From: Theodore Ts'o <tytso@mit.edu>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Jiang Biao <jiang.biao2@zte.com.cn>,
linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org,
ebiggers@google.com, jack@suse.cz, zhong.weidong@zte.com.cn
Subject: Re: [PATCH v2] fs/mbcache: make sure mb_cache_count() not return negative value.
Date: Tue, 9 Jan 2018 23:26:01 -0500 [thread overview]
Message-ID: <20180110042600.GC5809@thunk.org> (raw)
In-Reply-To: <20180108161304.f4be912fb6e20cdf56ae78ef@linux-foundation.org>
On Mon, Jan 08, 2018 at 04:13:04PM -0800, Andrew Morton wrote:
> I agree with Jan's comment. We need to figure out how ->c_entry_count
> went negative. mb_cache_count() says this state is "Unlikely, but not
> impossible", but from a quick read I can't see how this happens - it
> appears that coherency between ->c_list and ->c_entry_count is always
> maintained under ->c_list_lock?
I think I see the problem; and I think this should fix it. Andrew,
Jan, can you review and double check my analysis?
Thanks,
- Ted
commit 18fb3649c7cd9e70f05045656c1888459d96dfe4
Author: Theodore Ts'o <tytso@mit.edu>
Date: Tue Jan 9 23:24:53 2018 -0500
mbcache: fix potential double counting when removing entry
Entries are removed from the mb_cache entry in two places:
mb_cache_shrink() and mb_cache_entry_delete(). The mb_cache_shrink()
function finds the entry to delete via the cache->c_list pointer,
while mb_cache_entry_delete() finds the entry via the hash lists.
If the two functions race with each other, trying to delete an entry
at the same time, it's possible for cache->c_entry_count to get
decremented twice for that one entry. Fix this by checking to see if
entry is still on the cache list before removing it and dropping
c_entry_count.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
diff --git a/fs/mbcache.c b/fs/mbcache.c
index 49c5b25bfa8c..0851af5c1c3d 100644
--- a/fs/mbcache.c
+++ b/fs/mbcache.c
@@ -290,8 +290,10 @@ static unsigned long mb_cache_shrink(struct mb_cache *cache,
list_move_tail(&entry->e_list, &cache->c_list);
continue;
}
- list_del_init(&entry->e_list);
- cache->c_entry_count--;
+ if (!list_empty(&entry->e_list)) {
+ list_del_init(&entry->e_list);
+ cache->c_entry_count--;
+ }
/*
* We keep LRU list reference so that entry doesn't go away
* from under us.
next prev parent reply other threads:[~2018-01-10 4:26 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-08 23:38 [PATCH v2] fs/mbcache: make sure mb_cache_count() not return negative value Jiang Biao
2018-01-09 0:13 ` Andrew Morton
2018-01-10 4:26 ` Theodore Ts'o [this message]
2018-01-10 15:02 ` Jan Kara
2018-01-10 20:11 ` Theodore Ts'o
2018-01-11 9:04 ` Jan Kara
2018-01-10 4:58 ` Theodore Ts'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180110042600.GC5809@thunk.org \
--to=tytso@mit.edu \
--cc=akpm@linux-foundation.org \
--cc=ebiggers@google.com \
--cc=jack@suse.cz \
--cc=jiang.biao2@zte.com.cn \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=zhong.weidong@zte.com.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.