From: Eric Sandeen <sandeen@redhat.com> Date: Mon, 1 Jun 2009 14:33:20 -0500 Subject: [fs] vfs: skip I_CLEAR state inodes in drop_pagecache_sb Message-id: 4A242D00.5050104@redhat.com O-Subject: [PATCH RHEL5.4] vfs: skip I_CLEAR state inodes in drop_pagecache_sb Bugzilla: 500164 RH-Acked-by: Jeff Layton <jlayton@redhat.com> This is for Bug #500164, Possible panic when drop_pagecache_sb() and prune_icache() run concurrently. Simple backport of upstream patch as shown below; only the first hunk is relevant to RHEL5. Thanks to Harshula for doing the original backport of this patch for RHEL5. Thanks, -Eric X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=b6fac63cc1f52ec27f29fe6c6c8494a2ffac33fd vfs: skip I_CLEAR state inodes clear_inode() will switch inode state from I_FREEING to I_CLEAR, and do so _outside_ of inode_lock. So any I_FREEING testing is incomplete without a coupled testing of I_CLEAR. So add I_CLEAR tests to drop_pagecache_sb(), generic_sync_sb_inodes() and add_dquot_ref(). Masayoshi MIZUMA discovered the bug in drop_pagecache_sb() and Jan Kara reminds fixing the other two cases. Masayoshi MIZUMA has a nice panic flow: ===================================================================== [process A] | [process B] | | | prune_icache() | drop_pagecache() | spin_lock(&inode_lock) | drop_pagecache_sb() | inode->i_state |= I_FREEING; | | | spin_unlock(&inode_lock) | V | | | spin_lock(&inode_lock) | V | | | dispose_list() | | | list_del() | | | clear_inode() | | | inode->i_state = I_CLEAR | | | | | V | | | if (inode->i_state & (I_FREEING|I_WILL_FREE)) | | | continue; <==== NOT MATCH | | | | | | (DANGER from here on! Accessing disposing inode!) | | | | | | __iget() | | | list_move() <===== PANIC on poisoned list !! V V | (time) ===================================================================== diff --git a/fs/drop_caches.c b/fs/drop_caches.c index f5aae26..16db525 100644 --- a/fs/drop_caches.c +++ b/fs/drop_caches.c @@ -18,7 +18,7 @@ static void drop_pagecache_sb(struct super_block *sb) spin_lock(&inode_lock); list_for_each_entry(inode, &sb->s_inodes, i_sb_list) { - if (inode->i_state & (I_FREEING|I_WILL_FREE)) + if (inode->i_state & (I_FREEING|I_CLEAR|I_WILL_FREE)) continue; __iget(inode); spin_unlock(&inode_lock);