I have a user who confirms the 4.15.0-39 kernel fixes this issue: # uname -a Linux <hostname> 4.15.0-39-generic #42~16.04.1-Ubuntu SMP Wed Oct 24 17:09:54 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
# cat /proc/fs/fscache/stats FS-Cache statistics Cookies: idx=2 dat=283731 spc=0 Objects: alc=278557 nal=0 avl=278557 ded=220831 ChkAux : non=0 ok=278555 upd=0 obs=0 Pages : mrk=347998933 unc=323161526 Acquire: n=283733 nul=0 noc=0 ok=283733 nbf=0 oom=0 Lookups: n=278557 neg=0 pos=278557 crt=0 tmo=0 Invals : n=0 run=0 Updates: n=0 nul=0 run=0 Relinqs: n=226008 nul=0 wcr=0 rtr=0 AttrChg: n=0 ok=0 nbf=0 oom=0 run=0 Allocs : n=0 ok=0 wt=0 nbf=0 int=0 Allocs : ops=0 owt=0 abt=0 Retrvls: n=960948 ok=960948 wt=24031 nod=0 nbf=0 int=0 oom=0 Retrvls: ops=960948 owt=51 abt=0 Stores : n=0 ok=0 agn=0 nbf=0 oom=0 Stores : ops=0 run=0 pgs=0 rxd=0 olm=0 VmScan : nos=323161526 gon=0 bsy=0 can=0 wt=0 Ops : pend=51 run=960948 enq=379179023 can=0 rej=0 Ops : ini=960948 dfr=15 rel=960948 gc=15 CacheOp: alo=0 luo=0 luc=0 gro=0 CacheOp: inv=0 upo=0 dro=0 pto=0 atc=0 syn=0 CacheOp: rap=0 ras=0 alp=0 als=0 wrp=0 ucp=0 dsp=0 CacheEv: nsp=0 stl=0 rtr=0 cul=0 Marking verification done for Bionic. ** Tags removed: verification-needed-bionic ** Tags added: verification-done-bionic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1797314 Title: fscache: bad refcounting in fscache_op_complete leads to OOPS Status in linux package in Ubuntu: In Progress Status in linux source package in Xenial: Fix Committed Status in linux source package in Bionic: Fix Committed Status in linux source package in Cosmic: In Progress Bug description: SRU Justification ----------------- [Impact] A kernel BUG is sometimes observed when using fscache: [4740718.880898] FS-Cache: [4740718.880920] FS-Cache: Assertion failed [4740718.880934] FS-Cache: 0 > 0 is false [4740718.881001] ------------[ cut here ]------------ [4740718.881017] kernel BUG at /usr/src/linux-4.4.0/fs/fscache/operation.c:449! [4740718.881040] invalid opcode: 0000 [#1] SMP [4740718.892659] Call Trace: [4740718.893506] [<ffffffffc1464cf9>] cachefiles_read_copier+0x3a9/0x410 [cachefiles] [4740718.894374] [<ffffffffc037e272>] fscache_op_work_func+0x22/0x50 [fscache] [4740718.895180] [<ffffffff81096da0>] process_one_work+0x150/0x3f0 [4740718.895966] [<ffffffff8109751a>] worker_thread+0x11a/0x470 [4740718.896753] [<ffffffff81808e59>] ? __schedule+0x359/0x980 [4740718.897783] [<ffffffff81097400>] ? rescuer_thread+0x310/0x310 [4740718.898581] [<ffffffff8109cdd6>] kthread+0xd6/0xf0 [4740718.899469] [<ffffffff8109cd00>] ? kthread_park+0x60/0x60 [4740718.900477] [<ffffffff8180d0cf>] ret_from_fork+0x3f/0x70 [4740718.901514] [<ffffffff8109cd00>] ? kthread_park+0x60/0x60 [Problem] In include/linux/fscache-cache.h, fscache_retrieval_complete reads, in part: atomic_sub(n_pages, &op->n_pages); if (atomic_read(&op->n_pages) <= 0) fscache_op_complete(&op->op, true); The code is using atomic_sub followed by an atomic_read. This causes two threads doing a decrement of pages to race with each other seeing the op->refcount <= 0 at same time, and end up calling fscache_op_complete in both the threads leading to the OOPS. [Fix] The fix is trivial to use atomic_sub_return instead of two calls. [Testcase] I believe the user has tested the patch successfully on their fscache/cachefiles setup. [Regression Potential] Limited to fscache. Small, comprehensible change. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1797314/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
