Q: bugs in generic_forget

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* Q: bugs in generic_forget_inode()?
@ 2004-09-06 12:06 Kirill Korotaev
  2004-09-06 19:35 ` Andrew Morton
  0 siblings, 1 reply; 4+ messages in thread
From: Kirill Korotaev @ 2004-09-06 12:06 UTC (permalink / raw)
  To: linux-kernel, akpm, torvalds

Hello,

1. I found that generic_forget_inode() calls write_inode_now() dropping 
inode_lock and destroys inode after that. The problem is that 
write_inode_now() can sleep and during this sleep someone can find inode 
in the hash, w/o I_FREEING state and with i_count = 0.

If such inode will be iget'ed, then it will be iput'ed once more later 
messing with the current iput(). So the inode can be cleared and 
destroyed twice.

2. Why there is no wake_up_inode() in generic_forget_inode() like in 
generic_delete_inode()? Looks like it is missing...

is it bugs in generic_forget_inode()?

Kirill

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Q: bugs in generic_forget_inode()?
  2004-09-06 12:06 Q: bugs in generic_forget_inode()? Kirill Korotaev
@ 2004-09-06 19:35 ` Andrew Morton
  2004-09-10  9:04   ` Kirill Korotaev
  0 siblings, 1 reply; 4+ messages in thread
From: Andrew Morton @ 2004-09-06 19:35 UTC (permalink / raw)
  To: Kirill Korotaev; +Cc: linux-kernel, torvalds

Kirill Korotaev <dev@sw.ru> wrote:
>
> Hello,
> 
> 1. I found that generic_forget_inode() calls write_inode_now() dropping 
> inode_lock and destroys inode after that. The problem is that 
> write_inode_now() can sleep and during this sleep someone can find inode 
> in the hash, w/o I_FREEING state and with i_count = 0.

The filesystem is in the process of being unmounted (!MS_ACTIVE).  So the
question is: who is doing inode lookups against a soon-to-be-defunct
filesystem?



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Q: bugs in generic_forget_inode()?
  2004-09-06 19:35 ` Andrew Morton
@ 2004-09-10  9:04   ` Kirill Korotaev
  2004-09-10  9:11     ` Andrew Morton
  0 siblings, 1 reply; 4+ messages in thread
From: Kirill Korotaev @ 2004-09-10  9:04 UTC (permalink / raw)
  To: Andrew Morton; +Cc: linux-kernel, torvalds

Andrew Morton wrote:
> Kirill Korotaev <dev@sw.ru> wrote:
> 
>>Hello,
>>
>>1. I found that generic_forget_inode() calls write_inode_now() dropping 
>>inode_lock and destroys inode after that. The problem is that 
>>write_inode_now() can sleep and during this sleep someone can find inode 
>>in the hash, w/o I_FREEING state and with i_count = 0.
> 
> The filesystem is in the process of being unmounted (!MS_ACTIVE).  So the
> question is: who is doing inode lookups against a soon-to-be-defunct
> filesystem?

Yup, I'm studing this issue.
But while looking at code I found this interesting place:

__writeback_single_inode()
{
         while (inode->i_state & I_LOCK) {
                 __iget(inode);			<<<<<<
                 spin_unlock(&inode_lock);
                 __wait_on_inode(inode);
                 iput(inode);			<<<<<<
                 spin_lock(&inode_lock);
        }
	return __sync_single_inode(inode, wbc); <<<<<<
}

the problem here is iget/iput.

There are 2 possible cases:
1. all callers of this function do hold reference on inode, then 
iget/iput is unneeded.
2. if 1) is incorrect then it's a bug, since inode is used after iput.

This place looks really ugly, or I don't understand something here?

Kirill


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Q: bugs in generic_forget_inode()?
  2004-09-10  9:04   ` Kirill Korotaev
@ 2004-09-10  9:11     ` Andrew Morton
  0 siblings, 0 replies; 4+ messages in thread
From: Andrew Morton @ 2004-09-10  9:11 UTC (permalink / raw)
  To: Kirill Korotaev; +Cc: linux-kernel, torvalds

Kirill Korotaev <dev@sw.ru> wrote:
>
> Andrew Morton wrote:
> > Kirill Korotaev <dev@sw.ru> wrote:
> > 
> >>Hello,
> >>
> >>1. I found that generic_forget_inode() calls write_inode_now() dropping 
> >>inode_lock and destroys inode after that. The problem is that 
> >>write_inode_now() can sleep and during this sleep someone can find inode 
> >>in the hash, w/o I_FREEING state and with i_count = 0.
> > 
> > The filesystem is in the process of being unmounted (!MS_ACTIVE).  So the
> > question is: who is doing inode lookups against a soon-to-be-defunct
> > filesystem?
> 
> Yup, I'm studing this issue.

Do you mean to say that you are observing the above scenario with an
unmodified kernel.org filesystem?  Which one?

I suggest you add a

	BUG_ON(!(inode->i_sb->s_flags & MS_ACTIVE));

in the hash lookup code.

> But while looking at code I found this interesting place:
> 
> __writeback_single_inode()
> {
>          while (inode->i_state & I_LOCK) {
>                  __iget(inode);			<<<<<<
>                  spin_unlock(&inode_lock);
>                  __wait_on_inode(inode);
>                  iput(inode);			<<<<<<
>                  spin_lock(&inode_lock);
>         }
> 	return __sync_single_inode(inode, wbc); <<<<<<
> }
> 
> the problem here is iget/iput.
> 
> There are 2 possible cases:
> 1. all callers of this function do hold reference on inode, then 
> iget/iput is unneeded.
> 2. if 1) is incorrect then it's a bug, since inode is used after iput.
> 
> This place looks really ugly, or I don't understand something here?

You're right - the iget/iput is not needed.  The only caller here who does
not already have a ref on the inode is pdflush, and we already did an
__iget on that callpath.


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2004-09-10  9:13 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-09-06 12:06 Q: bugs in generic_forget_inode()? Kirill Korotaev
2004-09-06 19:35 ` Andrew Morton
2004-09-10  9:04   ` Kirill Korotaev
2004-09-10  9:11     ` Andrew Morton

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox