From mboxrd@z Thu Jan 1 00:00:00 1970
From: Christoph Hellwig
Subject: Re: inode_permission NULL pointer dereference in 3.13-rc1
Date: Mon, 25 Nov 2013 08:06:48 -0800
Message-ID: <20131125160648.GA4933@infradead.org>
References: <20131124140413.GA19271@infradead.org> <20131124152758.GL10323@ZenIV.linux.org.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Christoph Hellwig, linux-fsdevel@vger.kernel.org, xfs@oss.sgi.com
To: Al Viro
Return-path:
Received: from bombadil.infradead.org ([198.137.202.9]:36274 "EHLO bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751809Ab3KYQGs (ORCPT ); Mon, 25 Nov 2013 11:06:48 -0500
Content-Disposition: inline
In-Reply-To: <20131124152758.GL10323@ZenIV.linux.org.uk>
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID:

On Sun, Nov 24, 2013 at 03:27:58PM +0000, Al Viro wrote:
> which seems to leave two candidates - follow_dotdot_rcu() and path_init(),
> both setting nd->inode to nd->path.dentry->d_inode...
>
> Could you try to reproduce it with something like
> 	if (read_seqretry(&mount_lock, nd->m_seq))
> 		goto failed;
> slapped before the success exit in follow_dotdot_rcu(), just to see if
> we are hitting some races with umount here?

Still reproducible with the diff below. Fixed by reverting the RCU'd vfsmounts.

diff --git a/fs/namei.c b/fs/namei.c
index 8f77a8c..856e4d5 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1158,6 +1158,10 @@ static int follow_dotdot_rcu(struct nameidata *nd)
 	}
 	follow_mount_rcu(nd);
 	nd->inode = nd->path.dentry->d_inode;
+
+	if (read_seqretry(&mount_lock, nd->m_seq))
+		goto failed;
+
 	return 0;
 
 failed:
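Review bot: the added read_seqretry(&mount_lock, nd->m_seq) check comes after `nd->inode = nd->path.dentry->d_inode;`, so a path left stale by a racing umount is already dereferenced and stored into nd->inode before the retry is detected; as a diagnostic this is acceptable because `goto failed` discards the result, but if the aim is to confirm the check actually shields the dereference, it belongs before the assignment. The hunk also adds an empty line on each side of the new `if`, which the surrounding code does not do, and it instruments only follow_dotdot_rcu(), while the quoted reply names path_init() as the second place that sets nd->inode from nd->path.dentry->d_inode, so a crash that survives this diff does not by itself exclude a mount race at that other site.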