From mboxrd@z Thu Jan  1 00:00:00 1970
From: Nick Piggin <npiggin@suse.de>
Subject: [patch] fs: fix superblock iteration race
Date: Sat, 12 Jun 2010 00:50:09 +1000
Message-ID: <20100611145009.GE16436@laptop>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
To: Al Viro <viro@ZenIV.linux.org.uk>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	linux-fsdevel@vger.kernel.org
Return-path: <linux-fsdevel-owner@vger.kernel.org>
Received: from cantor2.suse.de ([195.135.220.15]:57074 "EHLO mx2.suse.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1759700Ab0FKOuW (ORCPT <rfc822;linux-fsdevel@vger.kernel.org>);
	Fri, 11 Jun 2010 10:50:22 -0400
Content-Disposition: inline
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID: <linux-fsdevel.vger.kernel.org>

Not sure if this is really the _cleanest_ way to fix it. But open coding
the list walking is a bit annoying too. And I couldn't see any real way to
make the list macro safe. Better ideas?

Thanks,
Nick

--
list_for_each_entry_safe is not suitable to protect against concurrent
modification of the list. 6754af6 introduced a race in sb walking.

list_for_each_entry can use the trick of pinning the current entry in
the list before we drop and retake the lock because it subsequently
follows cur->next. However list_for_each_entry_safe saves n=cur->next
for following before entering the loop body, so when the lock is
dropped, n may be deleted.

Signed-off-by: Nick Piggin <npiggin@suse.de>
---
 fs/dcache.c |    2 ++
 fs/super.c  |    6 ++++++
 2 files changed, 8 insertions(+)

Index: linux-2.6/fs/dcache.c
===================================================================
--- linux-2.6.orig/fs/dcache.c	2010-06-12 00:00:10.000000000 +1000
+++ linux-2.6/fs/dcache.c	2010-06-12 00:38:21.000000000 +1000
@@ -590,6 +590,8 @@ static void prune_dcache(int count)
 			up_read(&sb->s_umount);
 		}
 		spin_lock(&sb_lock);
+		/* old n may have been deleted */
+		n = list_entry(sb->s_list.next, struct super_block, s_list);
 		count -= pruned;
 		__put_super(sb);
 		/* more work left to do? */
Index: linux-2.6/fs/super.c
===================================================================
--- linux-2.6.orig/fs/super.c	2010-06-11 23:55:40.000000000 +1000
+++ linux-2.6/fs/super.c	2010-06-12 00:38:40.000000000 +1000
@@ -374,6 +374,8 @@ void sync_supers(void)
 			up_read(&sb->s_umount);
 
 			spin_lock(&sb_lock);
+			/* old n may have been deleted */
+			n = list_entry(sb->s_list.next, struct super_block, s_list);
 			__put_super(sb);
 		}
 	}
@@ -405,6 +407,8 @@ void iterate_supers(void (*f)(struct sup
 		up_read(&sb->s_umount);
 
 		spin_lock(&sb_lock);
+		/* old n may have been deleted */
+		n = list_entry(sb->s_list.next, struct super_block, s_list);
 		__put_super(sb);
 	}
 	spin_unlock(&sb_lock);
@@ -585,6 +589,8 @@ static void do_emergency_remount(struct
 		}
 		up_write(&sb->s_umount);
 		spin_lock(&sb_lock);
+		/* old n may have been deleted */
+		n = list_entry(sb->s_list.next, struct super_block, s_list);
 		__put_super(sb);
 	}
 	spin_unlock(&sb_lock);