Hi Punit
On 19/10/18 16:18, Punit Agrawal wrote:
Hi Cristian,
[...]
The stacktrace suggests it's the same issue that I'd reported earlier -
https://lkml.org/lkml/2018/6/29/209
though without the analysis below.
[...]
diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c
index bb5476a6d264..171813f9a291 100644
--- a/fs/nfs/pagelist.c
+++ b/fs/nfs/pagelist.c
@@ -432,6 +432,15 @@ void nfs_free_request(struct nfs_page *req)
void nfs_release_request(struct nfs_page *req)
{
+ /* WORKAROUND */
+ if ((kref_read(&req->wb_kref) == 1) &&
+ (req->wb_list.prev != &req->wb_list ||
+ req->wb_list.next != &req->wb_list)) {
Are the last two conditions just checking that wb_list is not empty?
yes ... I basically check if the nfs_page element is still linked
somewhere just before putting the kref to zero (which will result in a
final nfs_page_free() on an nfs_page which is instead still used).
I checked both here instead of using list_empty() because list_empty
just check next pointer (READ_ONCE(head->next) == head;) and I was
overly paranoid while investigating this initially since I didn't know
really if it was some race on the list handling itself...
Since nfs_list_remove_request() wrapper func issue a list_del_init(),
once the item is unlinked wb_list list_head should point to itself...if
it is not ... it still could be accessed after being freed...and it
happens in fact...while does NOT happen in all the cases in which the
refcount is properly accounted...(I have a ton of Ftracing :D)
Thanks
Cristian
