2.5.64 sysfs bug

2.5.64 sysfs bug

[David Howells]

Hi, I seem to be getting tripping a bug somewhere with my filesystem now that
I'm using it with 2.5.64 (no problems of this nature occurred with
2.5.63). The problem occurs during rmmod (I don't need to actually mount
anything):

	[root@host135 root]# insmod /tmp/cachefs.ko
	[root@host135 root]# rmmod -f cachefs
	[root@host135 root]# insmod /tmp/cachefs.ko
	[root@host135 root]# rmmod -f cachefs
	Segmentation fault
	[root@host135 root]# 

I see this appearing on the console:

[insmod] ==> cachefs_init()
CacheFS: Started kcachefs_jnld 1161
[insmod] ==> cachefs_fs_init()
[insmod] <== cachefs_fs_init() = 0
[insmod] <== cachefs_init()
[rmmod ] ==> cachefs_exit()
[rmmod ] ==> cachefs_fs_exit()
[rmmod ] <== cachefs_fs_exit()
[kujnld] <== kcachefs_jnld()
[rmmod ] <== cachefs_exit() = 0
[insmod] ==> cachefs_init()
CacheFS: Started kcachefs_jnld 1164
[insmod] ==> cachefs_fs_init()
[insmod] <== cachefs_fs_init() = 0
[insmod] <== cachefs_init()
[rmmod ] ==> cachefs_exit()
[rmmod ] ==> cachefs_fs_exit()
------------[ cut here ]------------
kernel BUG at include/linux/dcache.h:266!
invalid operand: 0000
CPU:    0
EIP:    0060:[<c019016c>]    Not tainted
EFLAGS: 00010246
EIP is at sysfs_remove_dir+0x1c/0x14e
eax: 00000000   ebx: c886b494   ecx: c0331bc4   edx: c886b480
esi: c6a7abcc   edi: c69be000   ebp: c69be000   esp: c69bff00
ds: 007b   es: 007b   ss: 0068
Process rmmod (pid: 1165, threadinfo=c69be000 task=c6e40ca0)
Stack: 00001b05 00001b27 fffffffd c886b494 c886b480 c69be000 c69be000 c01faa13 
       c886b494 c886b494 c01faa43 c886b494 00000000 c017516b c886b494 c69be000 
       00000000 c886661d c886b480 c6e40f96 c88669b4 c886b560 c88665a8 c8867500 
Call Trace:
 [<c886b494>] cachefs_fs_type+0x14/0x80 [cachefs]
 [<c886b480>] cachefs_fs_type+0x0/0x80 [cachefs]
 [<c01faa13>] kobject_del+0x13/0x30
 [<c886b494>] cachefs_fs_type+0x14/0x80 [cachefs]
 [<c886b494>] cachefs_fs_type+0x14/0x80 [cachefs]
 [<c01faa43>] kobject_unregister+0x13/0x30
 [<c886b494>] cachefs_fs_type+0x14/0x80 [cachefs]
 [<c017516b>] unregister_filesystem+0x3b/0x40
 [<c886b494>] cachefs_fs_type+0x14/0x80 [cachefs]
 [<c886661d>] cachefs_fs_exit+0x4d/0xb0 [cachefs]
 [<c886b480>] cachefs_fs_type+0x0/0x80 [cachefs]
 [<c88669b4>] __func__.1+0x0/0x10 [cachefs]
 [<c886b560>] +0x0/0x120 [cachefs]
 [<c88665a8>] cachefs_exit+0x28/0x50 [cachefs]
 [<c8867500>] +0xa80/0x1511 [cachefs]
 [<c013538e>] sys_delete_module+0x1ae/0x1e0
 [<c013538e>] sys_delete_module+0x1ae/0x1e0
 [<c886b560>] +0x0/0x120 [cachefs]
 [<c014804e>] sys_brk+0xfe/0x130
 [<c0117380>] do_page_fault+0x0/0x47f
 [<c0109ac3>] syscall_call+0x7/0xb

Code: 0f 0b 0a 01 8b 37 2e c0 f0 ff 06 83 4e 04 08 85 f6 0f 84 13 

The cachefs_fs_exit() function is:

	void __exit cachefs_fs_exit(void)
	{
		kenter("");

		unregister_filesystem(&cachefs_fs_type);

		/* destroy our private inode cache */
		kmem_cache_destroy(cachefs_inode_cachep);

		kleave("");
	} /* end cachefs_fs_exit() */

The function causing the bug report is:

	[include/linux/dcache.h]
	static __inline__ struct dentry * dget(struct dentry *dentry)
	{
		if (dentry) {
			if (!atomic_read(&dentry->d_count))
				BUG();
			atomic_inc(&dentry->d_count);
			dentry->d_vfs_flags |= DCACHE_REFERENCED;
		}
		return dentry;
	}

David

Re: 2.5.64 sysfs bug

[Patrick Mochel]

On Fri, 7 Mar 2003, David Howells wrote:

> 
> Hi, I seem to be getting tripping a bug somewhere with my filesystem now that
> I'm using it with 2.5.64 (no problems of this nature occurred with
> 2.5.63). The problem occurs during rmmod (I don't need to actually mount
> anything):
> 
> 	[root@host135 root]# insmod /tmp/cachefs.ko
> 	[root@host135 root]# rmmod -f cachefs
> 	[root@host135 root]# insmod /tmp/cachefs.ko
> 	[root@host135 root]# rmmod -f cachefs
> 	Segmentation fault
> 	[root@host135 root]# 
> 
> I see this appearing on the console:

Could you try the attached patch, and let me know if it helps? 

Thanks,

	-pat

===== fs/sysfs/dir.c 1.2 vs edited =====
--- 1.2/fs/sysfs/dir.c	Thu Jan 30 17:10:06 2003
+++ edited/fs/sysfs/dir.c	Thu Mar  6 14:34:01 2003
@@ -71,7 +71,7 @@
 
 void sysfs_remove_dir(struct kobject * kobj)
 {
-	struct list_head * node, * next;
+	struct list_head * node;
 	struct dentry * dentry = dget(kobj->dentry);
 	struct dentry * parent;
 
@@ -83,31 +83,28 @@
 	down(&parent->d_inode->i_sem);
 	down(&dentry->d_inode->i_sem);
 
-	list_for_each_safe(node,next,&dentry->d_subdirs) {
-		struct dentry * d = dget(list_entry(node,struct dentry,d_child));
-		/** 
-		 * Make sure dentry is still there 
-		 */
-		pr_debug(" o %s: ",d->d_name.name);
-		if (d->d_inode) {
+	spin_lock(&dcache_lock);
+	node = dentry->d_subdirs.next;
+	while (node != &dentry->d_subdirs) {
+		struct dentry * d = list_entry(node,struct dentry,d_child);
+		list_del_init(node);
 
+		pr_debug(" o %s (%d): ",d->d_name.name,atomic_read(&d->d_count));
+		if (d->d_inode) {
+			d = dget_locked(d);
 			pr_debug("removing");
+
 			/**
 			 * Unlink and unhash.
 			 */
-			simple_unlink(dentry->d_inode,d);
+			spin_unlock(&dcache_lock);
 			d_delete(d);
-
-			/**
-			 * Drop reference from initial sysfs_get_dentry().
-			 */
+			simple_unlink(dentry->d_inode,d);
 			dput(d);
+			spin_lock(&dcache_lock);
 		}
-		pr_debug(" done (%d)\n",atomic_read(&d->d_count));
-		/**
-		 * drop reference from dget() above.
-		 */
-		dput(d);
+		pr_debug(" done\n");
+		node = dentry->d_subdirs.next;
 	}
 
 	up(&dentry->d_inode->i_sem);