On Sun, Nov 24, 2013 at 06:04:13AM -0800, Christoph Hellwig wrote: > Seems I can reproduce this by doing a full xfstests run and then > shutting down the VM. Doesn't seem to happen with the XFS tree > which is still based on 3.12-rc1. may_lookup() with LOOKUP_RCU in nd->flags and NULL nd->inode, by the look of it... Interesting. AFAICS, path_init() initializes nd->inode on all success exits. As for the places where we reassign nd->inode, we have the following: fs/namei.c:681: nd->inode = nd->path.dentry->d_inode; nd_jump_link(), we would've already left RCU mode fs/namei.c:856: nd->inode = nd->path.dentry->d_inode; follow_link() - ditto. fs/namei.c:1160: nd->inode = nd->path.dentry->d_inode; follow_dotdot_rcu() fs/namei.c:1257: nd->inode = nd->path.dentry->d_inode; follow_dotdot() - not in RCU mode fs/namei.c:1547: nd->inode = inode; walk_component() - inode can't be NULL here, variable has been explicitly compared with NULL a few lines prior fs/namei.c:1825: nd->inode = inode; path_init() with LOOKUP_ROOT; not from stat(2) and it would've already oopsed with NULL inode anyway. fs/namei.c:1892: nd->inode = nd->path.dentry->d_inode; path_init() fs/namei.c:3006: nd->inode = inode; do_last(), not from stat(2) and no may_lookup() done past that point anyway. fs/namei.c:3077: nd->inode = dir->d_inode; do_last(), not from stat(2) which seems to leave two candidates - follow_dotdot_rcu() and path_init(), both setting nd->inode to nd->path.dentry->d_inode... Could you try to reproduce it with something like if (read_seqretry(&mount_lock, nd->m_seq)) goto failed; slapped before the success exit in follow_dotdot_rcu(), just to see if we are hitting some races with umount here? -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
