From mboxrd@z Thu Jan  1 00:00:00 1970
From: Matthew Wilcox <willy@debian.org>
Subject: Re: [PATCH] ext3 [linux-2.6.2.]: accessing already freed inodes when under memory pressure
Date: Tue, 30 Mar 2004 15:16:37 +0100
Sender: linux-fsdevel-owner@vger.kernel.org
Message-ID: <20040330141637.GI7709@parcelfarce.linux.theplanet.co.uk>
References: <OFB7BF1E31.8824C0B7-ONC1256E67.004015BB-C1256E67.0041B813@de.ibm.com> <1080653969.24117.192.camel@hades.cambridge.redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>,
	Linus Torvalds <torvalds@osdl.org>,
	Andrew Morton <akpm@osdl.org>, Carsten Otte <cotte@de.ibm.com>,
	Carsten Otte <cotte@freenet.de>, linux-fsdevel@vger.kernel.org,
	sct@redhat.com, Al Viro <viro@parcelfarce.linux.theplanet.co.uk>,
	Dave Kleikamp <shaggy@austin.ibm.com>
Return-path: <linux-fsdevel-owner@vger.kernel.org>
Received: from parcelfarce.linux.theplanet.co.uk ([195.92.249.252]:48301 "EHLO
	www.linux.org.uk") by vger.kernel.org with ESMTP id S263671AbUC3OQk
	(ORCPT <rfc822;linux-fsdevel@vger.kernel.org>);
	Tue, 30 Mar 2004 09:16:40 -0500
To: David Woodhouse <dwmw2@infradead.org>
Content-Disposition: inline
In-Reply-To: <1080653969.24117.192.camel@hades.cambridge.redhat.com>
List-Id: linux-fsdevel.vger.kernel.org

On Tue, Mar 30, 2004 at 02:39:30PM +0100, David Woodhouse wrote:
> If we ignore the anecdotes about reinstating a libc which has been
> unlinked but is still in use -- is there any reason we're want any file
> system to allow link() to inodes with i_nlink == 0?

To preserve the anecdotes, we could check i_count as well, but this starts
to get hairy.  If iput_final() races with vfs_link() we'd have problems.
Should iput_final() be taking i_sem anyway?  Seems to me we have the race:

CPU0					CPU1

iput()
atomic_dec_and_lock(&inode->i_count, &inode_lock)
					sys_unlink()
					atomic_inc(&inode->i_count);
					vfs_unlink()
					inode->i_nlink-- (reaches 0)
iput_final()
generic_drop_inode()
					
if (!inode->i_nlink)
        generic_delete_inode(inode);
else
        generic_forget_inode(inode);
					iput()
					atomic_dec_and_lock()
					generic_delete_inode()

Calling generic_delete_inode() twice gives us a BUG() in clear_inode()
(if we even get that far).  Have I overlooked something here?	

-- 
"Next the statesmen will invent cheap lies, putting the blame upon 
the nation that is attacked, and every man will be glad of those
conscience-soothing falsities, and will diligently study them, and refuse
to examine any refutations of them; and thus he will by and by convince 
himself that the war is just, and will thank God for the better sleep 
he enjoys after this process of grotesque self-deception." -- Mark Twain