<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs/dcache.c, branch linux-3.10.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>move the call of __d_drop(anon) into __d_materialise_unique(dentry, anon)</title>
<updated>2017-06-20T12:04:14+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2014-09-11T22:55:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=64df8d3b3fdd06a877ccac395f60dd54dd515897'/>
<id>64df8d3b3fdd06a877ccac395f60dd54dd515897</id>
<content type='text'>
commit 6f18493e541c690169c3b1479d47d95f624161cf upstream.

and lock the right list there

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Acked-by: NeilBrown &lt;neilb@suse.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 6f18493e541c690169c3b1479d47d95f624161cf upstream.

and lock the right list there

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Acked-by: NeilBrown &lt;neilb@suse.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fix d_walk()/non-delayed __d_free() race</title>
<updated>2016-08-27T09:39:59+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2016-06-08T01:26:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=742d555a529c3dbbf7d326620082f7cbb510ac7e'/>
<id>742d555a529c3dbbf7d326620082f7cbb510ac7e</id>
<content type='text'>
commit 3d56c25e3bb0726a5c5e16fc2d9e38f8ed763085 upstream.

Ascend-to-parent logics in d_walk() depends on all encountered child
dentries not getting freed without an RCU delay.  Unfortunately, in
quite a few cases it is not true, with hard-to-hit oopsable race as
the result.

Fortunately, the fix is simiple; right now the rule is "if it ever
been hashed, freeing must be delayed" and changing it to "if it
ever had a parent, freeing must be delayed" closes that hole and
covers all cases the old rule used to cover.  Moreover, pipes and
sockets remain _not_ covered, so we do not introduce RCU delay in
the cases which are the reason for having that delay conditional
in the first place.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
[wt: add the required change to __d_materialise_dentry() for kernels
  older than v3.17]
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 3d56c25e3bb0726a5c5e16fc2d9e38f8ed763085 upstream.

Ascend-to-parent logics in d_walk() depends on all encountered child
dentries not getting freed without an RCU delay.  Unfortunately, in
quite a few cases it is not true, with hard-to-hit oopsable race as
the result.

Fortunately, the fix is simiple; right now the rule is "if it ever
been hashed, freeing must be delayed" and changing it to "if it
ever had a parent, freeing must be delayed" closes that hole and
covers all cases the old rule used to cover.  Moreover, pipes and
sockets remain _not_ covered, so we do not introduce RCU delay in
the cases which are the reason for having that delay conditional
in the first place.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
[wt: add the required change to __d_materialise_dentry() for kernels
  older than v3.17]
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>dcache: Handle escaped paths in prepend_path</title>
<updated>2015-10-22T21:37:52+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2015-08-15T18:36:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=91397d567646df4ede8619beb678252e82fafb2a'/>
<id>91397d567646df4ede8619beb678252e82fafb2a</id>
<content type='text'>
commit cde93be45a8a90d8c264c776fab63487b5038a65 upstream.

A rename can result in a dentry that by walking up d_parent
will never reach it's mnt_root.  For lack of a better term
I call this an escaped path.

prepend_path is called by four different functions __d_path,
d_absolute_path, d_path, and getcwd.

__d_path only wants to see paths are connected to the root it passes
in.  So __d_path needs prepend_path to return an error.

d_absolute_path similarly wants to see paths that are connected to
some root.  Escaped paths are not connected to any mnt_root so
d_absolute_path needs prepend_path to return an error greater
than 1.  So escaped paths will be treated like paths on lazily
unmounted mounts.

getcwd needs to prepend "(unreachable)" so getcwd also needs
prepend_path to return an error.

d_path is the interesting hold out.  d_path just wants to print
something, and does not care about the weird cases.  Which raises
the question what should be printed?

Given that &lt;escaped_path&gt;/&lt;anything&gt; should result in -ENOENT I
believe it is desirable for escaped paths to be printed as empty
paths.  As there are not really any meaninful path components when
considered from the perspective of a mount tree.

