[PATCH] Race with iput and umount

Jeff Mahoney notes: "generic_shutdown_super() will happily call the ->put_super fs method, destroying data structures still in use by the iput (->delete_inode) in progress. The unlink path will call the ->unlink fs method, release the path (thus dropping the reference to the vfsmount, and then call iput. Since the vfsmount reference is dropped back to 1, a umount will succeed, causing the superblock to be cleaned up." Arrgh... Here's the trivial fix: do the final "iput()" a bit earlier in the unlink path. Note: all places that go to exit1: or exit: will have NULL inode, so we are not leaking anything here and it is OK do that iput() early; indeed, the goal of that kludge was to postpone the final iput() past the unlocking the parent for the sake of contention if a wunch of bankers is doing parallel unlink() on files in the same directory and normally it would happen on dput() after vfs_unlink())

[PATCH] Race with iput and umount
Jeff Mahoney notes: "generic_shutdown_super() will happily call the ->put_super fs method, destroying data structures still in use by the iput (->delete_inode) in progress. The unlink path will call the ->unlink fs method, release the path (thus dropping the reference to the vfsmount, and then call iput. Since the vfsmount reference is dropped back to 1, a umount will succeed, causing the superblock to be cleaned up." Arrgh... Here's the trivial fix: do the final "iput()" a bit earlier in the unlink path. Note: all places that go to exit1: or exit: will have NULL inode, so we are not leaking anything here and it is OK do that iput() early; indeed, the goal of that kludge was to postpone the final iput() past the unlocking the parent for the sake of contention if a wunch of bankers is doing parallel unlink() on files in the same directory and normally it would happen on dput() after vfs_unlink())
6482f833 · Alexander Viro · Linus Torvalds · 928ce049 · 6482f833
Commit 6482f833 authored Oct 01, 2004 by Alexander Viro Committed by Linus Torvalds Oct 01, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 3 deletions

fs/namei.c fs/namei.c +2 -3

No files found.
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1825,13 +1825,12 @@ asmlinkage long sys_unlink(const char __user * pathname)
 		dput(dentry);
 	}
 	up(&nd.dentry->d_inode->i_sem);
+	if (inode)
+		iput(inode);	/* truncate the inode here */
 exit1:
 	path_release(&nd);
 exit:
 	putname(name);
-
-	if (inode)
-		iput(inode);	/* truncate the inode here */
 	return error;

 slashes: