kernfs: invoke kernfs_unmap_bin_file() directly from kernfs_deactivate()

kernfs_unmap_bin_file() is supposed to unmap all memory mappings of
the target file before kernfs_remove() finishes; however, it currently
is being called from kernfs_addrm_finish() and has the same race
problem as the original implementation of deactivation when there are
multiple removers - only the remover which snatches the node to its
addrm_cxt->removed list is guaranteed to wait for its completion
before returning.

It can be easily fixed by moving kernfs_unmap_bin_file() invocation
from kernfs_addrm_finish() to kernfs_deactivate(). The function may
be called multiple times but that shouldn't do any harm.

Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
index 3ac9373..9603c06 100644
--- a/fs/kernfs/dir.c
+++ b/fs/kernfs/dir.c
@@ -177,9 +177,10 @@
* kernfs_deactivate - deactivate kernfs_node
* @kn: kernfs_node to deactivate
*
- * Deny new active references and drain existing ones. Mutiple
- * removers may invoke this function concurrently on @kn and all will
- * return after deactivation and draining are complete.
+ * Deny new active references, drain existing ones and nuke all
+ * existing mmaps. Mutiple removers may invoke this function
+ * concurrently on @kn and all will return after deactivation and
+ * draining are complete.
*/
static void kernfs_deactivate(struct kernfs_node *kn)
__releases(&kernfs_mutex) __acquires(&kernfs_mutex)
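Review bot: The updated kernel-doc still promises only that removers "return after deactivation and draining are complete", which leaves out the guarantee this patch exists to provide: that every concurrent remover also returns only after existing mmaps are gone. Suggest extending the last sentence to say "deactivation, draining and unmapping are complete". Since the sentence is being rewrapped anyway, "Mutiple" could be corrected to "Multiple" in the same change.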
@@ -213,6 +214,8 @@
rwsem_release(&kn->dep_map, 1, _RET_IP_);
}
+ kernfs_unmap_bin_file(kn);
+
mutex_lock(&kernfs_mutex);
}
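Review bot: kernfs_unmap_bin_file(kn) now sits before mutex_lock(&kernfs_mutex), so it runs with kernfs_mutex dropped (per the __releases/__acquires annotations on the function) and can be entered concurrently by several removers of the same @kn. The call is also unconditional in the visible lines, so it is reached for every node that is deactivated, not only ones that can be mmapped. Please confirm that the callee returns early for nodes without mappings and serializes its own walk of open files, and add a one-line comment above the call saying that repeated and concurrent invocation is intended, since the commit message is the only place that states it.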
@@ -493,7 +496,6 @@
acxt->removed = kn->u.removed_list;
- kernfs_unmap_bin_file(kn);
kernfs_put(kn);
}
}
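Review bot: With the call dropped from this loop, kernfs_put(kn) relies entirely on kernfs_deactivate() having already unmapped the node, and nothing in the visible context shows that every node chained on acxt->removed went through kernfs_deactivate() first. Worth checking the lines just above acxt->removed = kn->u.removed_list; and, if the deactivate call is there, noting in a short comment that unmapping now happens inside it, so a later refactor of this loop does not reintroduce a window where a removed file keeps live mappings.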