So tweak prepend_path to return an empty path with an new error
code of 3 when it encounters an escaped path.

Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit cde93be45a8a90d8c264c776fab63487b5038a65 upstream.

A rename can result in a dentry that by walking up d_parent
will never reach it's mnt_root.  For lack of a better term
I call this an escaped path.

prepend_path is called by four different functions __d_path,
d_absolute_path, d_path, and getcwd.

__d_path only wants to see paths are connected to the root it passes
in.  So __d_path needs prepend_path to return an error.

d_absolute_path similarly wants to see paths that are connected to
some root.  Escaped paths are not connected to any mnt_root so
d_absolute_path needs prepend_path to return an error greater
than 1.  So escaped paths will be treated like paths on lazily
unmounted mounts.

getcwd needs to prepend "(unreachable)" so getcwd also needs
prepend_path to return an error.

d_path is the interesting hold out.  d_path just wants to print
something, and does not care about the weird cases.  Which raises
the question what should be printed?

Given that &lt;escaped_path&gt;/&lt;anything&gt; should result in -ENOENT I
believe it is desirable for escaped paths to be printed as empty
paths.  As there are not really any meaninful path components when
considered from the perspective of a mount tree.

So tweak prepend_path to return an empty path with an new error
code of 3 when it encounters an escaped path.

Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>vfs: Remove incorrect debugging WARN in prepend_path</title>
<updated>2015-10-01T10:07:38+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2015-05-24T14:25:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e6478de4fad8e6d7cad3ca3440ee4da599fb0b2f'/>
<id>e6478de4fad8e6d7cad3ca3440ee4da599fb0b2f</id>
<content type='text'>
commit 93e3bce6287e1fb3e60d3324ed08555b5bbafa89 upstream.

The warning message in prepend_path is unclear and outdated.  It was
added as a warning that the mechanism for generating names of pseudo
files had been removed from prepend_path and d_dname should be used
instead.  Unfortunately the warning reads like a general warning,
making it unclear what to do with it.

Remove the warning.  The transition it was added to warn about is long
over, and I added code several years ago which in rare cases causes
the warning to fire on legitimate code, and the warning is now firing
and scaring people for no good reason.

Reported-by: Ivan Delalande &lt;colona@arista.com&gt;
Reported-by: Omar Sandoval &lt;osandov@osandov.com&gt;
Fixes: f48cfddc6729e ("vfs: In d_path don't call d_dname on a mount point")
Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
[ vlee: Backported to 3.10. Adjusted context. ]
Signed-off-by: Vinson Lee &lt;vlee@twitter.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 93e3bce6287e1fb3e60d3324ed08555b5bbafa89 upstream.

The warning message in prepend_path is unclear and outdated.  It was
added as a warning that the mechanism for generating names of pseudo
files had been removed from prepend_path and d_dname should be used
instead.  Unfortunately the warning reads like a general warning,
making it unclear what to do with it.

Remove the warning.  The transition it was added to warn about is long
over, and I added code several years ago which in rare cases causes
the warning to fire on legitimate code, and the warning is now firing
and scaring people for no good reason.

Reported-by: Ivan Delalande &lt;colona@arista.com&gt;
Reported-by: Omar Sandoval &lt;osandov@osandov.com&gt;
Fixes: f48cfddc6729e ("vfs: In d_path don't call d_dname on a mount point")
Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
[ vlee: Backported to 3.10. Adjusted context. ]
Signed-off-by: Vinson Lee &lt;vlee@twitter.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>freeing unlinked file indefinitely delayed</title>
<updated>2015-08-10T19:20:29+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@ZenIV.linux.org.uk</email>
</author>
<published>2015-07-08T01:42:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=518309e081d6328daf443531c3a70cbb10277006'/>
<id>518309e081d6328daf443531c3a70cbb10277006</id>
<content type='text'>
commit 75a6f82a0d10ef8f13cd8fe7212911a0252ab99e upstream.

