[PATCH] 9p: fix WARN_ON when dropping nlink on files with nlink=0

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: Breno Leitao <leitao@debian.org>
To: Eric Van Hensbergen <ericvh@kernel.org>,
	 Latchesar Ionkov <lucho@ionkov.net>,
	 Dominique Martinet <asmadeus@codewreck.org>,
	 Christian Schoenebeck <linux_oss@crudebyte.com>,
	 Andrew Morton <akpm@linux-foundation.org>,
	 Eryu Guan <eguan@linux.alibaba.com>,
	Yiwen Jiang <jiangyiwen@huawei.com>
Cc: v9fs@lists.linux.dev, linux-kernel@vger.kernel.org,
	 stable@vger.kernel.org, Breno Leitao <leitao@debian.org>
Subject: [PATCH] 9p: fix WARN_ON when dropping nlink on files with nlink=0
Date: Mon, 26 Jan 2026 02:23:37 -0800	[thread overview]
Message-ID: <20260126-9p-v1-1-dc234d53ae87@debian.org> (raw)

v9fs_dec_count() guards against decrementing nlink on directories that
have nlink <= 2, but does not guard against decrementing nlink on
regular files that already have nlink == 0.

In the 9p filesystem, the client caches inode metadata including nlink,
but the server is the source of truth. During an unlink operation, the
following race can occur:

  1. Client initiates unlink, server processes it and sets nlink to 0
  2. Client fetches updated inode metadata (nlink=0) before unlink returns
  3. Client's v9fs_remove() completes successfully
  4. Client calls v9fs_dec_count() which calls drop_nlink() on nlink=0

This race is easily triggered under heavy unlink workloads, such as
stress-ng's unlink stressor, producing the following warning:

  WARNING: fs/inode.c:417 at drop_nlink+0x4c/0xc8
  Call trace:
   drop_nlink+0x4c/0xc8
   v9fs_remove+0x1e0/0x250 [9p]
   v9fs_vfs_unlink+0x20/0x38 [9p]
   vfs_unlink+0x13c/0x258
   ...

Fix this by returning early from v9fs_dec_count() if the inode's nlink
is already zero, extending the protection that commit ac89b2ef9b55
("9p: don't maintain dir i_nlink if the exported fs doesn't either")
added for directories to also cover regular files.

Fixes: ac89b2ef9b55 ("9p: don't maintain dir i_nlink if the exported fs doesn't either")
Cc: stable@vger.kernel.org
Signed-off-by: Breno Leitao <leitao@debian.org>
---
 fs/9p/vfs_inode.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
index 97abe65bf7c1f..b75f656af4c98 100644
--- a/fs/9p/vfs_inode.c
+++ b/fs/9p/vfs_inode.c
@@ -488,10 +488,16 @@ static int v9fs_at_to_dotl_flags(int flags)
  * - ext4 (with dir_nlink feature enabled) sets nlink to 1 if a dir has more
  *   than EXT4_LINK_MAX (65000) links.
  *
+ * For regular files, the server may have already decremented nlink to 0
+ * before the client's unlink completes, so we must also guard against
+ * decrementing an already-zero nlink.
+ *
  * @inode: inode whose nlink is being dropped
  */
 static void v9fs_dec_count(struct inode *inode)
 {
+	if (!inode->i_nlink)
+		return;
 	if (!S_ISDIR(inode->i_mode) || inode->i_nlink > 2)
 		drop_nlink(inode);
 }

---
base-commit: ca3a02fda4da8e2c1cb6baee5d72352e9e2cfaea
change-id: 20260126-9p-50d206e2f6f6

Best regards,
--  
Breno Leitao <leitao@debian.org>

next             reply	other threads:[~2026-01-26 10:24 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-01-26 10:23 Breno Leitao [this message]
2026-02-15  9:27 ` [PATCH] 9p: fix WARN_ON when dropping nlink on files with nlink=0 Dominique Martinet

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:97abe65bf7c1 dfblob:b75f656af4c9 )
 OR (
bs:"[PATCH] 9p: fix WARN_ON when dropping nlink on files with nlink=0" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260126-9p-v1-1-dc234d53ae87@debian.org \
    --to=leitao@debian.org \
    --cc=akpm@linux-foundation.org \
    --cc=asmadeus@codewreck.org \
    --cc=eguan@linux.alibaba.com \
    --cc=ericvh@kernel.org \
    --cc=jiangyiwen@huawei.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux_oss@crudebyte.com \
    --cc=lucho@ionkov.net \
    --cc=stable@vger.kernel.org \
    --cc=v9fs@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox