[Kernel-packages] [Bug 1776277] Re: fscache cookie refcount updated incorrectly during fscache object allocation
** Tags added: cscc -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1776277 Title: fscache cookie refcount updated incorrectly during fscache object allocation Status in linux package in Ubuntu: Fix Released Status in linux source package in Trusty: Fix Released Status in linux source package in Xenial: Fix Released Status in linux source package in Bionic: Fix Released Bug description: == SRU Justification == [Impact] Oops during heavy NFS + FSCache + Cachefiles use: kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/internal.h:321! kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/cookie.c:639! [Cause] 1)Two threads are trying to do operate on a cookie and two objects. 2a)One thread tries to unmount the filesystem and in process goes over a huge list of objects marking them dead and deleting the objects. cookie->usage is also decremented in following path nfs_fscache_release_super_cookie -> __fscache_relinquish_cookie ->__fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); 2b)second thread tries to lookup an object for reading data in following path fscache_alloc_object 1) cachefiles_alloc_object -> fscache_object_init -> assign cookie, but usage not bumped. 2) fscache_attach_object -> fails in cant_attach_object because the cookie's backing object or cookie's->parent object are going away 3)fscache_put_object -> cachefiles_put_object ->fscache_object_destroy ->fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); [Fix] Bump up the cookie usage in fscache_object_init, when it is first being assigned a cookie atomically such that the cookie is added and bumped up if its refcount is not zero. remove the assignment in the attach_object. [Testcase] A user has run ~100 hours of NFS stress tests and not seen this bug recur. [Regression Potential] - Limited to fscache/cachefiles. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1776277/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1776277] Re: fscache cookie refcount updated incorrectly during fscache object allocation
This bug was erroneously marked for verification in bionic; verification is not required and verification-needed-bionic is being removed. ** Tags added: verification-done-bionic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1776277 Title: fscache cookie refcount updated incorrectly during fscache object allocation Status in linux package in Ubuntu: Fix Released Status in linux source package in Trusty: Fix Released Status in linux source package in Xenial: Fix Released Status in linux source package in Bionic: Fix Released Bug description: == SRU Justification == [Impact] Oops during heavy NFS + FSCache + Cachefiles use: kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/internal.h:321! kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/cookie.c:639! [Cause] 1)Two threads are trying to do operate on a cookie and two objects. 2a)One thread tries to unmount the filesystem and in process goes over a huge list of objects marking them dead and deleting the objects. cookie->usage is also decremented in following path nfs_fscache_release_super_cookie -> __fscache_relinquish_cookie ->__fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); 2b)second thread tries to lookup an object for reading data in following path fscache_alloc_object 1) cachefiles_alloc_object -> fscache_object_init -> assign cookie, but usage not bumped. 2) fscache_attach_object -> fails in cant_attach_object because the cookie's backing object or cookie's->parent object are going away 3)fscache_put_object -> cachefiles_put_object ->fscache_object_destroy ->fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); [Fix] Bump up the cookie usage in fscache_object_init, when it is first being assigned a cookie atomically such that the cookie is added and bumped up if its refcount is not zero. remove the assignment in the attach_object. [Testcase] A user has run ~100 hours of NFS stress tests and not seen this bug recur. [Regression Potential] - Limited to fscache/cachefiles. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1776277/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1776277] Re: fscache cookie refcount updated incorrectly during fscache object allocation