	Normally opening a file, unlinking it and then closing will have
the inode freed upon close() (provided that it's not otherwise busy and
has no remaining links, of course).  However, there's one case where that
does *not* happen.  Namely, if you open it by fhandle with cold dcache,
then unlink() and close().

	In normal case you get d_delete() in unlink(2) notice that dentry
is busy and unhash it; on the final dput() it will be forcibly evicted from
dcache, triggering iput() and inode removal.  In this case, though, we end
up with *two* dentries - disconnected (created by open-by-fhandle) and
regular one (used by unlink()).  The latter will have its reference to inode
dropped just fine, but the former will not - it's considered hashed (it
is on the -&gt;s_anon list), so it will stay around until the memory pressure
will finally do it in.  As the result, we have the final iput() delayed
indefinitely.  It's trivial to reproduce -

void flush_dcache(void)
{
        system("mount -o remount,rw /");
}

static char buf[20 * 1024 * 1024];

main()
{
        int fd;
        union {
                struct file_handle f;
                char buf[MAX_HANDLE_SZ];
        } x;
        int m;

        x.f.handle_bytes = sizeof(x);
        chdir("/root");
        mkdir("foo", 0700);
        fd = open("foo/bar", O_CREAT | O_RDWR, 0600);
        close(fd);
        name_to_handle_at(AT_FDCWD, "foo/bar", &amp;x.f, &amp;m, 0);
        flush_dcache();
        fd = open_by_handle_at(AT_FDCWD, &amp;x.f, O_RDWR);
        unlink("foo/bar");
        write(fd, buf, sizeof(buf));
        system("df .");			/* 20Mb eaten */
        close(fd);
        system("df .");			/* should've freed those 20Mb */
        flush_dcache();
        system("df .");			/* should be the same as #2 */
}

will spit out something like
Filesystem     1K-blocks   Used Available Use% Mounted on
/dev/root         322023 303843      1131 100% /
Filesystem     1K-blocks   Used Available Use% Mounted on
/dev/root         322023 303843      1131 100% /
Filesystem     1K-blocks   Used Available Use% Mounted on
/dev/root         322023 283282     21692  93% /
- inode gets freed only when dentry is finally evicted (here we trigger
than by remount; normally it would've happened in response to memory
pressure hell knows when).

Acked-by: J. Bruce Fields &lt;bfields@fieldses.org&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 75a6f82a0d10ef8f13cd8fe7212911a0252ab99e upstream.

	Normally opening a file, unlinking it and then closing will have
the inode freed upon close() (provided that it's not otherwise busy and
has no remaining links, of course).  However, there's one case where that
does *not* happen.  Namely, if you open it by fhandle with cold dcache,
then unlink() and close().

	In normal case you get d_delete() in unlink(2) notice that dentry
is busy and unhash it; on the final dput() it will be forcibly evicted from
dcache, triggering iput() and inode removal.  In this case, though, we end
up with *two* dentries - disconnected (created by open-by-fhandle) and
regular one (used by unlink()).  The latter will have its reference to inode
dropped just fine, but the former will not - it's considered hashed (it
is on the -&gt;s_anon list), so it will stay around until the memory pressure
will finally do it in.  As the result, we have the final iput() delayed
indefinitely.  It's trivial to reproduce -

void flush_dcache(void)
{
        system("mount -o remount,rw /");
}

static char buf[20 * 1024 * 1024];

main()
{
        int fd;
        union {
                struct file_handle f;
                char buf[MAX_HANDLE_SZ];
        } x;
        int m;

        x.f.handle_bytes = sizeof(x);
        chdir("/root");
        mkdir("foo", 0700);
        fd = open("foo/bar", O_CREAT | O_RDWR, 0600);
        close(fd);
        name_to_handle_at(AT_FDCWD, "foo/bar", &amp;x.f, &amp;m, 0);
        flush_dcache();
        fd = open_by_handle_at(AT_FDCWD, &amp;x.f, O_RDWR);
        unlink("foo/bar");
        write(fd, buf, sizeof(buf));
        system("df .");			/* 20Mb eaten */
        close(fd);
        system("df .");			/* should've freed those 20Mb */
        flush_dcache();
        system("df .");			/* should be the same as #2 */
}

