Hi,


* On Mon, Sep 03, 2012 at 06:15:21AM +0530, Raghavendra D Prabhu <raghu.prabhu13@gmail.com> wrote:
>Hi,
>
>
>* On Fri, Aug 17, 2012 at 01:15:43PM -0500, Eric Sandeen <sandeen@sandeen.net> wrote:
>>On 8/17/12 1:02 PM, Christoph Hellwig wrote:
>>>I'd be this is my new code added to xfs_buf_item_unpin, but I don't
>>>quite understand why.  It's been a long time since I wrote that code,
>>>but I had to add that code to make sure we clear all buffers during
>>>a forced shutdown.  Can you test if things go away if you just remove it
>>>(even if causes other hangs?)
>>
>>It does go away AFAIK, since the bisect found it.
>>
>>Sadly it's been on the back burner for me, under other deadline pressure.
>>
>>-Eric
>>
>>_______________________________________________
>>xfs mailing list
>>xfs@oss.sgi.com
>>http://oss.sgi.com/mailman/listinfo/xfs
>
>I hit the same bug on xfstest 137 while testing and it is indeed 
>POISON_FREE.
>
>Here are the intermediate backtraces:  http://sprunge.us/HZeD
>
>I am also attaching the full backtrace.
>
>
>git head:
>
>commit b686d1f79acb65c6a34473c15fcfa2ee54aed8e2
> Author: Jeff Liu <jeff.liu@oracle.com>
> Date:   Tue Aug 21 17:12:18 2012 +0800
>

With DEBUG_PAGEALLOC enabled, I got following:

[  182.925026]  [<ffffffff815813ce>] ? xfs_buf_iodone_work+0x43/0xb7
[  182.925026]  [<ffffffff8166c7b5>] xfs_buf_iodone_callbacks+0x4d2/0x5aa
[  182.925026]  [<ffffffff8166d041>] ? xfs_buf_item_unpin+0x7b4/0x812
[  182.925026]  [<ffffffff815813ce>] xfs_buf_iodone_work+0x43/0xb7
[  182.925026]  [<ffffffff81581ccc>] xfs_buf_ioend+0x29a/0x2fc
[  182.925026]  [<ffffffff8166d041>] xfs_buf_item_unpin+0x7b4/0x812
[  182.925026]  [<ffffffff8165bfe4>] xfs_trans_committed_bulk+0x223/0x6d1
[  182.925026]  [<ffffffff81317583>] ? __slab_free+0xa46/0xc2f
[  182.925026]  [<ffffffff81665edc>] ? xlog_write+0x18b/0x95c
[  182.925026]  [<ffffffff8116f30b>] ? debug_check_no_locks_freed+0x121/0x17b
[  182.925026]  [<ffffffff81318ab0>] ? kmem_cache_free+0x338/0x491
[  182.925026]  [<ffffffff81661dcf>] ? xfs_log_ticket_put+0xaf/0xbc
[  182.925026]  [<ffffffff81667fe7>] xlog_cil_committed+0x3b/0x1fa
[  182.925026]  [<ffffffff816691e1>] xlog_cil_push+0x6ca/0x6f6
[  182.925026]  [<ffffffff81170c84>] ? __lock_release+0x64/0xb6
[  182.925026]  [<ffffffff81669389>] xlog_cil_push_foreground+0x17c/0x1fa
[  182.925026]  [<ffffffff816697d1>] xlog_cil_force_lsn+0x90/0x27e
[  182.925026]  [<ffffffff813a4a42>] ? sync_inodes_sb+0x23e/0x26c
[  182.925026]  [<ffffffff81664c3c>] _xfs_log_force+0x67/0x620
[  182.925026]  [<ffffffff81db7f97>] ? wait_for_common+0x231/0x3ac
[  182.925026]  [<ffffffff81665359>] xfs_log_force+0x164/0x1c2
[  182.925026]  [<ffffffff815ac8cc>] xfs_quiesce_data+0x21/0x9f
[  182.925026]  [<ffffffff815a6780>] xfs_fs_sync_fs+0x5a/0xe0
[  182.925026]  [<ffffffff813af269>] __sync_filesystem+0x9e/0xc2
[  182.925026]  [<ffffffff813af357>] sync_filesystem+0xca/0x12d
[  182.925026]  [<ffffffff8134c95f>] generic_shutdown_super+0x61/0x203
[  182.925026]  [<ffffffff8134cb42>] kill_block_super+0x41/0x1a6
[  182.925026]  [<ffffffff8134dbf4>] deactivate_locked_super+0x9b/0x104
[  182.925026]  [<ffffffff8134f0a7>] deactivate_super+0x147/0x187
[  182.925026]  [<ffffffff8138f1d4>] mntput_no_expire+0x308/0x32a
[  182.925026]  [<ffffffff81391bc5>] sys_umount+0x1a6/0x1e4
[  182.925026]  [<ffffffff81dcb3e9>] system_call_fastpath+0x16/0x1b

Full here -- http://sprunge.us/CPKW 

One more thing, in xfs_buf_do_callbacks,


	while ((lip = bp->b_fspriv) != NULL) {
		bp->b_fspriv = lip->li_bio_list;
		ASSERT(lip->li_cb != NULL);

     In the loop before the crash, lip->li_bio_list is NULL which 
     explains the use-after-free.


>_______________________________________________
>xfs mailing list
>xfs@oss.sgi.com
>http://oss.sgi.com/mailman/listinfo/xfs





Regards,
-- 
Raghavendra Prabhu
GPG Id : 0xD72BE977
Fingerprint: B93F EBCB 8E05 7039 CD3C A4B8 A616 DCA1 D72B E977
www: wnohang.net