From mboxrd@z Thu Jan 1 00:00:00 1970 From: Al Viro Subject: Re: [PATCH] VFS: Add back check for !inode in walk_component() Date: Thu, 7 May 2015 18:28:34 +0100 Message-ID: <20150507172834.GD889@ZenIV.linux.org.uk> References: <20150507125241.4da739ac@gandalf.local.home> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: David Howells , LKML , linux-fsdevel@vger.kernel.org To: Steven Rostedt Return-path: Received: from zeniv.linux.org.uk ([195.92.253.2]:52821 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751545AbbEGR2h (ORCPT ); Thu, 7 May 2015 13:28:37 -0400 Content-Disposition: inline In-Reply-To: <20150507125241.4da739ac@gandalf.local.home> Sender: linux-fsdevel-owner@vger.kernel.org List-ID: On Thu, May 07, 2015 at 12:52:41PM -0400, Steven Rostedt wrote: > > Commit 698934df8b45 "VFS: Combine inode checks with d_is_negative() and > d_is_positive() in pathwalk" removed a check for inode being NULL in > walk_component() where the type is tested. Stressing my tracefs create > and remove instances while reading the files now triggers this: So you get NULL ->d_inode with stale flags? The thing is, ->d_inode becoming NULL should happen via d_delete(), which goes throug this: unsigned flags = READ_ONCE(dentry->d_flags); flags &= ~(DCACHE_ENTRY_TYPE | DCACHE_FALLTHRU); WRITE_ONCE(dentry->d_flags, flags); smp_wmb(); dentry->d_inode = NULL; and after that assignment to ->d_flags you'll see d_is_negative() being true. OTOH, we have *inode = dentry->d_inode; if (read_seqcount_retry(&dentry->d_seq, seq)) in lookup_fast(), and read_seqcount_retry() is { smp_rmb(); return __read_seqcount_retry(s, start); } IOW, we have smp_rmb() between fetching ->d_inode and checking ->d_flags. If you can reproduce that at will, could you make it dump nd->flags along with dentry involved?