will spit out something like
Filesystem     1K-blocks   Used Available Use% Mounted on
/dev/root         322023 303843      1131 100% /
Filesystem     1K-blocks   Used Available Use% Mounted on
/dev/root         322023 303843      1131 100% /
Filesystem     1K-blocks   Used Available Use% Mounted on
/dev/root         322023 283282     21692  93% /
- inode gets freed only when dentry is finally evicted (here we trigger
than by remount; normally it would've happened in response to memory
pressure hell knows when).

Acked-by: J. Bruce Fields &lt;bfields@fieldses.org&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>d_walk() might skip too much</title>
<updated>2015-07-04T02:48:09+00:00</updated>
<author>
<name>Jari Ruusu</name>
<email>jariruusu@users.sourceforge.net</email>
</author>
<published>2015-06-13T16:01:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b93e0acc5001b80153cb0c7efcdcc53cc56aac4a'/>
<id>b93e0acc5001b80153cb0c7efcdcc53cc56aac4a</id>
<content type='text'>
When Al Viro's VFS deadlock fix "deal with deadlock in d_walk()" was
backported to 3.10.y 3.4.y and 3.2.y stable kernel brances, the deadlock fix
was copied to 3 different places. Later, a bug in that code was discovered.
Al Viro's fix involved fixing only one part of code in mainline kernel. That
fix is called "d_walk() might skip too much".

3.10.y 3.4.y and 3.2.y stable kernel brances need that later fix copied to 3
different places. Greg Kroah-Hartman included Al Viro's "d_walk() might skip
too much" fix only once in 3.10.80 kernel, leaving 2 more places without a
fix.

The patch below was not written by me. I only applied Al Viro's "d_walk()
might skip too much" fix 2 more times to 3.10.80 kernel, and cheched that
the fixes went to correct places. With this patch applied, all 3 places that
I am aware of 3.10.y stable branch are now fixed.

Signed-off-by: Jari Ruusu &lt;jariruusu@users.sourceforge.net&gt;
Cc: Willy Tarreau &lt;w@1wt.eu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When Al Viro's VFS deadlock fix "deal with deadlock in d_walk()" was
backported to 3.10.y 3.4.y and 3.2.y stable kernel brances, the deadlock fix
was copied to 3 different places. Later, a bug in that code was discovered.
Al Viro's fix involved fixing only one part of code in mainline kernel. That
fix is called "d_walk() might skip too much".

3.10.y 3.4.y and 3.2.y stable kernel brances need that later fix copied to 3
different places. Greg Kroah-Hartman included Al Viro's "d_walk() might skip
too much" fix only once in 3.10.80 kernel, leaving 2 more places without a
fix.

The patch below was not written by me. I only applied Al Viro's "d_walk()
might skip too much" fix 2 more times to 3.10.80 kernel, and cheched that
the fixes went to correct places. With this patch applied, all 3 places that
I am aware of 3.10.y stable branch are now fixed.

Signed-off-by: Jari Ruusu &lt;jariruusu@users.sourceforge.net&gt;
Cc: Willy Tarreau &lt;w@1wt.eu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>d_walk() might skip too much</title>
<updated>2015-06-06T06:19:54+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2015-05-29T03:09:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bf6aa269ed400ba7f159341a926e77b7464f1b64'/>
<id>bf6aa269ed400ba7f159341a926e77b7464f1b64</id>
<content type='text'>
commit 2159184ea01e4ae7d15f2017e296d4bc82d5aeb0 upstream.

when we find that a child has died while we'd been trying to ascend,
we should go into the first live sibling itself, rather than its sibling.

