From: Al Viro <viro@ZenIV.linux.org.uk>
To: Santosh Madiraju <madiraju.santosh@gmail.com>
Cc: linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH 2/2] fs: fix bug where dentry freed earlier, might be getting freed again.
Date: Sat, 30 Jan 2016 21:12:38 +0000 [thread overview]
Message-ID: <20160130211237.GG17997@ZenIV.linux.org.uk> (raw)
In-Reply-To: <1454187106-10827-1-git-send-email-madiraju.santosh@gmail.com>
On Sat, Jan 30, 2016 at 12:51:46PM -0800, Santosh Madiraju wrote:
> From: madiraju <madiraju.santosh@gmail.com>
>
> While shrinking the dentry list in shrink_dentry_list function,
> if DCACHE_MAY_FREE flag is set, it frees the dentry, and it again
> tries to do it in dentry_kill.
[snip]
> diff --git a/fs/dcache.c b/fs/dcache.c
> index 92d5140..7aa2252 100644
> --- a/fs/dcache.c
> +++ b/fs/dcache.c
> @@ -986,8 +986,8 @@ static void shrink_dentry_list(struct list_head *list)
> spin_unlock(&parent->d_lock);
> continue;
> }
> -
> - __dentry_kill(dentry);
> + if (dentry)
> + __dentry_kill(dentry);
Considering the fact that this call of __dentry_kill() is immediately preceded
by
inode = dentry->d_inode;
if (inode && unlikely(!spin_trylock(&inode->i_lock))) {
d_shrink_add(dentry, list);
spin_unlock(&dentry->d_lock);
if (parent)
spin_unlock(&parent->d_lock);
continue;
}
it is flat-out impossible to get to that call with dentry equal to NULL -
we would've oopsed on attempt to fetch dentry->d_inode, not to mention that
the value in dentry ultimately comes from
dentry = list_entry(list->prev, struct dentry, d_lru);
which _never_ yields NULL. And that access of dentry->d_inode is not the
only place in between where we would've oopsed with dentry being NULL,
while we are at it.
And description also makes no sense whatsoever - if we run into DCACHE_MAY_FREE
(which can't be set without DCACHE_DENTRY_KILLED having been set first), we
won't even reach that __dentry_kill() - we'll run into
if (unlikely(dentry->d_flags & DCACHE_DENTRY_KILLED)) {
bool can_free = dentry->d_flags & DCACHE_MAY_FREE;
spin_unlock(&dentry->d_lock);
if (parent)
spin_unlock(&parent->d_lock);
if (can_free)
dentry_free(dentry);
continue;
}
and that's it as far as this dentry is concerned. We'd done
d_shrink_del(dentry) - that's the very first thing we do and we do it
unconditionally.
What's more, making no sense is about the only thing description and patch
have in common. NAK.
prev parent reply other threads:[~2016-01-30 21:12 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-30 20:51 [PATCH 2/2] fs: fix bug where dentry freed earlier, might be getting freed again Santosh Madiraju
2016-01-30 21:12 ` Al Viro [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160130211237.GG17997@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=linux-fsdevel@vger.kernel.org \
--cc=madiraju.santosh@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.