Re: RFC: asserting an inode is locked

From: Mateusz Guzik <mjguzik@gmail.com>
To: Matthew Wilcox <willy@infradead.org>
Cc: linux-fsdevel@vger.kernel.org
Subject: Re: RFC: asserting an inode is locked
Date: Thu, 2 May 2024 17:31:12 +0200	[thread overview]
Message-ID: <w5aicng35yjeqef7ll5kiakg2ayarodl7h5o4uxwi76zvaewxt@kcja7hf5qqhb> (raw)
In-Reply-To: <ZgTL4jrUqIgCItx3@casper.infradead.org>

On Thu, Mar 28, 2024 at 01:46:10AM +0000, Matthew Wilcox wrote:
> 
> I have this patch in my tree that I'm thinking about submitting:
> 
> +static inline void inode_assert_locked(const struct inode *inode)
> +{
> +       rwsem_assert_held(&inode->i_rwsem);
> +}
> +
> +static inline void inode_assert_locked_excl(const struct inode *inode)
> +{
> +       rwsem_assert_held_write(&inode->i_rwsem);
> +}
> 

Huh, I thought this was sorted out some time last year.

> Then we can do a whole bunch of "replace crappy existing assertions with
> the shiny new ones".
> 
> @@ -2746,7 +2746,7 @@ struct dentry *lookup_one_len(const char *name, struct den
> try *base, int len)
>         struct qstr this;
>         int err;
> 
> -       WARN_ON_ONCE(!inode_is_locked(base->d_inode));
> +       inode_assert_locked(base->d_inode);
> 
> for example.
> 
> But the naming is confusing and I can't think of good names.
> 
> inode_lock() takes the lock exclusively, whereas inode_assert_locked()
> only checks that the lock is held.  ie 1-3 pass and 4 fails.
> 
> 1.	inode_lock(inode);		inode_assert_locked(inode);
> 2.	inode_lock_shared(inode);	inode_assert_locked(inode);
> 3.	inode_lock(inode);		inode_assert_locked_excl(inode);
> 4.	inode_lock_shared(inode);	inode_assert_locked_excl(inode);
> 
> I worry that this abstraction will cause people to write
> inode_assert_locked() when they really need to check
> inode_assert_locked_excl().  We already had/have this problem:
> https://lore.kernel.org/all/20230831101824.qdko4daizgh7phav@f/
> 
> So how do we make it that people write the right one?
> Renaming inode_assert_locked() to inode_assert_locked_shared() isn't
> the answer because it checks that the lock is _at least_ shared, it
> might be held exclusively.
> 
> Rename inode_assert_locked() to inode_assert_held()?  That might be
> enough of a disconnect that people would not make bad assumptions.
> I don't have a good answer here, or I'd send a patch to do that.
> Please suggest something ;-)

Ideally all ops would explicitly specify how they lock and what they
check, so in particular there would be inode_lock_write or similar, but
that's not worth the churn.

Second best option that I see is to patch up just the assertions to be
very explicit, to that end:
inode_assert_locked_excl
inode_assert_locked_any

No dedicated entry for shared-only, unless someone can point out
legitimate usage.

So happens I was looking at adding VFS_* debug macros (as in a config
option to have them be optionally compiled in) and this bit is related
-- namely absent the debug option *and* lockdep all these asserts should
compile to nothing. But I can elide these asserts from my initial patch
and add them after the above is settled.