f2fs and ntfs play games where they transitiong the refcount 0->1 and release the inode spinlock, allowing other threads to grab a ref of their own. They also return 0 in that case, making this problem harmless. Should they start using the I_DONTCACHE machinery down the road while retaining the above, iput_final() will get a race where it can proceed to teardown an inode with references. Future-proof it. Developing better ->drop_inode and sanitizing all users is left as en exercise for the reader. Signed-off-by: Mateusz Guzik --- fs/inode.c | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/fs/inode.c b/fs/inode.c index 0050eca6d83f..a417abc64822 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -1935,20 +1935,29 @@ static void iput_final(struct inode *inode) else drop = inode_generic_drop(inode); - if (!drop && - !(inode_state_read(inode) & I_DONTCACHE) && - (sb->s_flags & SB_ACTIVE)) { + /* + * XXXCRAP: there are ->drop_inode hooks playing nasty games releasing the + * spinlock and temporarily grabbing refs. This opens a possibility someone + * else will sneak in and grab a ref while it happens. + * + * If such a hook returns 0 (== don't drop) this happens to be harmless as long + * as the inode is not marked with I_DONTCACHE. Otherwise we are proceeding with + * teardown despite references being present. + * + * Damage-control the problem by including the count in the decision. However, + * assert no refs showed up if the hook decided to drop the inode. + */ + if (drop) + VFS_BUG_ON_INODE(icount_read(inode) != 0, inode); + + if (icount_read(inode) > 0 || + (!drop && !(inode_state_read(inode) & I_DONTCACHE) && + (sb->s_flags & SB_ACTIVE))) { __inode_lru_list_add(inode, true); spin_unlock(&inode->i_lock); return; } - /* - * Re-check ->i_count in case the ->drop_inode() hooks played games. - * Note we only execute this if the verdict was to drop the inode. - */ - VFS_BUG_ON_INODE(icount_read(inode) != 0, inode); - if (drop) { inode_state_set(inode, I_FREEING); } else { -- 2.48.1