diff options
| author | Dave Chinner <dchinner@redhat.com> | 2012-03-06 23:50:25 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2012-04-02 12:27:13 -0400 |
| commit | c5ee1ac24b6f878e63fd208984b3cfe3ccf7b9a8 (patch) | |
| tree | 9674195b9f8c69f286e6ff09a67305f9c6e8ebdd | |
| parent | 6e8768d198a2ea5f31dbd2fe679a62c605fcdbbd (diff) | |
xfs: fix inode lookup race
commit f30d500f809eca67a21704347ab14bb35877b5ee upstream.
When we get concurrent lookups of the same inode that is not in the
per-AG inode cache, there is a race condition that triggers warnings
in unlock_new_inode() indicating that we are initialising an inode
that isn't in a the correct state for a new inode.
When we do an inode lookup via a file handle or a bulkstat, we don't
serialise lookups at a higher level through the dentry cache (i.e.
pathless lookup), and so we can get concurrent lookups of the same
inode.
The race condition is between the insertion of the inode into the
cache in the case of a cache miss and a concurrently lookup:
Thread 1 Thread 2
xfs_iget()
xfs_iget_cache_miss()
xfs_iread()
lock radix tree
radix_tree_insert()
rcu_read_lock
radix_tree_lookup
lock inode flags
XFS_INEW not set
igrab()
unlock inode flags
rcu_read_unlock
use uninitialised inode
.....
lock inode flags
set XFS_INEW
unlock inode flags
unlock radix tree
xfs_setup_inode()
inode flags = I_NEW
unlock_new_inode()
WARNING as inode flags != I_NEW
This can lead to inode corruption, inode list corruption, etc, and
is generally a bad thing to occur.
Fix this by setting XFS_INEW before inserting the inode into the
radix tree. This will ensure any concurrent lookup will find the new
inode with XFS_INEW set and that forces the lookup to wait until the
XFS_INEW flag is removed before allowing the lookup to succeed.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Ben Myers <bpm@sgi.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | fs/xfs/xfs_iget.c | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/fs/xfs/xfs_iget.c b/fs/xfs/xfs_iget.c index 3631783b2b5..ca752f05c31 100644 --- a/fs/xfs/xfs_iget.c +++ b/fs/xfs/xfs_iget.c | |||
| @@ -356,9 +356,20 @@ xfs_iget_cache_miss( | |||
| 356 | BUG(); | 356 | BUG(); |
| 357 | } | 357 | } |
| 358 | 358 | ||
| 359 | spin_lock(&pag->pag_ici_lock); | 359 | /* |
| 360 | * These values must be set before inserting the inode into the radix | ||
| 361 | * tree as the moment it is inserted a concurrent lookup (allowed by the | ||
| 362 | * RCU locking mechanism) can find it and that lookup must see that this | ||
| 363 | * is an inode currently under construction (i.e. that XFS_INEW is set). | ||
| 364 | * The ip->i_flags_lock that protects the XFS_INEW flag forms the | ||
| 365 | * memory barrier that ensures this detection works correctly at lookup | ||
| 366 | * time. | ||
| 367 | */ | ||
| 368 | ip->i_udquot = ip->i_gdquot = NULL; | ||
| 369 | xfs_iflags_set(ip, XFS_INEW); | ||
| 360 | 370 | ||
| 361 | /* insert the new inode */ | 371 | /* insert the new inode */ |
| 372 | spin_lock(&pag->pag_ici_lock); | ||
| 362 | error = radix_tree_insert(&pag->pag_ici_root, agino, ip); | 373 | error = radix_tree_insert(&pag->pag_ici_root, agino, ip); |
| 363 | if (unlikely(error)) { | 374 | if (unlikely(error)) { |
| 364 | WARN_ON(error != -EEXIST); | 375 | WARN_ON(error != -EEXIST); |
| @@ -366,11 +377,6 @@ xfs_iget_cache_miss( | |||
| 366 | error = EAGAIN; | 377 | error = EAGAIN; |
| 367 | goto out_preload_end; | 378 | goto out_preload_end; |
| 368 | } | 379 | } |
| 369 | |||
| 370 | /* These values _must_ be set before releasing the radix tree lock! */ | ||
| 371 | ip->i_udquot = ip->i_gdquot = NULL; | ||
| 372 | xfs_iflags_set(ip, XFS_INEW); | ||
| 373 | |||
| 374 | spin_unlock(&pag->pag_ici_lock); | 380 | spin_unlock(&pag->pag_ici_lock); |
| 375 | radix_tree_preload_end(); | 381 | radix_tree_preload_end(); |
| 376 | 382 | ||