** Tags removed: verification-needed-bionic ** Tags added: kernel-fixup-verification-needed-bionic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1776277 Title: fscache cookie refcount updated incorrectly during fscache object allocation Status in linux package in Ubuntu: Fix Released Status in linux source package in Trusty: Fix Released Status in linux source package in Xenial: Fix Released Status in linux source package in Bionic: Fix Released Bug description: == SRU Justification == [Impact] Oops during heavy NFS + FSCache + Cachefiles use: kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/internal.h:321! kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/cookie.c:639! [Cause] 1)Two threads are trying to do operate on a cookie and two objects. 2a)One thread tries to unmount the filesystem and in process goes over a huge list of objects marking them dead and deleting the objects. cookie->usage is also decremented in following path nfs_fscache_release_super_cookie -> __fscache_relinquish_cookie ->__fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); 2b)second thread tries to lookup an object for reading data in following path fscache_alloc_object 1) cachefiles_alloc_object -> fscache_object_init -> assign cookie, but usage not bumped. 2) fscache_attach_object -> fails in cant_attach_object because the cookie's backing object or cookie's->parent object are going away 3)fscache_put_object -> cachefiles_put_object ->fscache_object_destroy ->fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); [Fix] Bump up the cookie usage in fscache_object_init, when it is first being assigned a cookie atomically such that the cookie is added and bumped up if its refcount is not zero. remove the assignment in the attach_object. [Testcase] A user has run ~100 hours of NFS stress tests and not seen this bug recur. [Regression Potential] - Limited to fscache/cachefiles. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1776277/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1776277] Re: fscache cookie refcount updated incorrectly during fscache object allocation
This bug was fixed in the package linux - 4.4.0-135.161 --- linux (4.4.0-135.161) xenial; urgency=medium * linux: 4.4.0-135.161 -proposed tracker (LP: #1788766) * [Regression] APM Merlin boards fail to recover link after interface down/up (LP: #1785739) - net: phylib: fix interrupts re-enablement in phy_start - net: phy: fix phy_start to consider PHY_IGNORE_INTERRUPT * qeth: don't clobber buffer on async TX completion (LP: #1786057) - s390/qeth: don't clobber buffer on async TX completion * nvme: avoid cqe corruption (LP: #1788035) - nvme: avoid cqe corruption when update at the same time as read * CacheFiles: Error: Overlong wait for old active object to go away. (LP: #1776254) - cachefiles: Fix missing clear of the CACHEFILES_OBJECT_ACTIVE flag - cachefiles: Wait rather than BUG'ing on "Unexpected object collision" * fscache cookie refcount updated incorrectly during fscache object allocation (LP: #1776277) // fscache cookie refcount updated incorrectly during fscache object allocation (LP: #1776277) - fscache: Fix reference overput in fscache_attach_object() error handling * FS-Cache: Assertion failed: FS-Cache: 6 == 5 is false (LP: #1774336) - Revert "UBUNTU: SAUCE: CacheFiles: fix a read_waiter/read_copier race" - fscache: Allow cancelled operations to be enqueued - cachefiles: Fix refcounting bug in backing-file read monitoring * linux-cloud-tools-common: Ensure hv-kvp-daemon.service starts before walinuxagent.service (LP: #1739107) - [Debian] hyper-v -- Ensure that hv-kvp-daemon.service starts before walinuxagent.service -- Khalid Elmously Sun, 26 Aug 2018 23:56:50 -0400 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1776277 Title: fscache cookie refcount updated incorrectly during fscache object allocation Status in linux package in Ubuntu: Fix Released Status in linux source package in Trusty: Fix Released Status in linux source package in Xenial: Fix Released Status in linux source package in Bionic: Fix Released Bug description: == SRU Justification == [Impact] Oops during heavy NFS + FSCache + Cachefiles use: kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/internal.h:321! kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/cookie.c:639! [Cause] 1)Two threads are trying to do operate on a cookie and two objects. 2a)One thread tries to unmount the filesystem and in process goes over a huge list of objects marking them dead and deleting the objects. cookie->usage is also decremented in following path nfs_fscache_release_super_cookie -> __fscache_relinquish_cookie ->__fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); 2b)second thread tries to lookup an object for reading data in following path fscache_alloc_object 1) cachefiles_alloc_object -> fscache_object_init -> assign cookie, but usage not bumped. 2) fscache_attach_object -> fails in cant_attach_object because the cookie's backing object or cookie's->parent object are going away 3)fscache_put_object -> cachefiles_put_object ->fscache_object_destroy ->fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); [Fix] Bump up the cookie usage in fscache_object_init, when it is first being assigned a cookie atomically such that the cookie is added and bumped up if its refcount is not zero. remove the assignment in the attach_object. [Testcase] A user has run ~100 hours of NFS stress tests and not seen this bug recur. [Regression Potential] - Limited to fscache/cachefiles. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1776277/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1776277] Re: fscache cookie refcount updated incorrectly during fscache object allocation
