I create the patch which fixes lack of mutex_lock in drop_pagecache_sb().
Please check the bug and the patch (below).
----------------------------------------------------------------------
When drop_pagecache_sb() frees inodes, it doesn't get mutex_lock of
iprune_mutex. Therefore, if it races the process which frees inodes
(ex. prune_icache()), OS panic may happen.
An example of the panic flow is the following:
----------------------------------------------------------------------
[process A] | [process B]
| |
| shrink_icache_memory() |
| | |
| V |
| prune_icache() | drop_pagecache()
| mutex_lock(&iprune_mutex) | |
| spin_lock(&inode_lock) | |
| | | V
| | | drop_pagecache_sb()
| | | |
| V | V
| spin_unlock(&inode_lock) | spin_lock(&inode_lock)
| | | |
| | | |
| V | V
| dispose_list() | __iget()
| list_del() | |
| | | |
| V | V
| spin_lock(&inode_lock) | list_move() <----- PANIC !!
| |
V |
(time)
----------------------------------------------------------------------
If the inode which Process B do list_move() with is the same as the one which
Process A did list_del() with, OS may panic.
Fixing this bug requires the following:
- Adding mutex_lock of iprune_mutex to drop_pagecache_sb().
- Changing iprune_mutex from static to global.
Signed-off-by: Masayoshi Mizuma <m.mizuma@xxxxxxxxxxxxxx>
---
fs/drop_caches.c | 2 ++
fs/inode.c | 2 +-
include/linux/writeback.h | 1 +
3 files changed, 4 insertions(+), 1 deletion(-)
diff -Nurp linux-2.6.29-rc7.orig/fs/drop_caches.c linux-2.6.29-rc7/fs/drop_caches.c
--- linux-2.6.29-rc7.orig/fs/drop_caches.c 2009-03-10 06:38:17.137283010 +0900
+++ linux-2.6.29-rc7/fs/drop_caches.c 2009-03-11 04:04:29.705284864 +0900
@@ -16,6 +16,7 @@ static void drop_pagecache_sb(struct sup
{
struct inode *inode, *toput_inode = NULL;
+ mutex_lock(&iprune_mutex);
spin_lock(&inode_lock);
list_for_each_entry(inode, &sb->s_inodes, i_sb_list) {
if (inode->i_state & (I_FREEING|I_WILL_FREE))
@@ -31,6 +32,7 @@ static void drop_pagecache_sb(struct sup
}
spin_unlock(&inode_lock);
iput(toput_inode);
+ mutex_unlock(&iprune_mutex);
}
static void drop_pagecache(void)
diff -Nurp linux-2.6.29-rc7.orig/fs/inode.c linux-2.6.29-rc7/fs/inode.c
--- linux-2.6.29-rc7.orig/fs/inode.c 2009-03-10 06:38:22.404282773 +0900
+++ linux-2.6.29-rc7/fs/inode.c 2009-03-18 07:17:31.032284423 +0900
@@ -91,7 +91,7 @@ DEFINE_SPINLOCK(inode_lock);
* from its final dispose_list, the struct super_block they refer to
* (for inode->i_sb->s_op) may already have been freed and reused.
*/
-static DEFINE_MUTEX(iprune_mutex);
+DEFINE_MUTEX(iprune_mutex);
/*
* Statistics gathering..
diff -Nurp linux-2.6.29-rc7.orig/include/linux/writeback.h linux-2.6.29-rc7/include/linux/writeback.h
--- linux-2.6.29-rc7.orig/include/linux/writeback.h 2009-03-10 06:38:27.133285255 +0900
+++ linux-2.6.29-rc7/include/linux/writeback.h 2009-03-11 05:27:43.679283477 +0900
@@ -10,6 +10,7 @@
struct backing_dev_info;
extern spinlock_t inode_lock;
+extern struct mutex iprune_mutex;
extern struct list_head inode_in_use;
extern struct list_head inode_unused;
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
