ChangeSet 1.738, 2002/10/11 11:02:02-07:00, wg@malloc.de

[PATCH] usbfs race while mounting/umounting

I use usbfs, but normally have only a single USB device connected, a
generic mouse.  When usbfs is unmounted on shutdown, I see "BUG at
inode.c:1034" in between 5% and 50% of all cases, the backtrace being
iput(), free_inode(), usbdevfs_put_super(), kill_super(), __mntput(),
etc.

I believe this to be a long-standing problem; I remember seeing this
in 2.2.x as well, more than a year ago.  Then I moved the mouse to a
2.4.x system, and I've seen the problem ever since.  As a workaround,
I have moved the "umount /proc/bus/usb" after all disk umounts, but I
believe I've now finally tracked down the cause.

drivers/usb/inode.c says that all calls of its inode-list-manipulating
functions must occur with the kernel lock held.  usbdevfs_read_super()
does _not_ do this, however, and I strongly suspect that my mouse is
auto-detected (occasionally) exactly while usbfs is being mounted.
The result is that the same inode ends up twice in usbfs's lists,
hence the "BUG in inode.c:1034" when it is iput() twice on shutdown.
The appended patch has fixed the problem for me, although I've only
done a few boot cycles with it.


diff -Nru a/drivers/usb/inode.c b/drivers/usb/inode.c
--- a/drivers/usb/inode.c	Fri Oct 11 12:33:00 2002
+++ b/drivers/usb/inode.c	Fri Oct 11 12:33:00 2002
@@ -628,6 +628,7 @@
         s->s_root = d_alloc_root(root_inode);
         if (!s->s_root)
                 goto out_no_root;
+	lock_kernel();
 	list_add_tail(&s->u.usbdevfs_sb.slist, &superlist);
 	for (i = 0; i < NRSPECIAL; i++) {
 		if (!(inode = iget(s, IROOT+1+i)))
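Review bot: the new lock_kernel() before list_add_tail() carries no comment saying what it protects. The rule quoted in the commit message (inode-list manipulation in drivers/usb/inode.c must happen with the kernel lock held) belongs in a one-line comment at this spot so the pairing with the later unlock_kernel() is obvious. Note also that iget() in the loop can sleep, and the kernel lock is dropped while a task sleeps, so the region is not one atomic section against a concurrent device add; it would help to say whether the list code tolerates that.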
@@ -646,6 +647,7 @@
 		recurse_new_dev_inode(bus->root_hub, s);
 	}
 	up (&usb_bus_list_lock);
+	unlock_kernel();
         return s;
 
  out_no_root:
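Review bot: unlock_kernel() is added only on the success path, just before `return s;`, so any exit taken after the new lock_kernel() that does not fall through this line would return with the kernel lock held. The `goto out_no_root` visible in the first hunk happens before the lock is taken, so that path is fine; please confirm that nothing in the loops between the two hunks jumps to an error label. Releasing after up (&usb_bus_list_lock) is the right order if the matching down() sits between the two added lines.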
