6d43e485e0
commit 2aa6ba7b5ad3189cc27f14540aa2f57f0ed8df4b upstream. If we try to allocate memory pages to back an xfs_buf that we're trying to read, it's possible that we'll be so short on memory that the page allocation fails. For a blocking read we'll just wait, but for readahead we simply dump all the pages we've collected so far. Unfortunately, after dumping the pages we neglect to clear the _XBF_PAGES state, which means that the subsequent call to xfs_buf_free thinks that b_pages still points to pages we own. It then double-frees the b_pages pages. This results in screaming about negative page refcounts from the memory manager, which xfs oughtn't be triggering. To reproduce this case, mount a filesystem where the size of the inodes far outweighs the availalble memory (a ~500M inode filesystem on a VM with 300MB memory did the trick here) and run bulkstat in parallel with other memory eating processes to put a huge load on the system. The "check summary" phase of xfs_scrub also works for this purpose. Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> Reviewed-by: Eric Sandeen <sandeen@redhat.com> Cc: Ivan Kozik <ivan@ludios.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|---|---|---|
| .. | ||
| libxfs | ||
| Kconfig | ||
| kmem.c | ||
| kmem.h | ||
| Makefile | ||
| mrlock.h | ||
| uuid.c | ||
| uuid.h | ||
| xfs.h | ||
| xfs_acl.c | ||
| xfs_acl.h | ||
| xfs_aops.c | ||
| xfs_aops.h | ||
| xfs_attr.h | ||
| xfs_attr_inactive.c | ||
| xfs_attr_list.c | ||
| xfs_bmap_util.c | ||
| xfs_bmap_util.h | ||
| xfs_buf.c | ||
| xfs_buf.h | ||
| xfs_buf_item.c | ||
| xfs_buf_item.h | ||
| xfs_dir2_readdir.c | ||
| xfs_discard.c | ||
| xfs_discard.h | ||
| xfs_dquot.c | ||
| xfs_dquot.h | ||
| xfs_dquot_item.c | ||
| xfs_dquot_item.h | ||
| xfs_error.c | ||
| xfs_error.h | ||
| xfs_export.c | ||
| xfs_export.h | ||
| xfs_extent_busy.c | ||
| xfs_extent_busy.h | ||
| xfs_extfree_item.c | ||
| xfs_extfree_item.h | ||
| xfs_file.c | ||
| xfs_filestream.c | ||
| xfs_filestream.h | ||
| xfs_fsops.c | ||
| xfs_fsops.h | ||
| xfs_globals.c | ||
| xfs_icache.c | ||
| xfs_icache.h | ||
| xfs_icreate_item.c | ||
| xfs_icreate_item.h | ||
| xfs_inode.c | ||
| xfs_inode.h | ||
| xfs_inode_item.c | ||
| xfs_inode_item.h | ||
| xfs_ioctl.c | ||
| xfs_ioctl.h | ||
| xfs_ioctl32.c | ||
| xfs_ioctl32.h | ||
| xfs_iomap.c | ||
| xfs_iomap.h | ||
| xfs_iops.c | ||
| xfs_iops.h | ||
| xfs_itable.c | ||
| xfs_itable.h | ||
| xfs_linux.h | ||
| xfs_log.c | ||
| xfs_log.h | ||
| xfs_log_cil.c | ||
| xfs_log_priv.h | ||
| xfs_log_recover.c | ||
| xfs_message.c | ||
| xfs_message.h | ||
| xfs_mount.c | ||
| xfs_mount.h | ||
| xfs_mru_cache.c | ||
| xfs_mru_cache.h | ||
| xfs_pnfs.c | ||
| xfs_pnfs.h | ||
| xfs_qm.c | ||
| xfs_qm.h | ||
| xfs_qm_bhv.c | ||
| xfs_qm_syscalls.c | ||
| xfs_quota.h | ||
| xfs_quotaops.c | ||
| xfs_rtalloc.c | ||
| xfs_rtalloc.h | ||
| xfs_stats.c | ||
| xfs_stats.h | ||
| xfs_super.c | ||
| xfs_super.h | ||
| xfs_symlink.c | ||
| xfs_symlink.h | ||
| xfs_sysctl.c | ||
| xfs_sysctl.h | ||
| xfs_sysfs.c | ||
| xfs_sysfs.h | ||
| xfs_trace.c | ||
| xfs_trace.h | ||
| xfs_trans.c | ||
| xfs_trans.h | ||
| xfs_trans_ail.c | ||
| xfs_trans_buf.c | ||
| xfs_trans_dquot.c | ||
| xfs_trans_extfree.c | ||
| xfs_trans_inode.c | ||
| xfs_trans_priv.h | ||
| xfs_xattr.c | ||