• Artem B. Bityuckiy's avatar
    [PATCH] bugfix: two read_inode() calls without clear_inode() call between · 4120db47
    Artem B. Bityuckiy authored
    Bug symptoms
    ~~~~~~~~~~~~
    For the same inode VFS calls read_inode() twice and doesn't call
    clear_inode() between the two read_inode() invocations.
    
    Bug description
    ~~~~~~~~~~~~~~~
    Suppose we have an inode which has zero reference count but is still in
    the inode cache. Suppose kswapd invokes shrink_icache_memory() to free
    some RAM. In prune_icache() inodes are removed from i_hash. prune_icache
    () is then going to call clear_inode(), but drops the inode_lock
    spinlock before this. If in this moment another task calls iget() for an
    inode which was just removed from i_hash by prune_icache(), then iget()
    invokes read_inode() for this inode, because it is *already removed*
    from i_hash.
    
    The end result is: we call iget(#N) then iput(#N); inode #N has zero
    i_count now and is in the inode cache; kswapd starts. kswapd removes the
    inode #N from i_hash ans is preempted; we call iget(#N) again;
    read_inode() is invoked as the result; but we expect clear_inode()
    before.
    
    Fix
    ~~~~~~~
    To fix the bug I remove inodes from i_hash later, when clear_inode() is
    actually called. I remove them from i_hash under spinlock protection.
    Since the i_state is set to I_FREEING, it is safe to do this. The others
    will sleep waiting for the inode state change.
    
    I also postpone removing inodes from i_sb_list. It is not compulsory to
    do so but I do it for readability reasons. Inodes are added/removed to
    the lists together everywhere in the code and there is no point to
    change this rule. This is harmless because the only user of i_sb_list
    which somehow may interfere with me (invalidate_list()) is excluded by
    the iprune_sem mutex.
    
    The same race is possible in invalidate_list() so I do the same for it.
    Acked-by: default avatarChristoph Hellwig <hch@lst.de>
    Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
    4120db47
inode.c 34.3 KB