Al Viro wrote:
> On Tue, Feb 10, 2009 at 01:19:17PM +0800, Li Zefan wrote:
>>> You have no promise whatsoever that whoever's been trying to
>>> get the lock in question will even get out of the locking primitive
>>> before the memory that contains the lock gets freed. In case of superblocks
>>> in general, you don't free them until ->s_count hits zero. At that point
>>> anything as much as remembering the address of that superblock is already
>>> FUBAR.
>>>
>> This is not the general case. This sb won't be seen by anyone, and destroy_super()
>> is called on an sb with ->s_count == 1 and ->s_umount held.
>
> ... so in this case we have an even stronger guarantee of everything being
> OK with freeing it while locked. "Nothing has ever seen its address"
> means that the entire struct contents are fair game...
>

Yes, this won't cause bad things, but I think it's better to make lock/unlock
consistent, and we have to make lockdep happy.

> As for the other question, you are leaving a reference to root hanging from
> a superblock still on the list (grab_super() will fail on it, but that's it)
> and you have code that might look into the damn thing (the test callback you
> pass to sget()). Dereferencing pointers to freed objects is not nice, to
> put it mildly...
>

It's clear to me now, thanks for the explanation. Though I failed to trigger
this bug, I managed to trigger it if I set sb->s_fs_info to NULL just after
kfree(root).

> BTW, which dentries are going to stick around until that point?
>

Not sure if I got what you mean. cgroup_kill_sb() will be called only if
there are no sub-dirs.