public inbox for linux-kernel@vger.kernel.org
From: Andrew Morton <akpm@zip.com.au>
To: "Martin J. Bligh" <Martin.Bligh@us.ibm.com>
Cc: Dave Hansen <haveblue@us.ibm.com>,
	linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: truncate_list_pages()  BUG and confusion
Date: Fri, 08 Mar 2002 16:17:55 -0800
Message-ID: <3C8954B3.2543A503@zip.com.au>
In-Reply-To: <3C8932CC.761C8829@zip.com.au>, <3C880EFF.A0789715@zip.com.au>,	<3C8809BA.4070003@us.ibm.com> <3C880EFF.A0789715@zip.com.au> <17920000.1015622098@flay> <3C8932CC.761C8829@zip.com.au> <67550000.1015632244@flay>

"Martin J. Bligh" wrote:
> 
> ..
> > If the page_cache_release() in truncate_complete_page() is calling
> > __free_pages_ok() then something really horrid has happened.
> 
> That's exactly what's happening.
> 
> > Yes, it could be that the page has had its refcount incorrectly
> > decremented somewhere.
> 
> I don't see you need that to make this bug happen.
> Say count is 0 when we enter truncate_list_pages.

It mustn't be zero!  The page is *known* to be in the pagecache,
so its count must be at least 1.

> We increment it.
> It's now 1 when we call page_cache_release.
> put_page_testzero dec's it back to 0, and returns true.
> We do a __free_pages_ok. Page is still locked. BUG.
> 
> No other process, nothing funky happening, no races, no other
> refcount decrements. Or that's the way I read it.
> 
> > Or the page wasn't in the pagecache at all.
> 
> The only thing I can think of was the pagecount shouldn't have been 0
> to start with (or the code path we're reading is wrong ;-) )

yup.  You can stick an

	if (page_count(page) == 0)
		BUG();

at the top of truncate_list_pages...

Actually it might help to add some extra checks to
page_cache_release():

1: If the page is in the pagecache, that's one.
2: If the page has buffers, that's another.

so 

  void page_cache_release(struct page *page)  
  {
+	int expected = 0;
+
+	if (page->buffers)
+		expected++;
+	if (page->mapping) {
+		if (!list_empty(page->list))
+			BUG();
+		expected++;
+	}
+
+	expected++;	/* The caller has a ref too */
+
+	if (page_count(page) < expected)
+		BUG();
+
        if (!PageReserved(page) && put_page_testzero(page)) {
                if (PageLRU(page))
                        lru_cache_del(page);
                __free_pages_ok(page, 0);
        }
  }
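
Review bot: The list check inside the "if (page->mapping)" branch looks inverted, and its argument needs an address-of. list_empty() takes a pointer to a list_head, so if page->list is an embedded list_head (as the list_del() reference below suggests) this should be list_empty(&page->list). Once remove_page_from_inode_queue() uses list_del_init(), an empty list is what marks a page that has left the inode queue, so "!list_empty(...)" would fire on a page that has a mapping and is still queued; "if (list_empty(&page->list)) BUG();" matches the stated intent. Separately, page->buffers, page->mapping and page_count() are sampled with no lock visible in these lines, so the "page_count(page) < expected" comparison can misfire under concurrency, as the message itself notes.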

The list_empty() check will require that remove_page_from_inode_queue()
use list_del_init() instead of list_del().

The above code (untested, and racy as hell on SMP and preempt) may
catch whoever is dropping the refcount at the wrong time.
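
The refcount argument in this message, as an added userspace model (not code from the thread or the kernel): it replays the sequence Martin describes with and without the "expected" check. The struct, enum and function names are assumptions made for illustration, and the model keeps the page in the pagecache at release time as a simplification.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical userspace stand-in for the fields the message talks about. */
struct page_model {
    int  count;         /* reference count */
    bool in_pagecache;  /* stands in for page->mapping != NULL */
    bool has_buffers;   /* stands in for page->buffers != NULL */
    bool locked;
};

enum release_result { KEPT, FREED, REFCOUNT_TOO_LOW, FREED_WHILE_LOCKED };

/* Minimum count the release path should see: one reference per holder. */
static int expected_refs(const struct page_model *p)
{
    return (p->in_pagecache ? 1 : 0) + (p->has_buffers ? 1 : 0)
           + 1; /* the caller has a ref too */
}

/* Drop one reference. With `checked`, refuse when the count is below the
 * expected minimum (the point where the message's version would BUG()). */
static enum release_result model_release(struct page_model *p, bool checked)
{
    if (checked && p->count < expected_refs(p))
        return REFCOUNT_TOO_LOW;
    if (--p->count == 0)
        return p->locked ? FREED_WHILE_LOCKED : FREED;
    return KEPT;
}

/* Sequence from the thread: the page is locked, the caller takes a
 * temporary reference, then releases it while the page is still locked. */
static enum release_result model_truncate(int entry_count, bool checked)
{
    struct page_model p = { .count = entry_count, .in_pagecache = true,
                            .locked = true };
    p.count++;
    return model_release(&p, checked);
}

int main(void)
{
    /* entry count 0 is the constructed "already under-counted" case */
    printf("count 0, unchecked: %d\n", model_truncate(0, false));
    printf("count 0, checked:   %d\n", model_truncate(0, true));
    printf("count 1, checked:   %d\n", model_truncate(1, true));
    return 0;
}
```

With an entry count of 0 the unchecked path frees a locked page, while the checked path reports the shortfall at release time, before the free.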