Off-by-one in question had been introduced in "deal with deadlock in
d_walk()" and the fix needs to be backported to all branches this one
has been backported to.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 2159184ea01e4ae7d15f2017e296d4bc82d5aeb0 upstream.

when we find that a child has died while we'd been trying to ascend,
we should go into the first live sibling itself, rather than its sibling.

Off-by-one in question had been introduced in "deal with deadlock in
d_walk()" and the fix needs to be backported to all branches this one
has been backported to.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>dcache: Fix locking bugs in backported "deal with deadlock in d_walk()"</title>
<updated>2015-04-29T08:34:02+00:00</updated>
<author>
<name>Ben Hutchings</name>
<email>ben@decadent.org.uk</email>
</author>
<published>2015-02-11T03:16:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c190d250d8db5620218d5d56999580ed8488ec24'/>
<id>c190d250d8db5620218d5d56999580ed8488ec24</id>
<content type='text'>
commit 20defcec264ceab2630356fb9d397f3d237b5e6d upstream in 3.2-stable

Steven Rostedt reported:
&gt; Porting -rt to the latest 3.2 stable tree I triggered this bug:
&gt;
&gt; =====================================
&gt; [ BUG: bad unlock balance detected! ]
&gt; -------------------------------------
&gt; rm/1638 is trying to release lock (rcu_read_lock) at:
&gt; [&lt;c04fde6c&gt;] rcu_read_unlock+0x0/0x23
&gt; but there are no more locks to release!
&gt;
&gt; other info that might help us debug this:
&gt; 2 locks held by rm/1638:
&gt;  #0:  (&amp;sb-&gt;s_type-&gt;i_mutex_key#9/1){+.+.+.}, at: [&lt;c04f93eb&gt;] do_rmdir+0x5f/0xd2
&gt;  #1:  (&amp;sb-&gt;s_type-&gt;i_mutex_key#9){+.+.+.}, at: [&lt;c04f9329&gt;] vfs_rmdir+0x49/0xac
&gt;
&gt; stack backtrace:
&gt; Pid: 1638, comm: rm Not tainted 3.2.66-test-rt96+ #2
&gt; Call Trace:
&gt;  [&lt;c083f390&gt;] ? printk+0x1d/0x1f
&gt;  [&lt;c0463cdf&gt;] print_unlock_inbalance_bug+0xc3/0xcd
&gt;  [&lt;c04653a8&gt;] lock_release_non_nested+0x98/0x1ec
&gt;  [&lt;c046228d&gt;] ? trace_hardirqs_off_caller+0x18/0x90
&gt;  [&lt;c0456f1c&gt;] ? local_clock+0x2d/0x50
&gt;  [&lt;c04fde6c&gt;] ? d_hash+0x2f/0x2f
&gt;  [&lt;c04fde6c&gt;] ? d_hash+0x2f/0x2f
&gt;  [&lt;c046568e&gt;] lock_release+0x192/0x1ad
&gt;  [&lt;c04fde83&gt;] rcu_read_unlock+0x17/0x23
&gt;  [&lt;c04ff344&gt;] shrink_dcache_parent+0x227/0x270
&gt;  [&lt;c04f9348&gt;] vfs_rmdir+0x68/0xac
&gt;  [&lt;c04f9424&gt;] do_rmdir+0x98/0xd2
&gt;  [&lt;c04f03ad&gt;] ? fput+0x1a3/0x1ab
&gt;  [&lt;c084dd42&gt;] ? sysenter_exit+0xf/0x1a
&gt;  [&lt;c0465b58&gt;] ? trace_hardirqs_on_caller+0x118/0x149
&gt;  [&lt;c04fa3e0&gt;] sys_unlinkat+0x2b/0x35
&gt;  [&lt;c084dd13&gt;] sysenter_do_call+0x12/0x12
&gt;
&gt;
&gt;
&gt;
&gt; There's a path to calling rcu_read_unlock() without calling
&gt; rcu_read_lock() in have_submounts().
&gt;
&gt; 	goto positive;
&gt;
&gt; positive:
&gt; 	if (!locked &amp;&amp; read_seqretry(&amp;rename_lock, seq))
&gt; 		goto rename_retry;
&gt;
&gt; rename_retry:
&gt; 	rcu_read_unlock();
&gt;
&gt; in the above path, rcu_read_lock() is never done before calling
&gt; rcu_read_unlock();

