From: yangerkun <yangerkun@huawei.com>
To: <vgoyal@redhat.com>, <miklos@szeredi.hu>, <amir73il@gmail.com>
Cc: <linux-unionfs@vger.kernel.org>, <yangerkun@huawei.com>
Subject: [PATCH] ovl: fix some bug exist in ovl_get_inode
Date: Wed, 27 May 2020 12:17:11 +0800 [thread overview]
Message-ID: <20200527041711.60219-1-yangerkun@huawei.com> (raw)
Run generic/461 with ext4 upper/lower layer sometimes may trigger the
bug as below(linux 4.19):
[ 551.001349] overlayfs: failed to get metacopy (-5)
[ 551.003464] overlayfs: failed to get inode (-5)
[ 551.004243] overlayfs: cleanup of 'd44/fd51' failed (-5)
[ 551.004941] overlayfs: failed to get origin (-5)
[ 551.005199] ------------[ cut here ]------------
[ 551.006697] WARNING: CPU: 3 PID: 24674 at fs/inode.c:1528 iput+0x33b/0x400
...
[ 551.027219] Call Trace:
[ 551.027623] ovl_create_object+0x13f/0x170
[ 551.028268] ovl_create+0x27/0x30
[ 551.028799] path_openat+0x1a35/0x1ea0
[ 551.029377] do_filp_open+0xad/0x160
[ 551.029944] ? vfs_writev+0xe9/0x170
[ 551.030499] ? page_counter_try_charge+0x77/0x120
[ 551.031245] ? __alloc_fd+0x160/0x2a0
[ 551.031832] ? do_sys_open+0x189/0x340
[ 551.032417] ? get_unused_fd_flags+0x34/0x40
[ 551.033081] do_sys_open+0x189/0x340
[ 551.033632] __x64_sys_creat+0x24/0x30
[ 551.034219] do_syscall_64+0xd5/0x430
[ 551.034800] entry_SYSCALL_64_after_hwframe+0x44/0xa9
...
[ 556.107515] BUG: Dentry 000000006bc1d73f{i=4129c,n=fd51} still in use (-1) [unmount of ext4 sdb]
[ 556.108946] ------------[ cut here ]------------
[ 556.109686] WARNING: CPU: 1 PID: 24682 at fs/dcache.c:1557 umount_check+0x95/0xc0
[ 556.130343] d_walk+0x10d/0x430
[ 556.130832] do_one_tree+0x30/0x60
[ 556.131365] shrink_dcache_for_umount+0x38/0xe0
[ 556.132063] generic_shutdown_super+0x2e/0x1c0
[ 556.132747] kill_block_super+0x29/0x80
[ 556.133338] deactivate_locked_super+0x7a/0x100
[ 556.134034] deactivate_super+0x9d/0xb0
[ 556.134627] cleanup_mnt+0x67/0x100
[ 556.135173] __cleanup_mnt+0x16/0x20
[ 556.135731] task_work_run+0xdb/0x110
[ 556.136306] exit_to_usermode_loop+0x197/0x1b0
[ 556.136991] do_syscall_64+0x3ce/0x430
[ 556.137571] entry_SYSCALL_64_after_hwframe+0x44/0xa9
...
[ 556.378140] VFS: Busy inodes after unmount of sdb. Self-destruct in 5 seconds. Have a nice day...
After check the code, there may some bug need to fix:
1. We need to call iput once ovl_check_metacopy_xattr fail.
2. We need to call unlock_new_inode or the above iput(also with iput in
ovl_create_object) will trigger the a WARN_ON since the I_NEW still
exists.
3. We should move the init for upperdentry to the place below
ovl_check_metacopy_xattr. Or the dentry reference will decrease to
-1(error path in ovl_create_upper will inc, ovl_destroy_inode too).
