From: Al Viro <viro@ZenIV.linux.org.uk>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Dave Chinner <david@fromorbit.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>
Subject: Re: dcache shrink list corruption?
Date: Wed, 30 Apr 2014 20:59:18 +0100 [thread overview]
Message-ID: <20140430195918.GS18016@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20140430190227.GR18016@ZenIV.linux.org.uk>
On Wed, Apr 30, 2014 at 08:02:27PM +0100, Al Viro wrote:
> On Wed, Apr 30, 2014 at 08:42:01PM +0200, Miklos Szeredi wrote:
>
> > Message-ID: <20140430154958.GC3113@tucsk.piliscsaba.szeredi.hu>
>
> I see... Several points:
> * I still think that it's better to do handling of "we see
> DCACHE_DENTRY_KILLED already set" in dentry_kill() itself.
> * in dentry_kill(dentry, 0) we *know* that it's not on a shrink
> list - the caller has just removed it from there and we'd kept ->d_lock
> since that point. What's more, with that scheme we don't need to bother
> with can_free at all - just grab ->d_lock after ->d_release() call and check
> DCACHE_SHRINK_LIST. No sense trying to avoid that - in case where we
> could just go ahead and free the sucker, there's neither contention nor
> anybody else interested in that cacheline, so spin_lock(&dentry->d_lock)
> is pretty much free.
>
> IOW, I'd prefer to do the following (completely untested) on top of 1/6--4/6:
Sigh... One more problem:
/*
* We found an inuse dentry which was not removed from
* the LRU because of laziness during lookup. Do not free it.
*/
if (dentry->d_lockref.count) {
spin_unlock(&dentry->d_lock);
continue;
}
should become
if (dentry->d_lockref.count > 0) {
....
instead - lockref_mark_dead() slaps -128 into it, so we'll just leak all
dentries where dput() has come first and decided to leave the suckers
for us.
Another thing: I don't like what's going on with freeing vs. ->d_lock there.
Had that been a mutex, we'd definitely get a repeat of "vfs: fix subtle
use-after-free of pipe_inode_info". The question is, can spin_unlock(p)
dereference p after another CPU gets through spin_lock(p)? Linus?
It can be dealt with by setting DCACHE_RCUACCESS in "let another guy free
it" cases and playing with rcu_read_lock a bit, but I wonder whether we
need to bother - quick look through alpha/sparc/ppc shows that on those
we do not and the same is true for non-paravirt case on x86. I hadn't
checked what paravirt one does, though, and I certainly hadn't done
exhaustive search for architectures doing something weird...
next prev parent reply other threads:[~2014-04-30 19:59 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-29 16:01 dcache shrink list corruption? Miklos Szeredi
2014-04-29 17:43 ` Linus Torvalds
2014-04-29 18:03 ` Miklos Szeredi
2014-04-29 18:16 ` Al Viro
2014-04-29 19:10 ` Al Viro
2014-04-29 21:18 ` Dave Chinner
2014-04-29 21:48 ` Al Viro
2014-04-29 23:04 ` Linus Torvalds
2014-04-29 23:20 ` Al Viro
2014-04-30 2:31 ` Al Viro
2014-04-30 2:56 ` Linus Torvalds
2014-04-30 4:04 ` Al Viro
2014-04-30 15:49 ` Miklos Szeredi
2014-04-30 15:56 ` Miklos Szeredi
2014-04-30 16:03 ` Al Viro
2014-04-30 17:33 ` Miklos Szeredi
2014-04-30 18:36 ` Al Viro
2014-04-30 18:42 ` Miklos Szeredi
2014-04-30 19:02 ` Al Viro
2014-04-30 19:59 ` Al Viro [this message]
2014-04-30 20:23 ` Linus Torvalds
2014-04-30 20:38 ` Al Viro
2014-04-30 20:57 ` Linus Torvalds
2014-04-30 21:12 ` Al Viro
2014-04-30 22:12 ` Al Viro
2014-04-30 23:04 ` Linus Torvalds
2014-04-30 23:14 ` Linus Torvalds
2014-04-30 23:43 ` Al Viro
2014-05-01 0:18 ` Linus Torvalds
2014-05-01 2:51 ` Al Viro
2014-05-01 2:59 ` Linus Torvalds
2014-05-01 3:12 ` Al Viro
2014-05-01 9:42 ` Miklos Szeredi
2014-05-01 14:34 ` Al Viro
2014-05-01 21:02 ` Al Viro
2014-05-01 21:05 ` Al Viro
2014-05-01 22:52 ` Linus Torvalds
2014-05-02 8:43 ` Szeredi Miklos
2014-05-02 21:04 ` Linus Torvalds
2014-04-30 23:38 ` Al Viro
2014-04-30 9:15 ` Miklos Szeredi
2014-05-02 5:51 ` Al Viro
2014-05-02 9:00 ` Szeredi Miklos
2014-05-02 21:02 ` Miklos Szeredi
2014-05-02 21:08 ` Miklos Szeredi
2014-05-02 21:18 ` Linus Torvalds
2014-05-02 22:40 ` Al Viro
2014-05-02 23:06 ` Al Viro
2014-05-03 4:26 ` Al Viro
2014-05-03 18:07 ` Linus Torvalds
2014-05-03 18:25 ` Al Viro
2014-05-03 18:21 ` Al Viro
2014-05-04 6:29 ` Al Viro
2014-05-06 10:17 ` Miklos Szeredi
2014-05-06 14:53 ` Linus Torvalds
2014-05-06 16:52 ` Al Viro
2014-05-06 17:01 ` Linus Torvalds
2014-05-06 19:15 ` Al Viro
2014-05-02 22:32 ` Al Viro
2014-04-29 18:17 ` Linus Torvalds
2014-04-29 17:56 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140430195918.GS18016@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=david@fromorbit.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.