This bug was fixed in the package linux - 3.13.0-158.208 --- linux (3.13.0-158.208) trusty; urgency=medium * linux: 3.13.0-158.208 -proposed tracker (LP: #1788764) * CVE-2018-3620 // CVE-2018-3646 - SAUCE: x86/fremap: Invert the offset when converting to/from a PTE * BUG: scheduling while atomic (Kernel : Ubuntu-3.13 + VMware: 6.0 and late) (LP: #1780470) - VSOCK: sock_put wasn't safe to call in interrupt context - VSOCK: Fix lockdep issue. - VSOCK: Detach QP check should filter out non matching QPs. * CacheFiles: Error: Overlong wait for old active object to go away. (LP: #1776254) - cachefiles: Fix missing clear of the CACHEFILES_OBJECT_ACTIVE flag - cachefiles: Wait rather than BUG'ing on "Unexpected object collision" * fscache cookie refcount updated incorrectly during fscache object allocation (LP: #1776277) - fscache: Fix reference overput in fscache_attach_object() error handling * FS-Cache: Assertion failed: FS-Cache: 6 == 5 is false (LP: #1774336) - Revert "UBUNTU: SAUCE: CacheFiles: fix a read_waiter/read_copier race" - fscache: Allow cancelled operations to be enqueued - cachefiles: Fix refcounting bug in backing-file read monitoring -- Kleber Sacilotto de Souza Fri, 24 Aug 2018 15:08:23 + ** Changed in: linux (Ubuntu Xenial) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1776277 Title: fscache cookie refcount updated incorrectly during fscache object allocation Status in linux package in Ubuntu: Fix Released Status in linux source package in Trusty: Fix Released Status in linux source package in Xenial: Fix Released Status in linux source package in Bionic: Fix Released Bug description: == SRU Justification == [Impact] Oops during heavy NFS + FSCache + Cachefiles use: kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/internal.h:321! kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/cookie.c:639! [Cause] 1)Two threads are trying to do operate on a cookie and two objects. 2a)One thread tries to unmount the filesystem and in process goes over a huge list of objects marking them dead and deleting the objects. cookie->usage is also decremented in following path nfs_fscache_release_super_cookie -> __fscache_relinquish_cookie ->__fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); 2b)second thread tries to lookup an object for reading data in following path fscache_alloc_object 1) cachefiles_alloc_object -> fscache_object_init -> assign cookie, but usage not bumped. 2) fscache_attach_object -> fails in cant_attach_object because the cookie's backing object or cookie's->parent object are going away 3)fscache_put_object -> cachefiles_put_object ->fscache_object_destroy ->fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); [Fix] Bump up the cookie usage in fscache_object_init, when it is first being assigned a cookie atomically such that the cookie is added and bumped up if its refcount is not zero. remove the assignment in the attach_object. [Testcase] A user has run ~100 hours of NFS stress tests and not seen this bug recur. [Regression Potential] - Limited to fscache/cachefiles. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1776277/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1776277] Re: fscache cookie refcount updated incorrectly during fscache object allocation
This bug was fixed in the package linux - 4.15.0-34.37 --- linux (4.15.0-34.37) bionic; urgency=medium * linux: 4.15.0-34.37 -proposed tracker (LP: #1788744) * Bionic update: upstream stable patchset 2018-08-09 (LP: #1786352) - MIPS: c-r4k: Fix data corruption related to cache coherence - MIPS: ptrace: Expose FIR register through FP regset - MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs - KVM: Fix spelling mistake: "cop_unsuable" -> "cop_unusable" - affs_lookup(): close a race with affs_remove_link() - fs: don't scan the inode cache before SB_BORN is set - aio: fix io_destroy(2) vs. lookup_ioctx() race - ALSA: timer: Fix pause event notification - do d_instantiate/unlock_new_inode combinations safely - mmc: sdhci-iproc: remove hard coded mmc cap 1.8v - mmc: sdhci-iproc: fix 32bit writes for TRANSFER_MODE register - mmc: sdhci-iproc: add SDHCI_QUIRK2_HOST_OFF_CARD_ON for cygnus - libata: Blacklist some Sandisk SSDs for NCQ - libata: blacklist Micron 500IT SSD with MU01 firmware - xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent - drm/vmwgfx: Fix 32-bit VMW_PORT_HB_[IN|OUT] macros - arm64: lse: Add early clobbers to some input/output asm operands - powerpc/64s: Clear PCR on boot - IB/hfi1: Use after free race condition in send context error path - IB/umem: Use the correct mm during ib_umem_release - idr: fix invalid ptr dereference on item delete - Revert "ipc/shm: Fix shmat mmap nil-page protection" - ipc/shm: fix shmat() nil address after round-down when remapping - mm/kasan: don't vfree() nonexistent vm_area - kasan: free allocated shadow memory on MEM_CANCEL_ONLINE - kasan: fix memory hotplug during boot - kernel/sys.c: fix potential Spectre v1 issue - KVM: s390: vsie: fix < 8k check for the itdba - KVM: x86: Update cpuid properly when CR4.OSXAVE or CR4.PKE is changed - kvm: x86: IA32_ARCH_CAPABILITIES is always supported - powerpc/64s: Improve RFI L1-D cache flush fallback - powerpc/pseries: Restore default security feature flags on setup - powerpc/64s: Fix section mismatch warnings from setup_rfi_flush() - MIPS: generic: Fix machine compatible matching - mac80211: mesh: fix wrong mesh TTL offset calculation - ARC: Fix malformed ARC_EMUL_UNALIGNED default - ptr_ring: prevent integer overflow when calculating size - arm64: dts: rockchip: fix rock64 gmac2io stability issues - arm64: dts: rockchip: correct ep-gpios for rk3399-sapphire - libata: Fix compile warning with ATA_DEBUG enabled - selftests: sync: missing CFLAGS while compiling - selftest/vDSO: fix O= - selftests: pstore: Adding config fragment CONFIG_PSTORE_RAM=m - selftests: memfd: add config fragment for fuse - ARM: OMAP2+: timer: fix a kmemleak caused in omap_get_timer_dt - ARM: OMAP3: Fix prm wake interrupt for resume - ARM: OMAP2+: Fix sar_base inititalization for HS omaps - ARM: OMAP1: clock: Fix debugfs_create_*() usage - tls: retrun the correct IV in getsockopt - xhci: workaround for AMD Promontory disabled ports wakeup - IB/uverbs: Fix method merging in uverbs_ioctl_merge - IB/uverbs: Fix possible oops with duplicate ioctl attributes - IB/uverbs: Fix unbalanced unlock on error path for rdma_explicit_destroy - arm64: dts: rockchip: Fix DWMMC clocks - ARM: dts: rockchip: Fix DWMMC clocks - iwlwifi: mvm: fix security bug in PN checking - iwlwifi: mvm: fix IBSS for devices that support station type API - iwlwifi: mvm: always init rs with 20mhz bandwidth rates - NFC: llcp: Limit size of SDP URI - rxrpc: Work around usercopy check - MD: Free bioset when md_run fails - md: fix md_write_start() deadlock w/o metadata devices - s390/dasd: fix handling of internal requests - xfrm: do not call rcu_read_unlock when afinfo is NULL in xfrm_get_tos - mac80211: round IEEE80211_TX_STATUS_HEADROOM up to multiple of 4 - mac80211: fix a possible leak of station stats - mac80211: fix calling sleeping function in atomic context - cfg80211: clear wep keys after disconnection - mac80211: Do not disconnect on invalid operating class - mac80211: Fix sending ADDBA response for an ongoing session - gpu: ipu-v3: pre: fix device node leak in ipu_pre_lookup_by_phandle - gpu: ipu-v3: prg: fix device node leak in ipu_prg_lookup_by_phandle - md raid10: fix NULL deference in handle_write_completed() - drm/exynos: g2d: use monotonic timestamps - drm/exynos: fix comparison to bitshift when dealing with a mask - drm/meson: fix vsync buffer update - arm64: perf: correct PMUVer probing - RDMA/bnxt_re: Unpin SQ and RQ memory if QP create fails - RDMA/bnxt_re: Fix system crash during load/unload - net/mlx5e: Return error if prio is specified when offloading eswitch vlan push - locking/xchg/al
[Kernel-packages] [Bug 1776277] Re: fscache cookie refcount updated incorrectly during fscache object allocation
I have confirmation that the kernel in -proposed fixes the issue in xenial. ** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1776277 Title: fscache cookie refcount updated incorrectly during fscache object allocation Status in linux package in Ubuntu: Fix Released Status in linux source package in Trusty: Fix Committed Status in linux source package in Xenial: Fix Committed Status in linux source package in Bionic: Fix Committed Bug description: == SRU Justification == [Impact] Oops during heavy NFS + FSCache + Cachefiles use: kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/internal.h:321! kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/cookie.c:639! [Cause] 1)Two threads are trying to do operate on a cookie and two objects. 2a)One thread tries to unmount the filesystem and in process goes over a huge list of objects marking them dead and deleting the objects. cookie->usage is also decremented in following path nfs_fscache_release_super_cookie -> __fscache_relinquish_cookie ->__fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); 2b)second thread tries to lookup an object for reading data in following path fscache_alloc_object 1) cachefiles_alloc_object -> fscache_object_init -> assign cookie, but usage not bumped. 2) fscache_attach_object -> fails in cant_attach_object because the cookie's backing object or cookie's->parent object are going away 3)fscache_put_object -> cachefiles_put_object ->fscache_object_destroy ->fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); [Fix] Bump up the cookie usage in fscache_object_init, when it is first being assigned a cookie atomically such that the cookie is added and bumped up if its refcount is not zero. remove the assignment in the attach_object. [Testcase] A user has run ~100 hours of NFS stress tests and not seen this bug recur. [Regression Potential] - Limited to fscache/cachefiles. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1776277/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1776277] Re: fscache cookie refcount updated incorrectly during fscache object allocation
