patches/0091-slab-Fix-__do_drain-to-use-the-right-array-cache.patch - pub/scm/linux/kernel/git/paulg/3.4-rt-patches - Git at Google

 From 37437287d44ea18622563f9ad9cf9b6b8a2fca27 Mon Sep 17 00:00:00 2001
 From: Steven Rostedt <rostedt@goodmis.org>
 Date: Tue, 11 Oct 2011 23:56:23 -0400
 Subject: [PATCH 091/262] slab: Fix __do_drain to use the right array cache

 The array cache in __do_drain() was using the cpu_cache_get() function
 which uses smp_processor_id() to get the proper array. On mainline, this
 is fine as __do_drain() is called by for_each_cpu() which runs
 __do_drain() on the CPU it is processing. In RT locks are used instead
 and __do_drain() is only called from a single CPU. This can cause the
 accounting to be off and trigger the following bug:

 slab error in kmem_cache_destroy(): cache `nfs_write_data': Can't free all objects
 Pid: 2905, comm: rmmod Not tainted 3.0.6-test-rt17+ #78
 Call Trace:
  [<ffffffff810fb623>] kmem_cache_destroy+0xa0/0xdf
  [<ffffffffa03aaffb>] nfs_destroy_writepagecache+0x49/0x4e [nfs]
  [<ffffffffa03c0fe0>] exit_nfs_fs+0xe/0x46 [nfs]
  [<ffffffff8107af09>] sys_delete_module+0x1ba/0x22c
  [<ffffffff8109429d>] ? audit_syscall_entry+0x11c/0x148
  [<ffffffff814b6442>] system_call_fastpath+0x16/0x1b

 This can be easily triggered by a simple while loop:

 # while :; do modprobe nfs; rmmod nfs; done

 The proper function to use is cpu_cache_get_on_cpu(). It works for both
 RT and non-RT as the non-RT passes in smp_processor_id() into
 __do_drain().

 Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
 Cc: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
 Cc: Clark Williams <clark@redhat.com>
 Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
 Link: http://lkml.kernel.org/r/1318391783.13262.11.camel@gandalf.stny.rr.com
 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
 ---
  mm/slab.c |    2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/mm/slab.c b/mm/slab.c
 index dc84364..341748b 100644
 --- a/mm/slab.c
 +++ b/mm/slab.c
 @@ -2638,7 +2638,7 @@ static void __do_drain(void *arg, unsigned int cpu)
  	struct array_cache *ac;
  	int node = cpu_to_mem(cpu);

 -	ac = cpu_cache_get(cachep);
 +	ac = cpu_cache_get_on_cpu(cachep, cpu);
  	spin_lock(&cachep->nodelists[node]->list_lock);
  	free_block(cachep, ac->entry, ac->avail, node);
  	spin_unlock(&cachep->nodelists[node]->list_lock);
 --
 1.7.10.4
	From 37437287d44ea18622563f9ad9cf9b6b8a2fca27 Mon Sep 17 00:00:00 2001
	From: Steven Rostedt <rostedt@goodmis.org>
	Date: Tue, 11 Oct 2011 23:56:23 -0400
	Subject: [PATCH 091/262] slab: Fix __do_drain to use the right array cache

	The array cache in __do_drain() was using the cpu_cache_get() function
	which uses smp_processor_id() to get the proper array. On mainline, this
	is fine as __do_drain() is called by for_each_cpu() which runs
	__do_drain() on the CPU it is processing. In RT locks are used instead
	and __do_drain() is only called from a single CPU. This can cause the
	accounting to be off and trigger the following bug:

	slab error in kmem_cache_destroy(): cache `nfs_write_data': Can't free all objects
	Pid: 2905, comm: rmmod Not tainted 3.0.6-test-rt17+ #78
	Call Trace:
	[<ffffffff810fb623>] kmem_cache_destroy+0xa0/0xdf
	[<ffffffffa03aaffb>] nfs_destroy_writepagecache+0x49/0x4e [nfs]
	[<ffffffffa03c0fe0>] exit_nfs_fs+0xe/0x46 [nfs]
	[<ffffffff8107af09>] sys_delete_module+0x1ba/0x22c
	[<ffffffff8109429d>] ? audit_syscall_entry+0x11c/0x148
	[<ffffffff814b6442>] system_call_fastpath+0x16/0x1b

	This can be easily triggered by a simple while loop:

	# while :; do modprobe nfs; rmmod nfs; done

	The proper function to use is cpu_cache_get_on_cpu(). It works for both
	RT and non-RT as the non-RT passes in smp_processor_id() into
	__do_drain().

	Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
	Cc: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
	Cc: Clark Williams <clark@redhat.com>
	Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
	Link: http://lkml.kernel.org/r/1318391783.13262.11.camel@gandalf.stny.rr.com
	Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
	---
	mm/slab.c \| 2 +-
	1 file changed, 1 insertion(+), 1 deletion(-)

	diff --git a/mm/slab.c b/mm/slab.c
	index dc84364..341748b 100644
	--- a/mm/slab.c
	+++ b/mm/slab.c
	@@ -2638,7 +2638,7 @@ static void __do_drain(void *arg, unsigned int cpu)
	struct array_cache *ac;
	int node = cpu_to_mem(cpu);

	- ac = cpu_cache_get(cachep);
	+ ac = cpu_cache_get_on_cpu(cachep, cpu);
	spin_lock(&cachep->nodelists[node]->list_lock);
	free_block(cachep, ac->entry, ac->avail, node);
	spin_unlock(&cachep->nodelists[node]->list_lock);
	--
	1.7.10.4