From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Olivier Bonvalet <ob@daevel.fr>,
Alex Elder <elder@linaro.org>, Sage Weil <sage@inktank.com>,
Ilya Dryomov <ilya.dryomov@inktank.com>
Subject: [PATCH 3.10 16/16] rbd: drop an unsafe assertion
Date: Tue, 24 Feb 2015 18:10:08 -0800 [thread overview]
Message-ID: <20150225020812.149746297@linuxfoundation.org> (raw)
In-Reply-To: <20150225020811.453644010@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Elder <elder@linaro.org>
commit 638c323c4d1f8eaf25224946e21ce8818f1bcee1 upstream.
Olivier Bonvalet reported having repeated crashes due to a failed
assertion he was hitting in rbd_img_obj_callback():
Assertion failure in rbd_img_obj_callback() at line 2165:
rbd_assert(which >= img_request->next_completion);
With a lot of help from Olivier with reproducing the problem
we were able to determine the object and image requests had
already been completed (and often freed) at the point the
assertion failed.
There was a great deal of discussion on the ceph-devel mailing list
about this. The problem only arose when there were two (or more)
object requests in an image request, and the problem was always
seen when the second request was being completed.
The problem is due to a race in the window between setting the
"done" flag on an object request and checking the image request's
next completion value. When the first object request completes, it
checks to see if its successor request is marked "done", and if
so, that request is also completed. In the process, the image
request's next_completion value is updated to reflect that both
the first and second requests are completed. By the time the
second request is able to check the next_completion value, it
has been set to a value *greater* than its own "which" value,
which caused an assertion to fail.
Fix this problem by skipping over any completion processing
unless the completing object request is the next one expected.
Test only for inequality (not >=), and eliminate the bad
assertion.
Tested-by: Olivier Bonvalet <ob@daevel.fr>
Signed-off-by: Alex Elder <elder@linaro.org>
Reviewed-by: Sage Weil <sage@inktank.com>
Reviewed-by: Ilya Dryomov <ilya.dryomov@inktank.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/rbd.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -2149,7 +2149,6 @@ static void rbd_img_obj_callback(struct
rbd_assert(img_request->obj_request_count > 0);
rbd_assert(which != BAD_WHICH);
rbd_assert(which < img_request->obj_request_count);
- rbd_assert(which >= img_request->next_completion);
spin_lock_irq(&img_request->completion_lock);
if (which != img_request->next_completion)
next prev parent reply other threads:[~2015-02-25 2:16 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-25 2:09 [PATCH 3.10 00/16] 3.10.70-stable review Greg Kroah-Hartman
2015-02-25 2:09 ` [PATCH 3.10 01/16] ip: zero sockaddr returned on error queue Greg Kroah-Hartman
2015-02-25 2:09 ` [PATCH 3.10 02/16] net: rps: fix cpu unplug Greg Kroah-Hartman
2015-02-25 2:09 ` [PATCH 3.10 03/16] ipv6: stop sending PTB packets for MTU < 1280 Greg Kroah-Hartman
2015-02-25 2:09 ` [PATCH 3.10 04/16] netxen: fix netxen_nic_poll() logic Greg Kroah-Hartman
2015-02-25 2:09 ` [PATCH 3.10 05/16] net: sctp: fix slab corruption from use after free on INIT collisions Greg Kroah-Hartman
2015-02-25 2:09 ` [PATCH 3.10 06/16] ipv4: try to cache dst_entries which would cause a redirect Greg Kroah-Hartman
2015-02-25 2:09 ` [PATCH 3.10 07/16] udp_diag: Fix socket skipping within chain Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.10 08/16] ping: Fix race in free in receive path Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.10 09/16] ipv6: replacing a rt6_info needs to purge possible propagated rt6_infos too Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.10 10/16] bridge: dont send notification when skb->len == 0 in rtnl_bridge_notify Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.10 11/16] tcp: ipv4: initialize unicast_sock sk_pacing_rate Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.10 12/16] ipv4: tcp: get rid of ugly unicast_sock Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.10 13/16] ppp: deflate: never return len larger than output buffer Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.10 14/16] net: sctp: fix passing wrong parameter header to param_type2af in sctp_process_param Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.10 15/16] [media] media/rc: Send sync space information on the lirc device Greg Kroah-Hartman
2015-02-25 2:10 ` Greg Kroah-Hartman [this message]
2015-02-25 16:44 ` [PATCH 3.10 00/16] 3.10.70-stable review Guenter Roeck
2015-02-25 20:55 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150225020812.149746297@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=elder@linaro.org \
--cc=ilya.dryomov@inktank.com \
--cc=linux-kernel@vger.kernel.org \
--cc=ob@daevel.fr \
--cc=sage@inktank.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox