This bug was fixed in the package linux - 3.13.0-158.208

---------------
linux (3.13.0-158.208) trusty; urgency=medium

  * linux: 3.13.0-158.208 -proposed tracker (LP: #1788764)

  * CVE-2018-3620 // CVE-2018-3646
    - SAUCE: x86/fremap: Invert the offset when converting to/from a PTE

  * BUG: scheduling while atomic (Kernel : Ubuntu-3.13 + VMware: 6.0 and late) (LP: #1780470)
    - VSOCK: sock_put wasn't safe to call in interrupt context
    - VSOCK: Fix lockdep issue.
    - VSOCK: Detach QP check should filter out non matching QPs.

  * CacheFiles: Error: Overlong wait for old active object to go away. (LP: #1776254)
    - cachefiles: Fix missing clear of the CACHEFILES_OBJECT_ACTIVE flag
    - cachefiles: Wait rather than BUG'ing on "Unexpected object collision"

  * fscache cookie refcount updated incorrectly during fscache object allocation (LP: #1776277)
    - fscache: Fix reference overput in fscache_attach_object() error handling

  * FS-Cache: Assertion failed: FS-Cache: 6 == 5 is false (LP: #1774336)
    - Revert "UBUNTU: SAUCE: CacheFiles: fix a read_waiter/read_copier race"
    - fscache: Allow cancelled operations to be enqueued
    - cachefiles: Fix refcounting bug in backing-file read monitoring

 -- Kleber Sacilotto de Souza <kleber.so...@canonical.com>  Fri, 24 Aug 2018 15:08:23 +0000

** Changed in: linux (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1776277

Title:
  fscache cookie refcount updated incorrectly during fscache object allocation

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released

Bug description:
  == SRU Justification ==

  [Impact]
  Oops during heavy NFS + FSCache + Cachefiles use:

  kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/internal.h:321!
  kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/cookie.c:639!
  [Cause]
  1) Two threads are trying to operate on a cookie and two objects.

  2a) One thread tries to unmount the filesystem and in the process goes over a huge list of objects, marking them dead and deleting the objects. cookie->usage is also decremented in the following path:
      nfs_fscache_release_super_cookie
        -> __fscache_relinquish_cookie
          -> __fscache_cookie_put
            -> BUG_ON(atomic_read(&cookie->usage) <= 0);

  2b) The second thread tries to look up an object for reading data in the following path:
      fscache_alloc_object
        1) cachefiles_alloc_object -> fscache_object_init -> assign cookie, but usage not bumped.
        2) fscache_attach_object -> fails in cant_attach_object because the cookie's backing object or the cookie's parent object are going away.
        3) fscache_put_object -> cachefiles_put_object -> fscache_object_destroy -> fscache_cookie_put -> BUG_ON(atomic_read(&cookie->usage) <= 0);

  [Fix]
  Bump up the cookie usage in fscache_object_init, when it is first being assigned a cookie, atomically such that the cookie is added and bumped up only if its refcount is not zero. Remove the assignment in attach_object.

  [Testcase]
  A user has run ~100 hours of NFS stress tests and not seen this bug recur.

  [Regression Potential]
  Limited to fscache/cachefiles.
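The refcount race in the bug description, modelled as an added C example. This is not the kernel's fscache or cachefiles code: the structs, the function names (cookie_get_not_zero, object_init, object_attach, object_put, run_race) and the two-thread interleaving are a hypothetical toy reconstruction of the paths the report lists. The buggy variant assigns the cookie pointer at init without taking a reference and only takes one when attach succeeds, so the error path's put drops a reference that was never held; the fixed variant takes the reference at init with an inc-not-zero primitive (the kernel's atomic_inc_not_zero pattern) and refuses a cookie whose count has already reached zero.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of the fscache cookie/object ownership rules from the bug report.
 * Assumption: these are not the kernel's structs; only the refcount rules matter. */
struct cookie {
    atomic_int usage;   /* references held on the cookie */
    bool dying;         /* set by the unmount walk; attach must then fail */
};

struct object {
    struct cookie *cookie;
    atomic_int refs;
};

/* Take a reference only if at least one still exists (kernel atomic_inc_not_zero). */
static bool cookie_get_not_zero(struct cookie *c)
{
    int old = atomic_load(&c->usage);
    while (old != 0)
        if (atomic_compare_exchange_weak(&c->usage, &old, old + 1))
            return true;
    return false;
}

/* Drop a reference. Returns the new count, or -1 where the real put path
 * would hit BUG_ON(atomic_read(&cookie->usage) <= 0). */
static int cookie_put(struct cookie *c)
{
    if (atomic_load(&c->usage) <= 0)
        return -1;
    return atomic_fetch_sub(&c->usage, 1) - 1;
}

/* Models fscache_object_init(): the object is given its cookie here.
 * bug: pointer assigned with no reference taken;
 * fixed: reference taken up front, and init fails on a dead cookie. */
static bool object_init(struct object *o, struct cookie *c, bool fixed)
{
    o->cookie = NULL;
    atomic_init(&o->refs, 1);
    if (fixed && !cookie_get_not_zero(c))
        return false;
    o->cookie = c;
    return true;
}

/* Models fscache_attach_object(): refuses a cookie whose parent or backing
 * object is going away (the cant_attach_object path). In the buggy code the
 * cookie reference was only taken on the success path. */
static bool object_attach(struct object *o, bool fixed)
{
    if (o->cookie->dying)
        return false;
    if (!fixed)
        atomic_fetch_add(&o->cookie->usage, 1);
    return true;
}

/* Models fscache_put_object() -> destroy -> fscache_cookie_put(): dropping the
 * last object reference also drops the cookie reference the object is assumed to hold. */
static int object_put(struct object *o)
{
    if (atomic_fetch_sub(&o->refs, 1) - 1 != 0)
        return 0;
    return o->cookie ? cookie_put(o->cookie) : 0;
}

/* One interleaving of the two threads from the report: an unmount relinquishing
 * the superblock's cookie reference while a lookup allocates an object on that
 * cookie. Returns the final cookie usage, or -1 if the lookup's put would BUG. */
static int run_race(bool fixed, bool unmount_drops_first)
{
    struct cookie c;
    struct object o;
    atomic_init(&c.usage, 1);       /* the superblock's reference */
    c.dying = true;                 /* already marked dead by the unmount walk */

    if (unmount_drops_first)
        cookie_put(&c);             /* __fscache_relinquish_cookie */
    if (!object_init(&o, &c, fixed))
        return atomic_load(&c.usage);   /* fixed init refuses the dead cookie */
    if (!unmount_drops_first)
        cookie_put(&c);
    if (!object_attach(&o, fixed))
        return object_put(&o);      /* error path: tear down the half-built object */
    return atomic_load(&c.usage);
}

int main(void)
{
    printf("buggy, unmount drops first: %d\n", run_race(false, true));
    printf("buggy, lookup inits first:  %d\n", run_race(false, false));
    printf("fixed, unmount drops first: %d\n", run_race(true, true));
    printf("fixed, lookup inits first:  %d\n", run_race(true, false));
    return 0;
}
```

Both buggy interleavings end with a put on a cookie whose count is already zero (the -1 result, i.e. the BUG_ON in the report); with the reference taken at init, the lookup either sees the count reach zero cleanly or is refused before it ever holds the pointer.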