All of lore.kernel.org
 help / color / mirror / Atom feed
* Race in iput()?
@ 2004-06-29  4:40 Paul Menage
  2004-06-29  5:40 ` viro
  0 siblings, 1 reply; 2+ messages in thread
From: Paul Menage @ 2004-06-29  4:40 UTC (permalink / raw)
  To: viro; +Cc: linux-kernel

Hi,

Is the following sequence of events possible? If so, that would seem
to be a bug.

- inode on non-MS_ACTIVE superblock is on unused list (fs being unmounted?)
- prune_icache() starts processing inode, so sets I_LOCK
- in another thread, someone calls iget() then iput() on inode 
- inode is dirty, so iput() calls write_inode_now() 
- write_inode_now() calls sync_one()
- sync_one() calls __iget() and bumps inode ref count back up to 1
- sync_one() calls __wait_on_inode() and sleeps
- in original thread, prune_icache() finishes with inode and clears I_LOCK
- sync_one() wakes up and calls iput()
- iput() decrements ref count to 0 again and frees inode (no wait this time)
- sync_one() and callers now hold a pointer to a freed inode

Alternatively, try_to_sync_unused_inodes() could be racing rather than
prune_icache().

We've seen a crash that could be explained by this race being hit, if
it is possible.

Paul

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2004-06-29  5:40 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-06-29  4:40 Race in iput()? Paul Menage
2004-06-29  5:40 ` viro

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.