I reviewed locking contexts in all three functions that I changed when
backporting "deal with deadlock in d_walk()".  It's actually worse
than this:

- We don't hold this_parent-&gt;d_lock at the 'positive' label in
  have_submounts(), but it is unlocked after 'rename_retry'.
- There is an rcu_read_unlock() after the 'out' label in
  select_parent(), but it's not held at the 'goto out'.

Fix all three lock imbalances.

Reported-by: Steven Rostedt &lt;rostedt@goodmis.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
Tested-by: Steven Rostedt &lt;rostedt@goodmis.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 20defcec264ceab2630356fb9d397f3d237b5e6d upstream in 3.2-stable

Steven Rostedt reported:
&gt; Porting -rt to the latest 3.2 stable tree I triggered this bug:
&gt;
&gt; =====================================
&gt; [ BUG: bad unlock balance detected! ]
&gt; -------------------------------------
&gt; rm/1638 is trying to release lock (rcu_read_lock) at:
&gt; [&lt;c04fde6c&gt;] rcu_read_unlock+0x0/0x23
&gt; but there are no more locks to release!
&gt;
&gt; other info that might help us debug this:
&gt; 2 locks held by rm/1638:
&gt;  #0:  (&amp;sb-&gt;s_type-&gt;i_mutex_key#9/1){+.+.+.}, at: [&lt;c04f93eb&gt;] do_rmdir+0x5f/0xd2
&gt;  #1:  (&amp;sb-&gt;s_type-&gt;i_mutex_key#9){+.+.+.}, at: [&lt;c04f9329&gt;] vfs_rmdir+0x49/0xac
&gt;
&gt; stack backtrace:
&gt; Pid: 1638, comm: rm Not tainted 3.2.66-test-rt96+ #2
&gt; Call Trace:
&gt;  [&lt;c083f390&gt;] ? printk+0x1d/0x1f
&gt;  [&lt;c0463cdf&gt;] print_unlock_inbalance_bug+0xc3/0xcd
&gt;  [&lt;c04653a8&gt;] lock_release_non_nested+0x98/0x1ec
&gt;  [&lt;c046228d&gt;] ? trace_hardirqs_off_caller+0x18/0x90
&gt;  [&lt;c0456f1c&gt;] ? local_clock+0x2d/0x50
&gt;  [&lt;c04fde6c&gt;] ? d_hash+0x2f/0x2f
&gt;  [&lt;c04fde6c&gt;] ? d_hash+0x2f/0x2f
&gt;  [&lt;c046568e&gt;] lock_release+0x192/0x1ad
&gt;  [&lt;c04fde83&gt;] rcu_read_unlock+0x17/0x23
&gt;  [&lt;c04ff344&gt;] shrink_dcache_parent+0x227/0x270
&gt;  [&lt;c04f9348&gt;] vfs_rmdir+0x68/0xac
&gt;  [&lt;c04f9424&gt;] do_rmdir+0x98/0xd2
&gt;  [&lt;c04f03ad&gt;] ? fput+0x1a3/0x1ab
&gt;  [&lt;c084dd42&gt;] ? sysenter_exit+0xf/0x1a
&gt;  [&lt;c0465b58&gt;] ? trace_hardirqs_on_caller+0x118/0x149
&gt;  [&lt;c04fa3e0&gt;] sys_unlinkat+0x2b/0x35
&gt;  [&lt;c084dd13&gt;] sysenter_do_call+0x12/0x12
&gt;
&gt;
&gt;
&gt;
&gt; There's a path to calling rcu_read_unlock() without calling
&gt; rcu_read_lock() in have_submounts().
&gt;
&gt; 	goto positive;
&gt;
&gt; positive:
&gt; 	if (!locked &amp;&amp; read_seqretry(&amp;rename_lock, seq))
&gt; 		goto rename_retry;
&gt;
&gt; rename_retry:
&gt; 	rcu_read_unlock();
&gt;
&gt; in the above path, rcu_read_lock() is never done before calling
&gt; rcu_read_unlock();

