Date: Tue, 8 Jun 2021 10:45:44 +0200
From: Jan Kara
To: Roman Gushchin
Cc: Jan Kara, Tejun Heo, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Alexander Viro, Dennis Zhou, Dave Chinner, cgroups@vger.kernel.org, Jan Kara
Subject: Re: [PATCH v8 3/8] writeback, cgroup: increment isw_nr_in_flight before grabbing an inode
Message-ID: <20210608084544.GB5562@quack2.suse.cz>
References: <20210608013123.1088882-1-guro@fb.com> <20210608013123.1088882-4-guro@fb.com>
In-Reply-To: <20210608013123.1088882-4-guro@fb.com>

On Mon 07-06-21 18:31:18, Roman Gushchin wrote:
> isw_nr_in_flight is used to determine whether the inode switch queue
> should be flushed from the umount path. Currently it's increased
> after grabbing an inode and even scheduling the switch work. It means
> the umount path can be walked past cleanup_offline_cgwb() with active
> inode references, which can result in a "Busy inodes after unmount."
> message and use-after-free issues (with inode->i_sb which gets freed).
>
> Fix it by incrementing isw_nr_in_flight before doing anything with
> the inode and decrementing in the case when switching wasn't scheduled.
>
> The problem hasn't yet been seen in the real life and was discovered
> by Jan Kara by looking into the code.
>
> Suggested-by: Jan Kara
> Signed-off-by: Roman Gushchin

Looks good. Feel free to add:

Reviewed-by: Jan Kara

Honza

> --- > fs/fs-writeback.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c > index 3564efcc4b78..e2cc860a001b 100644 > --- a/fs/fs-writeback.c > +++ b/fs/fs-writeback.c > @@ -505,6 +505,8 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id) > if (!isw) > return; > > + atomic_inc(&isw_nr_in_flight); > + > /* find and pin the new wb */ > rcu_read_lock(); > memcg_css = css_from_id(new_wb_id, &memory_cgrp_subsys); > @@ -535,11 +537,10 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id) > * Let's continue after I_WB_SWITCH is guaranteed to be visible. > */ > call_rcu(&isw->rcu_head, inode_switch_wbs_rcu_fn); > - > - atomic_inc(&isw_nr_in_flight); > return; > > out_free: > + atomic_dec(&isw_nr_in_flight); > if (isw->new_wb) > wb_put(isw->new_wb); > kfree(isw); > -- > 2.31.1 >
-- 
Jan Kara
SUSE Labs, CR
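
Review bot: the atomic_inc(&isw_nr_in_flight) added in the first hunk is undone only at out_free, so every failure exit between it and call_rcu() has to leave through that label, and the lines between the two hunks are not shown here. Please confirm no bare return remains in that range, since a leaked count would leave the umount-side check seeing a non-zero counter indefinitely, and consider a one-line comment at the increment naming where it is paired (out_free on failure, the switch work on success). Separately, atomic_inc() carries no ordering guarantee of its own, so a short note on what makes the increment visible to the umount path before the inode is grabbed would help future readers of this function.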