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed- xenial'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-xenial -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1776277 Title: fscache cookie refcount updated incorrectly during fscache object allocation Status in linux package in Ubuntu: Fix Released Status in linux source package in Trusty: Fix Committed Status in linux source package in Xenial: Fix Committed Status in linux source package in Bionic: Fix Committed Bug description: == SRU Justification == [Impact] Oops during heavy NFS + FSCache + Cachefiles use: kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/internal.h:321! kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/cookie.c:639! [Cause] 1)Two threads are trying to do operate on a cookie and two objects. 2a)One thread tries to unmount the filesystem and in process goes over a huge list of objects marking them dead and deleting the objects. cookie->usage is also decremented in following path nfs_fscache_release_super_cookie -> __fscache_relinquish_cookie ->__fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); 2b)second thread tries to lookup an object for reading data in following path fscache_alloc_object 1) cachefiles_alloc_object -> fscache_object_init -> assign cookie, but usage not bumped. 2) fscache_attach_object -> fails in cant_attach_object because the cookie's backing object or cookie's->parent object are going away 3)fscache_put_object -> cachefiles_put_object ->fscache_object_destroy ->fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); [Fix] Bump up the cookie usage in fscache_object_init, when it is first being assigned a cookie atomically such that the cookie is added and bumped up if its refcount is not zero. remove the assignment in the attach_object. [Testcase] A user has run ~100 hours of NFS stress tests and not seen this bug recur. [Regression Potential] - Limited to fscache/cachefiles. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1776277/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1776277] Re: fscache cookie refcount updated incorrectly during fscache object allocation
This bug was fixed in the package linux - 4.17.0-9.10 --- linux (4.17.0-9.10) cosmic; urgency=medium * linux: 4.17.0-9.10 -proposed tracker (LP: #1787988) * Cosmic update to 4.17.17 stable release (LP: #1787973) - x86/speculation/l1tf: Exempt zeroed PTEs from inversion - Linux 4.17.17 * Cosmic update to 4.17.16 stable release (LP: #1787972) - x86/l1tf: Fix build error seen if CONFIG_KVM_INTEL is disabled - x86: i8259: Add missing include file - x86/platform/UV: Mark memblock related init code and data correctly - x86/mm/pti: Clear Global bit more aggressively - xen/pv: Call get_cpu_address_sizes to set x86_virt/phys_bits - x86/mm: Disable ioremap free page handling on x86-PAE - kbuild: verify that $DEPMOD is installed - crypto: ccree - fix finup - crypto: ccree - fix iv handling - crypto: ccp - Check for NULL PSP pointer at module unload - crypto: ccp - Fix command completion detection race - crypto: x86/sha256-mb - fix digest copy in sha256_mb_mgr_get_comp_job_avx2() - crypto: vmac - require a block cipher with 128-bit block size - crypto: vmac - separate tfm and request context - crypto: blkcipher - fix crash flushing dcache in error path - crypto: ablkcipher - fix crash flushing dcache in error path - crypto: skcipher - fix aligning block size in skcipher_copy_iv() - crypto: skcipher - fix crash flushing dcache in error path - ioremap: Update pgtable free interfaces with addr - x86/mm: Add TLB purge to free pmd/pte page interfaces - Linux 4.17.16 * Cosmic update to 4.17.16 stable release (LP: #1787972) // CVE-2018-9363 - Bluetooth: hidp: buffer overflow in hidp_process_report * linux-cloud-tools-common: Ensure hv-kvp-daemon.service starts before walinuxagent.service (LP: #1739107) - [Debian] hyper-v -- Ensure that hv-kvp-daemon.service starts before walinuxagent.service * Miscellaneous Ubuntu changes - [Packaging] retpoline -- fix temporary filenaming linux (4.17.0-8.9) cosmic; urgency=medium * linux: 4.17.0-8.9 -proposed tracker (LP: #1787259) * Cosmic update to v4.17.15 stable release (LP: #1787257) - parisc: Enable CONFIG_MLONGCALLS by default - parisc: Define mb() and add memory barriers to assembler unlock sequences - Mark HI and TASKLET softirq synchronous - stop_machine: Disable preemption after queueing stopper threads - sched/deadline: Update rq_clock of later_rq when pushing a task - zram: remove BD_CAP_SYNCHRONOUS_IO with writeback feature - xen/netfront: don't cache