I reviewed locking contexts in all three functions that I changed when
backporting "deal with deadlock in d_walk()".  It's actually worse
than this:

- We don't hold this_parent-&gt;d_lock at the 'positive' label in
  have_submounts(), but it is unlocked after 'rename_retry'.
- There is an rcu_read_unlock() after the 'out' label in
  select_parent(), but it's not held at the 'goto out'.

Fix all three lock imbalances.

Reported-by: Steven Rostedt &lt;rostedt@goodmis.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
Tested-by: Steven Rostedt &lt;rostedt@goodmis.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>deal with deadlock in d_walk()</title>
<updated>2015-04-29T08:34:00+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2014-10-26T23:31:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5f03ac13d87590b0ee879c77e68df63a3d9b3e07'/>
<id>5f03ac13d87590b0ee879c77e68df63a3d9b3e07</id>
<content type='text'>
commit ca5358ef75fc69fee5322a38a340f5739d997c10 upstream.

... by not hitting rename_retry for reasons other than rename having
happened.  In other words, do _not_ restart when finding that
between unlocking the child and locking the parent the former got
into __dentry_kill().  Skip the killed siblings instead...

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Ben Hutchings &lt;ben@decadent.org.uk&gt;
[hujianyang: Backported to 3.10 refer to the work of Ben Hutchings in 3.2:
 - As we only have try_to_ascend() and not d_walk(), apply this
   change to all callers of try_to_ascend()
 - Adjust context to make __dentry_kill() apply to d_kill()]
Signed-off-by: hujianyang &lt;hujianyang@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit ca5358ef75fc69fee5322a38a340f5739d997c10 upstream.

... by not hitting rename_retry for reasons other than rename having
happened.  In other words, do _not_ restart when finding that
between unlocking the child and locking the parent the former got
into __dentry_kill().  Skip the killed siblings instead...

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Ben Hutchings &lt;ben@decadent.org.uk&gt;
[hujianyang: Backported to 3.10 refer to the work of Ben Hutchings in 3.2:
 - As we only have try_to_ascend() and not d_walk(), apply this
   change to all callers of try_to_ascend()
 - Adjust context to make __dentry_kill() apply to d_kill()]
Signed-off-by: hujianyang &lt;hujianyang@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>move d_rcu from overlapping d_child to overlapping d_alias</title>
<updated>2015-04-29T08:34:00+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2014-10-26T23:19:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6637ecd306a94a03dd5b8e4e8d3f260d9877c5b0'/>
<id>6637ecd306a94a03dd5b8e4e8d3f260d9877c5b0</id>
<content type='text'>
commit 946e51f2bf37f1656916eb75bd0742ba33983c28 upstream.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Ben Hutchings &lt;ben@decadent.org.uk&gt;
[hujianyang: Backported to 3.10 refer to the work of Ben Hutchings in 3.2:
 - Apply name changes in all the different places we use d_alias and d_child
 - Move the WARN_ON() in __d_free() to d_free() as we don't have dentry_free()]
Signed-off-by: hujianyang &lt;hujianyang@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 946e51f2bf37f1656916eb75bd0742ba33983c28 upstream.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Ben Hutchings &lt;ben@decadent.org.uk&gt;
[hujianyang: Backported to 3.10 refer to the work of Ben Hutchings in 3.2:
 - Apply name changes in all the different places we use d_alias and d_child
 - Move the WARN_ON() in __d_free() to d_free() as we don't have dentry_free()]
Signed-off-by: hujianyang &lt;hujianyang@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
