From mboxrd@z Thu Jan 1 00:00:00 1970 From: Al Viro Subject: Re: Linux 2.6.26-rc4 Date: Tue, 3 Jun 2008 17:50:42 +0100 Message-ID: <20080603165042.GC28946@ZenIV.linux.org.uk> References: <5440.195.41.66.226.1212487482.squirrel@mail.jabbernet.dk> <20080603104035.GT28946@ZenIV.linux.org.uk> <20080603105258.GV28946@ZenIV.linux.org.uk> <1212499623.3025.46.camel@raven.themaw.net> <1212509263.3025.66.camel@raven.themaw.net> <20080603164102.GB28946@ZenIV.linux.org.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: Ian Kent , Miklos Szeredi , jesper@krogh.cc, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org To: Linus Torvalds Return-path: Received: from zeniv.linux.org.uk ([195.92.253.2]:59426 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751950AbYFCQuz (ORCPT ); Tue, 3 Jun 2008 12:50:55 -0400 Content-Disposition: inline In-Reply-To: <20080603164102.GB28946@ZenIV.linux.org.uk> Sender: linux-fsdevel-owner@vger.kernel.org List-ID: On Tue, Jun 03, 2008 at 05:41:03PM +0100, Al Viro wrote: > >From my reading of that code looks like it's been rmdir'ed. And no, I > don't understand what the hell is that code trying to do. > > Ian, could you describe the race you are talking about? BTW, this stuff is definitely broken regardless of mount - if something had the directory in question opened before that rmdir and we'd hit your lookup_unhashed while another CPU had been in the middle of getdents(2) on that opened descriptor, we'll get vfs_readdir() grabs i_mutex vfs_readdir() checks that it's dead autofs4_lookup_unhashed() calls iput() inode is freed vfs_readdir() releases i_mutex - in already freed struct inode. Hell, just getdents() right *after* dentry->d_inode = NULL will oops, plain and simple.