The bump is gated by I_FREEING | I_WILL_FREE, but these flags can only legally show up if the count is 0. Consequently if the value is at least 1 and it succesfully CAS'ed to something higher, the flags must not be there. I verified all places which look at the refcount either only care about it staying 0 (and have the lock enforce it) or don't hold the inode lock to begin with. Thus the patch retains the invariant for correct consumers and does not make things worse for the rest. Signed-off-by: Mateusz Guzik --- fs/inode.c | 5 +++++ include/linux/fs.h | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/fs/inode.c b/fs/inode.c index fc6045e6d43f..17b925887382 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -1580,6 +1580,11 @@ EXPORT_SYMBOL(iunique); struct inode *igrab(struct inode *inode) { + if (atomic_add_unless(&inode->i_count, 1, 0)) { + VFS_BUG_ON_INODE(inode_state_read_once(inode) & (I_FREEING | I_WILL_FREE), inode); + return inode; + } + spin_lock(&inode->i_lock); if (!(inode_state_read(inode) & (I_FREEING | I_WILL_FREE))) { __iget(inode); diff --git a/include/linux/fs.h b/include/linux/fs.h index 07363fce4406..119e0a3d2f42 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -2234,8 +2234,8 @@ static inline int icount_read_once(const struct inode *inode) } /* - * returns the refcount on the inode. The lock guarantees no new references - * are added, but references can be dropped as long as the result is > 0. + * returns the refcount on the inode. The lock guarantees no 0->1 or 1->0 transitions + * of the count are going to take place, otherwise it changes arbitrarily. */ static inline int icount_read(const struct inode *inode) { -- 2.48.1