Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp5142756pxj; Wed, 9 Jun 2021 10:05:17 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz+X9hdFKyoNTki4uIV/OA/2PQMBLOgIM6R0crJVmssYACrurR9ABkJUVw6HmT+R10vug8j X-Received: by 2002:a05:6402:416:: with SMTP id q22mr443550edv.204.1623258317030; Wed, 09 Jun 2021 10:05:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623258317; cv=none; d=google.com; s=arc-20160816; b=X1UntR/v1OnbFHuWKqtfs721IcfviZ+S7sNDYmaAhOzuPeuJ2xcYRq8plKzAqQ1MII zW0IycOZMTl8Y3jBl+ODXJPvXDqD0UuEoun8jOmP5e8oJh95iDscTL5vCH729kjsox14 gfxVYK1vRxn48NAUG4CrmO3DbRWzi2lMQJwdQYp/B0ULCyyCvlZjZTyA4SGkjgycjKEt tIcOLci7kqvMacCXKjNWCoQZW6K4i++ZKwr+5YLVkGTUmDZBz7C71HeVrTXXoaBcDsGs iwN95+8JPvJTbrN4kUVxavZoLCyjwgs8AZTS9bkWP2lFk1GbGq065D7foCNqy8gNVmbd Dl9Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=umLfKhpHP+RuI0WJ/3k+B1+HOsxB0tKVXkMkbJg5ENY=; b=0w02bqun3NrVg7aNNXn92j7LZxLoJB5g8dydLB6S3tq27tq1NIWN3EQpjLkhah03vQ rWbu/LW3ZfKoE/RVkKcMIwdQfEyCRJZUh/BQupAPQs+R9wKCUUYPvcpWP5WasYFVlIEq ULmHIsf4DPbSq4J22c9Zge0xYW9jBFcqmIMZCqDjRIX/JZvJI43/9WkvZIz9NRm2zVHK +h4pCdDfedtGDicMdkCL9xkGQs6gGvj//9ciUc6WIFkpZYBLjRJ2+RsvI9RX6G1X3tSJ AiGael6+2Y2PFdSuM0P3Xi3EViVzwuoN1j/dAwMtt3/CahewwX7OxQENHB+42h7igN5o 68JA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=DpILld8N; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id co5si146336edb.295.2021.06.09.10.04.53; Wed, 09 Jun 2021 10:05:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=DpILld8N; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236434AbhFIDe5 (ORCPT + 99 others); Tue, 8 Jun 2021 23:34:57 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:41585 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231909AbhFIDe5 (ORCPT ); Tue, 8 Jun 2021 23:34:57 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1623209583; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=umLfKhpHP+RuI0WJ/3k+B1+HOsxB0tKVXkMkbJg5ENY=; b=DpILld8NKvQC+qGUCctqtqXyj/77L3ys8MOQhePWWFw3wFdQtvORWKPcwhe5cD4K4KKUMN G98vURzqFsHLVOcjrhGV6g0sgJoYF3hQSuV9lFLslpaWDQtsliQesGcNIeK2qw3OJly3z8 wVYpV7nv3u9tkYP8afOvdhscr08NDbY= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-262-ygZ5VinmNvipqjSqZSKDzQ-1; Tue, 08 Jun 2021 23:33:00 -0400 X-MC-Unique: ygZ5VinmNvipqjSqZSKDzQ-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 943FA107ACCA; Wed, 9 Jun 2021 03:32:58 +0000 (UTC) Received: from T590 (ovpn-12-143.pek2.redhat.com [10.72.12.143]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 0C77F5C1BB; Wed, 9 Jun 2021 03:32:48 +0000 (UTC) Date: Wed, 9 Jun 2021 11:32:44 +0800 From: Ming Lei To: Roman Gushchin Cc: Andrew Morton , Tejun Heo , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Alexander Viro , Jan Kara , Dennis Zhou , Dave Chinner , cgroups@vger.kernel.org, Jan Kara Subject: Re: [PATCH v9 3/8] writeback, cgroup: increment isw_nr_in_flight before grabbing an inode Message-ID: References: <20210608230225.2078447-1-guro@fb.com> <20210608230225.2078447-4-guro@fb.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210608230225.2078447-4-guro@fb.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jun 08, 2021 at 04:02:20PM -0700, Roman Gushchin wrote: > isw_nr_in_flight is used do determine whether the inode switch queue > should be flushed from the umount path. Currently it's increased > after grabbing an inode and even scheduling the switch work. It means > the umount path can be walked past cleanup_offline_cgwb() with active > inode references, which can result in a "Busy inodes after unmount." > message and use-after-free issues (with inode->i_sb which gets freed). > > Fix it by incrementing isw_nr_in_flight before doing anything with > the inode and decrementing in the case when switching wasn't scheduled. > > The problem hasn't yet been seen in the real life and was discovered > by Jan Kara by looking into the code. > > Suggested-by: Jan Kara > Signed-off-by: Roman Gushchin > Reviewed-by: Jan Kara > --- > fs/fs-writeback.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c > index b6fc13a4962d..4413e005c28c 100644 > --- a/fs/fs-writeback.c > +++ b/fs/fs-writeback.c > @@ -505,6 +505,8 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id) > if (!isw) > return; > > + atomic_inc(&isw_nr_in_flight); smp_mb() may be required for ordering the WRITE in 'atomic_inc(&isw_nr_in_flight)' and the following READ on 'inode->i_sb->s_flags & SB_ACTIVE'. Otherwise, cgroup_writeback_umount() may observe zero of 'isw_nr_in_flight' because of re-order of the two OPs, then miss the flush_workqueue(). Also this barrier should serve as pair of the one added in cgroup_writeback_umount(), so maybe this patch should be merged with 2/8. Thanks, Ming