dastard>
In-Reply-To: <CAJ75kXZsBfhydOSF1Tjpp_OOndWs=jbC_YvrZ9Fw22+Q4rp1yw@mail.gmail.com>

On Mon, Oct 15, 2012 at 11:27:58AM +0200, William Dauchy wrote:
> Hello,
>
> I believe, the commit fe2429b fixes the attached kernel trace.
> I tested it both on top of 3.2 and 3.4 stable tree.
> Could we consider adding this patch in stable tree at least for 3.2 and 3.4?
>
> commit fe2429b0966a7ec42b5fe3bf96f0f10de0a3b536
> Author: Dave Chinner <dchinner@redhat.com>
> Date: Mon Apr 23 15:58:45 2012 +1000
>
> xfs: fix buffer lookup race on allocation failure
>
> When memory allocation fails to add the page array or the pages to
> a buffer during xfs_buf_get(), the buffer is left in the cache in a
> partially initialised state. There is enough state left for the next
> lookup on that buffer to find the buffer, and for the buffer to then
> be used without finishing the initialisation. As a result, when an
> attempt to do IO on the buffer occurs, it fails with EIO because
> there are no pages attached to the buffer.
>
> We cannot remove the buffer from the cache immediately and free it,
> because there may already be a racing lookup that is blocked on the
> buffer lock. Hence the moment we unlock the buffer to then free it,
> the other user is woken and we have a use-after-free situation.
>
> To avoid this race condition altogether, allocate the pages for the
> buffer before we insert it into the cache. This then means that we
> don't have an allocation failure case to deal with after the buffer is
> already present in the cache, and hence avoid the problem
> altogether. In most cases we won't have racing inserts for the same
> buffer, and so won't increase the memory pressure allocation before
> insertion may entail.
>
> Signed-off-by: Dave Chinner <dchinner@redhat.com>
> Reviewed-by: Mark Tinguely <tinguely@sgi.com>
> Signed-off-by: Ben Myers <bpm@sgi.com>
>
>
> XFS: Assertion failed: bp->b_bn != XFS_BUF_DADDR_NULL, file:
> fs/xfs/xfs_buf.c, line: 598

You're running a CONFIG_XFS_DEBUG kernel. If you can reproduce the
problem with CONFIG_XFS_DEBUG, then it probably should be
backported.

If you are using CONFIG_XFS_DEBUG on production systems, then you
shouldn't be because it does nasty things to allocation patterns,
not to mention a 25-30% CPU overhead and will panic in places where
errors are recoverable but as a developer we want to try to find out
what went wrong.

In this case, you'll get a transient EIO error when the I/O is
issued on the malformed buffer, but other than that the system can
continue along just fine and the next read of the buffer will work
perfectly...

Cheers,

Dave.
--
Dave Chinner
david@fromorbit.com
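
Added example, not part of the original message or the XFS source: a simplified single-threaded C model of the ordering problem the quoted commit message describes, where a failed page allocation after insertion leaves a buffer that the next lookup finds and that then fails I/O with EIO. The one-slot cache, the failure-injection flag and all function names are hypothetical; locking and the racing-lookup case are left out.

```c
/* Toy single-threaded model (constructed, not XFS code): one-slot cache
 * with injectable page-allocation failure. All names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

struct buf { long blkno; void *pages; };
static struct buf *cache_slot;   /* stands in for the buffer cache */
static int fail_next_alloc;      /* failure injection for the demo */

static void *alloc_pages_demo(void)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return malloc(4096);
}

static int buf_io(const struct buf *bp) { return bp->pages ? 0 : -EIO; }

/* alloc_first=0: insert then allocate (pre-fix); 1: allocate then insert. */
static struct buf *buf_get(long blkno, int alloc_first)
{
    struct buf *bp = cache_slot;
    if (bp && bp->blkno == blkno) return bp;  /* may be a half-built buffer */
    if (!(bp = calloc(1, sizeof(*bp)))) return NULL;
    bp->blkno = blkno;
    if (!alloc_first) cache_slot = bp;        /* published without pages */
    bp->pages = alloc_pages_demo();
    if (!bp->pages) {
        if (alloc_first) free(bp);            /* never published: safe to free */
        return NULL;                          /* else bp stays in the cache */
    }
    cache_slot = bp;
    return bp;
}

/* Fail the first get, then return the I/O result of the second get. */
static int io_after_failed_get(int alloc_first)
{
    if (cache_slot) { free(cache_slot->pages); free(cache_slot); }
    cache_slot = NULL; fail_next_alloc = 1;
    if (buf_get(7, alloc_first)) return 1;    /* first get must fail */
    struct buf *bp = buf_get(7, alloc_first);
    return bp ? buf_io(bp) : 1;
}

int main(void)
{
    printf("%d %d\n", io_after_failed_get(0), io_after_failed_get(1));
    return 0;
}
```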