From: Andrew Morton <akpm@linux-foundation.org>
To: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: Hugh Dickins <hughd@google.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Nick Piggin <npiggin@kernel.dk>,
	Nick Bowler <nbowler@elliptictech.com>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	linux-nfs@vger.kernel.org, Rik van Riel <riel@redhat.com>,
	Christoph Hellwig <hch@lst.de>, Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: [PATCH v2 3/3] NFS: Fix a memory leak in nfs_readdir
Date: Wed, 1 Dec 2010 14:13:51 -0800
Message-ID: <20101201141351.8609140b.akpm@linux-foundation.org>
In-Reply-To: <1291240272.6609.50.camel@heimdal.trondhjem.org>

On Wed, 01 Dec 2010 16:51:12 -0500
Trond Myklebust <Trond.Myklebust@netapp.com> wrote:

> On Wed, 2010-12-01 at 13:38 -0800, Andrew Morton wrote:
> > On Wed, 1 Dec 2010 13:15:07 -0800 (PST)
> > Hugh Dickins <hughd@google.com> wrote:
> > 
> > > On Wed, 1 Dec 2010, Hugh Dickins wrote:
> > > > On Wed, 1 Dec 2010, Andrew Morton wrote:
> > > > > On Wed, 01 Dec 2010 15:10:50 -0500
> > > > > Trond Myklebust <Trond.Myklebust@netapp.com> wrote:
> > > > > 
> > > > > > --- a/include/linux/fs.h
> > > > > > +++ b/include/linux/fs.h
> > > > > > @@ -602,6 +602,7 @@ struct address_space_operations {
> > > > > >  	sector_t (*bmap)(struct address_space *, sector_t);
> > > > > >  	void (*invalidatepage) (struct page *, unsigned long);
> > > > > >  	int (*releasepage) (struct page *, gfp_t);
> > > > > > +	void (*freepage)(struct page *);
> > > > > >  	ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
> > > > > >  			loff_t offset, unsigned long nr_segs);
> > > > > >  	int (*get_xip_mem)(struct address_space *, pgoff_t, int,
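Review bot: the added `void (*freepage)(struct page *);` member has no comment stating its calling contract, so an implementer cannot tell from this declaration what state the page is in when the callback runs (locked or not, still in the page cache or already removed, whether the callback may sleep). Suggest documenting that contract next to the declaration, and saying explicitly whether the callback may assume the page's address_space is still reachable, since unlike `bmap` above it is passed only the page.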
> > > > > 
> > > > > It would be good to think about and then clearly spell out exactly what
> > > > > state the page is in here.  It is locked, and I assume clean and not
> > > > > under writeback.  What about its refcount, freezedness status and
> > > > > eligibility for lookups?
> > > > > 
> > > > > > And as Hugh pointed out, some callees might need the address_space*
> > > > > although we can perhaps defer that until such a callee turns up. 
> > > > > If/when that happens we might have a problem though: if this locked
> > > > > page is no longer attached to the address_space then what now pins the
> > > > > address_space, protecting it from inode reclaim?
> > > > 
> > > > That's an excellent point and trumps mine: it would be actively wrong
> > > > to provide the struct address_space *mapping arg I was asking for.
> > > > (Bet someone then tries stashing it away via page->private though.)
> > > 
> > > Hmm, thinking further along the same lines: can we even guarantee that
> > > the filesystem module is still loaded at that point?  i.e. might
> > > mapping->freepage now be pointing off into the garbage heap?
> > 
> > I don't see anything on the VFS side which would prevent a module
> > unload.  Or, more realistically, a concurrent unmount, freeing of the
> > superblock and everything associated with it.  All we have here is a
> > page*.
> > 
> > Probably on most call paths we'll be OK - if a process is in the middle
> > of a file truncate, holding a file* ref which holds an inode ref then
> > nobody will be unmounting that fs and hence nobody will be unloading
> > that module.
> > 
> > However on the random_code->alloc_page->vmscan->releasepage path, none
> > of that applies.
> 
> Just out of interest, what ensures that the mapping is still around for
> the 'spin_unlock_irq(&mapping->tree_lock);' in __remove_mapping()?

Nothing, afacit.

I think this was the race which I taunted the mm developers about a
couple of months back (can't find the email) and nobody contradicted
me at that time.

> I'm clearly missing whatever mechanism prevents iput_final() from racing
> with vmscan if the latter clears out the last page from the mapping.

The mechanism is called "luck".  Way back in the 2.5.late days there
was such a bug in the kernel (inode was reclaimed while vmscan was
playing with the address_space) and I was able to trigger oopses from
it.  It required really massive, withering amounts of memory pressure. 
Stupid amounts.  I should dig out those tools and remember how to
operate them...
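
The window discussed in this message (the page remover still touching the mapping after the last page is gone, while nothing stops reclaim from freeing it), as an added example that is not part of the original email and is not kernel code: a deterministic, single-threaded C model with hypothetical names (`reclaim`, `remove_last_page`, `honor_lock`). The hardened path assumes the reclaimer takes the mapping's lock before freeing; module unload is not modelled.

```c
/* Added model with hypothetical names; not kernel code. */
#include <stdbool.h>
#include <stddef.h>

struct mapping {
    bool locked;               /* stands in for mapping->tree_lock */
    bool freed;                /* flag instead of free(), so stale use is countable */
    int nrpages;
    void (*freepage)(int page);
};

static int stale_accesses;     /* touches of the mapping after it was "freed" */
static int pages_released;     /* bumped by the filesystem callback */

static void fs_freepage(int page) { (void)page; pages_released++; }

/* Reclaimer: frees an empty mapping. With honor_lock it backs off while the
 * remover still holds the lock; without it, nrpages == 0 is all it checks. */
static bool reclaim(struct mapping *m, bool honor_lock)
{
    if (m->nrpages != 0 || (honor_lock && m->locked))
        return false;
    m->freed = true;
    return true;
}

/* Remover: drops the last page; the reclaimer is interleaved at the point
 * where the page is gone but the remover has not yet unlocked. */
static void remove_last_page(struct mapping *m, bool hardened)
{
    void (*cb)(int) = NULL;
    m->locked = true;
    if (hardened)
        cb = m->freepage;                 /* snapshot while the lock is held */
    m->nrpages--;
    reclaim(m, hardened);                 /* concurrent inode reclaim runs here */
    if (m->freed) stale_accesses++;       /* the unlock writes to freed memory */
    m->locked = false;
    if (!hardened) {
        if (m->freed) stale_accesses++;   /* callback pointer read after free */
        cb = m->freepage;
    }
    if (cb) cb(0);
}

/* Runs one scenario and returns how many stale accesses occurred. */
int run_scenario(bool hardened)
{
    struct mapping m = { false, false, 1, fs_freepage };
    stale_accesses = 0;
    remove_last_page(&m, hardened);
    return stale_accesses;
}
```

In the unhardened run both the unlock and the callback lookup land on a mapping that has already been reclaimed; in the hardened run the reclaimer backs off until the remover has unlocked.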