skb_shinfo() - bpf, sockmap: fix leak in bpf_tcp_sendmsg wait for mem path - bpf, sockmap: fix bpf_tcp_sendmsg sock error handling - scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled - scsi: qla2xxx: Fix memory leak for allocating abort IOCB - init: rename and re-order boot_cpu_state_init() - root dentries need RCU-delayed freeing - make sure that __dentry_kill() always invalidates d_seq, unhashed or not - fix mntput/mntput race - fix __legitimize_mnt()/mntput() race - ARM: dts: imx6sx: fix irq for pcie bridge - x86/paravirt: Fix spectre-v2 mitigations for paravirt guests - x86/speculation: Protect against userspace-userspace spectreRSB - kprobes/x86: Fix %p uses in error messages - x86/irqflags: Provide a declaration for native_save_fl - x86/speculation/l1tf: Increase 32bit PAE __PHYSICAL_PAGE_SHIFT - x86/speculation/l1tf: Change order of offset/type in swap entry - x86/speculation/l1tf: Protect swap entries against L1TF - x86/speculation/l1tf: Protect PROT_NONE PTEs against speculation - x86/speculation/l1tf: Make sure the first page is always reserved - x86/speculation/l1tf: Add sysfs reporting for l1tf - x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings - x86/speculation/l1tf: Limit swap file size to MAX_PA/2 - x86/bugs: Move the l1tf function and define pr_fmt properly - sched/smt: Update sched_smt_present at runtime - x86/smp: Provide topology_is_primary_thread() - x86/topology: Provide topology_smt_supported() - cpu/hotplug: Make bringup/teardown of smp threads symmetric - cpu/hotplug: Split do_cpu_down() - cpu/hotplug: Provide knobs to control SMT - x86/cpu: Remove the pointless CPU printout - x86/cpu/AMD: Remove the pointless detect_ht() call - x86/cpu/common: Provide detect_ht_early() - x86/cpu/topology: Provide detect_extended_topology_early() - x86/cpu/intel: Evaluate smp_num_siblings early - x86/CPU/AMD: Do not check CPUID max ext level before parsing SMP info - x86/cpu/AMD: Evaluate smp_num_siblings early - x86/apic: Ignore secondary threads if nosmt=force - x86/speculation/l1tf: Extend 64bit swap file size limit - x86/cpufeatures: Add detection of L1D cache flush support. - x86/CPU/AMD: Move TOPOEXT reenablement before
[Kernel-packages] [Bug 1776277] Re: fscache cookie refcount updated incorrectly during fscache object allocation
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed- bionic'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-bionic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1776277 Title: fscache cookie refcount updated incorrectly during fscache object allocation Status in linux package in Ubuntu: Triaged Status in linux source package in Trusty: Fix Committed Status in linux source package in Xenial: Fix Committed Status in linux source package in Bionic: Fix Committed Bug description: == SRU Justification == [Impact] Oops during heavy NFS + FSCache + Cachefiles use: kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/internal.h:321! kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/cookie.c:639! [Cause] 1)Two threads are trying to do operate on a cookie and two objects. 2a)One thread tries to unmount the filesystem and in process goes over a huge list of objects marking them dead and deleting the objects. cookie->usage is also decremented in following path nfs_fscache_release_super_cookie -> __fscache_relinquish_cookie ->__fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); 2b)second thread tries to lookup an object for reading data in following path fscache_alloc_object 1) cachefiles_alloc_object -> fscache_object_init -> assign cookie, but usage not bumped. 2) fscache_attach_object -> fails in cant_attach_object because the cookie's backing object or cookie's->parent object are going away 3)fscache_put_object -> cachefiles_put_object ->fscache_object_destroy ->fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); [Fix] Bump up the cookie usage in fscache_object_init, when it is first being assigned a cookie atomically such that the cookie is added and bumped up if its refcount is not zero. remove the assignment in the attach_object. [Testcase] A user has run ~100 hours of NFS stress tests and not seen this bug recur. [Regression Potential] - Limited to fscache/cachefiles. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1776277/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1776277] Re: fscache cookie refcount updated incorrectly during fscache object allocation
