On Thu, Aug 10, 2023 at 04:47:22PM -0700, Linus Torvalds wrote:
> So I might be barking up entirely the wrong tree.

Yeah, I think you are, it sounds like you're describing an entirely different sort of race.

The issue here is just that killing off a process should release all the references it holds, and if we kill off all processes accessing a filesystem we should be able to unmount it - but in this case we can't, because fputs() are being delayed asynchronously.

delayed_fput() from AIO turned out to not be an issue in my testing, for reasons that are unclear to me; flush_delayed_fput() certainly isn't called in any relevant codepaths. The code _looks_ buggy to me, but I wasn't able to trigger the bug with AIO.

io_uring adds its own layer of indirect asynchronous reference holding, and that's why the issue crops up there - but io_uring isn't using delayed_fput() either.

The patch I posted was to make sure the file ref doesn't outlive the task - I honestly don't know what you and Jens don't like about that approach (obviously, adding task->ref gets and puts to fastpaths is a nonstarter, but that's fixable as mentioned).