Fixes: 9d3dfea3d35a ("ovl: Modify ovl_lookup() and friends to lookup metacopy dentry")
Signed-off-by: yangerkun <yangerkun@huawei.com>
---
fs/overlayfs/inode.c | 25 +++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
index 981f11ec51bc..8f59e89e14e8 100644
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@ -959,7 +959,7 @@ struct inode *ovl_get_inode(struct super_block *sb,
int fsid = bylower ? lowerpath->layer->fsid : 0;
bool is_dir, metacopy = false;
unsigned long ino = 0;
- int err = oip->newinode ? -EEXIST : -ENOMEM;
+ int err = 0;
if (!realinode)
realinode = d_inode(lowerdentry);
@@ -975,8 +975,11 @@ struct inode *ovl_get_inode(struct super_block *sb,
unsigned int nlink = is_dir ? 1 : realinode->i_nlink;
inode = ovl_iget5(sb, oip->newinode, key);
- if (!inode)
+ if (!inode) {
+ err = oip->newinode ? -EEXIST : -ENOMEM;
goto out_err;
+ }
+
if (!(inode->i_state & I_NEW)) {
/*
* Verify that the underlying files stored in the inode
@@ -984,7 +987,6 @@ struct inode *ovl_get_inode(struct super_block *sb,
*/
if (!ovl_verify_inode(inode, lowerdentry, upperdentry,
true)) {
- iput(inode);
err = -ESTALE;
goto out_err;
}
@@ -1009,8 +1011,6 @@ struct inode *ovl_get_inode(struct super_block *sb,
ino = realinode->i_ino;
fsid = lowerpath->layer->fsid;
}
- ovl_fill_inode(inode, realinode->i_mode, realinode->i_rdev);
- ovl_inode_init(inode, oip, ino, fsid);
if (upperdentry && ovl_is_impuredir(upperdentry))
ovl_set_flag(OVL_IMPURE, inode);
@@ -1027,6 +1027,8 @@ struct inode *ovl_get_inode(struct super_block *sb,
ovl_set_flag(OVL_UPPERDATA, inode);
}
+ ovl_fill_inode(inode, realinode->i_mode, realinode->i_rdev);
+ ovl_inode_init(inode, oip, ino, fsid);
OVL_I(inode)->redirect = oip->redirect;
if (bylower)
@@ -1040,13 +1042,20 @@ struct inode *ovl_get_inode(struct super_block *sb,
}
}
- if (inode->i_state & I_NEW)
+clear_new:
+ if (inode && (inode->i_state & I_NEW))
unlock_new_inode(inode);
+ if (err < 0) {
+ /* Or the iput show be called by ovl_create_object. */
+ if (inode && (inode != oip->newinode))
+ iput(inode);
+
+ inode = ERR_PTR(err);
+ }
out:
return inode;
out_err:
pr_warn_ratelimited("failed to get inode (%i)\n", err);
- inode = ERR_PTR(err);
- goto out;
+ goto clear_new;
}
--
2.21.3
next reply other threads:[~2020-05-27 3:45 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-27 4:17 yangerkun [this message]
2020-05-27 11:16 ` [PATCH] ovl: fix some bug exist in ovl_get_inode Amir Goldstein
2020-05-27 14:46 ` Miklos Szeredi
2020-05-27 15:56 ` Amir Goldstein
2020-05-27 16:02 ` Vivek Goyal
2020-05-27 17:11 ` Amir Goldstein
2020-05-27 18:47 ` Vivek Goyal
2020-05-27 18:57 ` Vivek Goyal
2020-05-27 19:49 ` Vivek Goyal
2020-05-27 20:11 ` Amir Goldstein
2020-05-28 17:35 ` Vivek Goyal
2020-05-28 21:07 ` Amir Goldstein
2020-05-29 14:16 ` Vivek Goyal
2020-05-29 15:46 ` Amir Goldstein
2020-05-29 19:00 ` Vivek Goyal
2020-05-30 11:35 ` Amir Goldstein
2020-06-02 15:57 ` Vivek Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200527041711.60219-1-yangerkun@huawei.com \
--to=yangerkun@huawei.com \
--cc=amir73il@gmail.com \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).