** Changed in: linux (Ubuntu Bionic) Status: New => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1776277 Title: fscache cookie refcount updated incorrectly during fscache object allocation Status in linux package in Ubuntu: Triaged Status in linux source package in Trusty: Fix Committed Status in linux source package in Xenial: Fix Committed Status in linux source package in Bionic: Fix Committed Bug description: == SRU Justification == [Impact] Oops during heavy NFS + FSCache + Cachefiles use: kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/internal.h:321! kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/cookie.c:639! [Cause] 1)Two threads are trying to do operate on a cookie and two objects. 2a)One thread tries to unmount the filesystem and in process goes over a huge list of objects marking them dead and deleting the objects. cookie->usage is also decremented in following path nfs_fscache_release_super_cookie -> __fscache_relinquish_cookie ->__fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); 2b)second thread tries to lookup an object for reading data in following path fscache_alloc_object 1) cachefiles_alloc_object -> fscache_object_init -> assign cookie, but usage not bumped. 2) fscache_attach_object -> fails in cant_attach_object because the cookie's backing object or cookie's->parent object are going away 3)fscache_put_object -> cachefiles_put_object ->fscache_object_destroy ->fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); [Fix] Bump up the cookie usage in fscache_object_init, when it is first being assigned a cookie atomically such that the cookie is added and bumped up if its refcount is not zero. remove the assignment in the attach_object. [Testcase] A user has run ~100 hours of NFS stress tests and not seen this bug recur. [Regression Potential] - Limited to fscache/cachefiles. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1776277/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1776277] Re: fscache cookie refcount updated incorrectly during fscache object allocation
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- trusty' to 'verification-done-trusty'. If the problem still exists, change the tag 'verification-needed-trusty' to 'verification-failed- trusty'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-trusty -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1776277 Title: fscache cookie refcount updated incorrectly during fscache object allocation Status in linux package in Ubuntu: Triaged Status in linux source package in Trusty: Fix Committed Status in linux source package in Xenial: Fix Committed Status in linux source package in Bionic: New Bug description: == SRU Justification == [Impact] Oops during heavy NFS + FSCache + Cachefiles use: kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/internal.h:321! kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/cookie.c:639! [Cause] 1)Two threads are trying to do operate on a cookie and two objects. 2a)One thread tries to unmount the filesystem and in process goes over a huge list of objects marking them dead and deleting the objects. cookie->usage is also decremented in following path nfs_fscache_release_super_cookie -> __fscache_relinquish_cookie ->__fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); 2b)second thread tries to lookup an object for reading data in following path fscache_alloc_object 1) cachefiles_alloc_object -> fscache_object_init -> assign cookie, but usage not bumped. 2) fscache_attach_object -> fails in cant_attach_object because the cookie's backing object or cookie's->parent object are going away 3)fscache_put_object -> cachefiles_put_object ->fscache_object_destroy ->fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); [Fix] Bump up the cookie usage in fscache_object_init, when it is first being assigned a cookie atomically such that the cookie is added and bumped up if its refcount is not zero. remove the assignment in the attach_object. [Testcase] A user has run ~100 hours of NFS stress tests and not seen this bug recur. [Regression Potential] - Limited to fscache/cachefiles. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1776277/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1776277] Re: fscache cookie refcount updated incorrectly during fscache object allocation
** Changed in: linux (Ubuntu Xenial) Status: New => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1776277 Title: fscache cookie refcount updated incorrectly during fscache object allocation Status in linux package in Ubuntu: Triaged Status in linux source package in Trusty: Fix Committed Status in linux source package in Xenial: Fix Committed Status in linux source package in Bionic: New Bug description: == SRU Justification == [Impact] Oops during heavy NFS + FSCache + Cachefiles use: kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/internal.h:321! kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/cookie.c:639! [Cause] 1)Two threads are trying to do operate on a cookie and two objects. 2a)One thread tries to unmount the filesystem and in process goes over a huge list of objects marking them dead and deleting the objects. cookie->usage is also decremented in following path nfs_fscache_release_super_cookie -> __fscache_relinquish_cookie ->__fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); 2b)second thread tries to lookup an object for reading data in following path fscache_alloc_object 1) cachefiles_alloc_object -> fscache_object_init -> assign cookie, but usage not bumped. 2) fscache_attach_object -> fails in cant_attach_object because the cookie's backing object or cookie's->parent object are going away 3)fscache_put_object -> cachefiles_put_object ->fscache_object_destroy ->fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); [Fix] Bump up the cookie usage in fscache_object_init, when it is first being assigned a cookie atomically such that the cookie is added and bumped up if its refcount is not zero. remove the assignment in the attach_object. [Testcase] A user has run ~100 hours of NFS stress tests and not seen this bug recur. [Regression Potential] - Limited to fscache/cachefiles. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1776277/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1776277] Re: fscache cookie refcount updated incorrectly during fscache object allocation
** Also affects: linux (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Trusty) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Trusty) Status: New => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1776277 Title: fscache cookie refcount updated incorrectly during fscache object allocation Status in linux package in Ubuntu: Triaged Status in linux source package in Trusty: Fix Committed Status in linux source package in Xenial: New Status in linux source package in Bionic: New Bug description: == SRU Justification == [Impact] Oops during heavy NFS + FSCache + Cachefiles use: kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/internal.h:321! kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/cookie.c:639! [Cause] 1)Two threads are trying to do operate on a cookie and two objects. 2a)One thread tries to unmount the filesystem and in process goes over a huge list of objects marking them dead and deleting the objects. cookie->usage is also decremented in following path nfs_fscache_release_super_cookie -> __fscache_relinquish_cookie ->__fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); 2b)second thread tries to lookup an object for reading data in following path fscache_alloc_object 1) cachefiles_alloc_object -> fscache_object_init -> assign cookie, but usage not bumped. 2) fscache_attach_object -> fails in cant_attach_object because the cookie's backing object or cookie's->parent object are going away 3)fscache_put_object -> cachefiles_put_object ->fscache_object_destroy ->fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); [Fix] Bump up the cookie usage in fscache_object_init, when it is first being assigned a cookie atomically such that the cookie is added and bumped up if its refcount is not zero. remove the assignment in the attach_object. [Testcase] A user has run ~100 hours of NFS stress tests and not seen this bug recur. [Regression Potential] - Limited to fscache/cachefiles. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1776277/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1776277] Re: fscache cookie refcount updated incorrectly during fscache object allocation
** Changed in: linux (Ubuntu) Importance: Undecided => Medium ** Changed in: linux (Ubuntu) Status: Incomplete => Triaged -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1776277 Title: fscache cookie refcount updated incorrectly during fscache object allocation Status in linux package in Ubuntu: Triaged Bug description: == SRU Justification == [Impact] Oops during heavy NFS + FSCache + Cachefiles use: kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/internal.h:321! kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/cookie.c:639! [Cause] 1)Two threads are trying to do operate on a cookie and two objects. 2a)One thread tries to unmount the filesystem and in process goes over a huge list of objects marking them dead and deleting the objects. cookie->usage is also decremented in following path nfs_fscache_release_super_cookie -> __fscache_relinquish_cookie ->__fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); 2b)second thread tries to lookup an object for reading data in following path fscache_alloc_object 1) cachefiles_alloc_object -> fscache_object_init -> assign cookie, but usage not bumped. 2) fscache_attach_object -> fails in cant_attach_object because the cookie's backing object or cookie's->parent object are going away 3)fscache_put_object -> cachefiles_put_object ->fscache_object_destroy ->fscache_cookie_put ->BUG_ON(atomic_read(&cookie->usage) <= 0); [Fix] Bump up the cookie usage in fscache_object_init, when it is first being assigned a cookie atomically such that the cookie is added and bumped up if its refcount is not zero. remove the assignment in the attach_object. [Testcase] A user has run ~100 hours of NFS stress tests and not seen this bug recur. [Regression Potential] - Limited to fscache/cachefiles. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1776277/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp