From 4e56755a7d65add91da1ab50b56ea77cf61bd599 Mon Sep 17 00:00:00 2001
From: Kirill Korotaev <dev@sw.ru>
Date: Wed, 22 Sep 2004 04:21:31 -0700
Subject: [PATCH] Fix of race in writeback_inodes()

This patch fixes race in writeback_inodes() described below:

writeback_inodes()
{
     ....
     sb->s_count++;
     spin_unlock(&sb_lock);
     ....
     spin_lock(&sb_lock);
     if (__put_super(sb))        <<< X
         goto restart;
     }
}

deactivate_super()
{
     fs->kill_sb(s);
         kill_block_super(sb)
             generic_shutdown_super(sb)
                     spin_lock(&sb_lock);
                     list_del(&sb->s_list);    <<< Y
                     spin_unlock(&sb_lock);
     ....
     put_super(s);
             spin_lock(&sb_lock);
             __put_super(sb);            <<< Z
             spin_unlock(&sb_lock);
}

The problem with it is that writeback_inodes() supposes that if
__put_super() returns 0 then no super block was deleted from the list and
we can safely traverse sb list further.

But as it is obvious from the deactivate_super() it's not actually true.
because at point Y we delete super block from the list and drop the lock.
We do __put_super() very much later...  So we can find sb with poisoned
sb->s_list at point X and we won't be the last sb reference holders.  The
last reference will be dropped in point Z.

So in case of the following sequence of execution Y -> X -> Z we'll get an
oops after point X in writeback_inodes().

This patch introduces __put_super_and_need_restart() function which allows
safe traversing of sb list.  I'll send a couple of patches later which
remove O(n^2) algos and using this function.

Signed-Off-By: Kirill Korotaev <dev@sw.ru>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
---
 include/linux/fs.h | 1 +
 1 file changed, 1 insertion(+)

(limited to 'include/linux')

diff --git a/include/linux/fs.h b/include/linux/fs.h
index 76f96659507a..5bb9738362d5 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1149,6 +1149,7 @@ struct super_block *sget(struct file_system_type *type,
 struct super_block *get_sb_pseudo(struct file_system_type *, char *,
 			struct super_operations *ops, unsigned long);
 int __put_super(struct super_block *sb);
+int __put_super_and_need_restart(struct super_block *sb);
 void unnamed_dev_init(void);
 
 /* Alas, no aliases. Too much hassle with bringing module.h everywhere */
-- 
cgit v1.2.3