illumos-gate Cdiff usr/src/uts/common/fs/tmpfs/tmp

Print this page

7656 unlinking directory on tmpfs can cause kernel panic


*** 19,32 ****
   * CDDL HEADER END
   */
  /*
   * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
   * Use is subject to license terms.
   */
  
- #pragma ident   "%Z%%M% %I%     %E% SMI"
- 
  #include <sys/types.h>
  #include <sys/param.h>
  #include <sys/sysmacros.h>
  #include <sys/systm.h>
  #include <sys/time.h>
--- 19,32 ----
   * CDDL HEADER END
   */
  /*
   * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
   * Use is subject to license terms.
+  *
+  * Copyright 2016 RackTop Systems.
   */
  
  #include <sys/types.h>
  #include <sys/param.h>
  #include <sys/sysmacros.h>
  #include <sys/systm.h>
  #include <sys/time.h>
*** 523,538 ****
          gethrestime(&now);
          dir->tn_mtime = now;
          dir->tn_ctime = now;
          tp->tn_ctime = now;
  
          ASSERT(tp->tn_nlink > 0);
          DECR_COUNT(&tp->tn_nlink, &tp->tn_tlock);
!         if (op == DR_RMDIR && tp->tn_type == VDIR) {
                  tdirtrunc(tp);
                  ASSERT(tp->tn_nlink == 0);
          }
          return (0);
  }
  
  /*
   * tdirinit is used internally to initialize a directory (dir)
--- 523,546 ----
          gethrestime(&now);
          dir->tn_mtime = now;
          dir->tn_ctime = now;
          tp->tn_ctime = now;
  
+         /*
+          * If this is a _REMOVE (unlink) operation there may
+          * be other links to the directory entry.
+          */
          ASSERT(tp->tn_nlink > 0);
          DECR_COUNT(&tp->tn_nlink, &tp->tn_tlock);
!         if (op == DR_RMDIR || (op == DR_REMOVE && tp->tn_type == VDIR)) {
!                 if (tp->tn_nlink > 1) {
!                         ASSERT(op == DR_REMOVE);
!                 } else {
                          tdirtrunc(tp);
                          ASSERT(tp->tn_nlink == 0);
                  }
+         }
          return (0);
  }
  
  /*
   * tdirinit is used internally to initialize a directory (dir)
*** 613,622 ****
--- 621,631 ----
          struct tdirent *tdp;
          struct tmpnode *tp;
          size_t namelen;
          timestruc_t now;
          int isvattrdir, isdotdot, skip_decr;
+         int lock_held;
  
          ASSERT(RW_WRITE_HELD(&dir->tn_rwlock));
          ASSERT(dir->tn_type == VDIR);
  
          isvattrdir = (dir->tn_vnode->v_flag & V_XATTRDIR) ? 1 : 0;
*** 651,661 ****
--- 660,693 ----
                  tmpfs_hash_out(tdp);
  
                  tmp_memfree(tdp, sizeof (struct tdirent) + namelen);
                  dir->tn_size -= (sizeof (struct tdirent) + namelen);
                  dir->tn_dirents--;
+ 
+                 /*
+                  * This directory entry may itself be a directory with
+                  * entries and removing it may have created orphans.
+                  * On a normal filesystem like UFS this wouldn't be
+                  * a huge problem because fcsk can reclaim them.  For
+                  * TMPFS which resides in RAM however, it means we
+                  * end up leaking memory.
+                  *
+                  * To avoid this we also truncate child directories,
+                  * but only if they have no other links to them.
+                  */
+                 if (!isdotdot && tp->tn_type == VDIR && tp != dir) {
+                         if (tp->tn_nlink > 1)
+                                 continue;
+                         lock_held = RW_WRITE_HELD(&tp->tn_rwlock);
+                         if (!lock_held)
+                                 rw_enter(&tp->tn_rwlock, RW_WRITER);
+                         tdirtrunc(tp);
+                         if (!lock_held)
+                                 rw_exit(&tp->tn_rwlock);
+                         ASSERT(tp->tn_nlink == 0);
                  }
+         }
  
          gethrestime(&now);
          dir->tn_mtime = now;
          dir->tn_ctime = now;