Re: panic in do_last()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Al Viro <viro@ZenIV.linux.org.uk>
To: Lin Ming <minggr@gmail.com>
Cc: David Howells <dhowells@redhat.com>,
	linux-fsdevel@vger.kernel.org, Hugh Dickins <hughd@google.com>
Subject: Re: panic in do_last()
Date: Fri, 18 Apr 2014 03:17:09 +0100	[thread overview]
Message-ID: <20140418021707.GH18016@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20140418015750.GG18016@ZenIV.linux.org.uk>

On Fri, Apr 18, 2014 at 02:57:50AM +0100, Al Viro wrote:

> Where is it in do_last()?  Hard to tell without even the hex dump of
> oopsing code (and trying to reproduce it here hasn't produced any oopsen
> so far).

Hmm...  Still no oopsen, but it looks like it *is* possible to get
screwed there.  RCU mode isn't a problem, AFAICS (we'll fail on d_seq
mismatch in complete_walk() and that will be the end of it), but
non-lazy mode *can* get buggered.  We are holding a reference to
nd->path.dentry and that's enough to prevent positive-to-negative
transition, but negative-to-positive is fair game.  So it does
happen and we end up with nd->inode being set to NULL.  And _that_
promptly blows up on
        if (!S_ISREG(nd->inode->i_mode))
                will_truncate = false;
Actually, it might very well be the only source of breakage - that late
in the game (already out of RCU mode, for starters) we don't give a damn
about nd->inode.

Ah, actually there's also
                BUG_ON(inode != path->dentry->d_inode);
in symlink case (similar "negative to positive", but it will be a symlink(2),
not creat(2)).  Pointless BUG_ON, actually...

The reason why your reordering hadn't done any good is that CPU cache is free
to reorder behind your back - no barriers between these two stores.

I'd still like the disassembly of your do_last() and the missing hex dump...

next prev parent reply	other threads:[~2014-04-18  2:17 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-04-18  1:14 panic in do_last() Lin Ming
2014-04-18  1:57 ` Al Viro
2014-04-18  2:17   ` Al Viro [this message]
2014-04-18  2:22     ` Lin Ming
2014-04-18  2:35     ` Lin Ming
2014-04-18  2:42       ` Al Viro
     [not found]   ` <CAF1ivSbqM2LorrED3MvgKBDxA9sLz_RkOEPwAfvYYmL5C9K0vA@mail.gmail.com>
2014-04-18  2:38     ` Al Viro
2014-04-18  2:48       ` Al Viro
2014-04-18  3:17         ` Al Viro
2014-04-18  3:40           ` Lin Ming
2014-04-18 15:11             ` Lin Ming
2014-04-22 17:51               ` Lin Ming

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20140418021707.GH18016@ZenIV.linux.org.uk \
    --to=viro@zeniv.linux.org.uk \
    --cc=dhowells@redhat.com \
    --cc=hughd@google.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=minggr@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.