[RFC dlm/next 05/11] dlm: drop lkb hold for waiter conversion handling

public inbox for gfs2@lists.linux.dev
 help / color / mirror / Atom feed

From: Alexander Aring <aahringo@redhat.com>
To: teigland@redhat.com
Cc: gfs2@lists.linux.dev, aahringo@redhat.com
Subject: [RFC dlm/next 05/11] dlm: drop lkb hold for waiter conversion handling
Date: Thu,  7 Nov 2024 15:46:11 -0500	[thread overview]
Message-ID: <20241107204617.147842-6-aahringo@redhat.com> (raw)
In-Reply-To: <20241107204617.147842-1-aahringo@redhat.com>

Drop the extra reference holding when handling a conversion as a
conversion should never free a lkb. Adding more comments for unlock and
cancel case because internal remove_from_waiters() can end the lkb
lifetime.

Signed-off-by: Alexander Aring <aahringo@redhat.com>
---
 fs/dlm/lock.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c
index 378234b42593..1f4f2d24bef4 100644
--- a/fs/dlm/lock.c
+++ b/fs/dlm/lock.c
@@ -5005,7 +5005,6 @@ static void recover_convert_waiter(struct dlm_ls *ls, struct dlm_lkb *lkb,
 				   struct dlm_message *ms_local)
 {
 	if (middle_conversion(lkb)) {
-		hold_lkb(lkb);
 		memset(ms_local, 0, sizeof(struct dlm_message));
 		ms_local->m_type = cpu_to_le32(DLM_MSG_CONVERT_REPLY);
 		ms_local->m_result = cpu_to_le32(to_dlm_errno(-EINPROGRESS));
@@ -5015,7 +5014,6 @@ static void recover_convert_waiter(struct dlm_ls *ls, struct dlm_lkb *lkb,
 		/* Same special case as in receive_rcom_lock_args() */
 		lkb->lkb_grmode = DLM_LOCK_IV;
 		rsb_set_flag(lkb->lkb_resource, RSB_RECOVER_CONVERT);
-		unhold_lkb(lkb);
 
 	} else if (lkb->lkb_rqmode >= lkb->lkb_grmode) {
 		set_bit(DLM_IFL_RESEND_BIT, &lkb->lkb_iflags);
@@ -5120,10 +5118,17 @@ void dlm_recover_waiters_pre(struct dlm_ls *ls)
 			break;
 
 		case DLM_MSG_CONVERT:
+			/* a convert should never end lkbs lifetime */
 			recover_convert_waiter(ls, lkb, ms_local);
 			break;
 
 		case DLM_MSG_UNLOCK:
+			/* _receive_unlock_reply() can call remove_from_waiters()
+			 * that leads to free the lkb and the reference of ther
+			 * iterating lkb for ls_waiters get drops. To prevent this
+			 * we need to hold the lkb here to prevent use after free
+			 * when the lkb is removed from the waiter.
+			 */
 			hold_lkb(lkb);
 			memset(ms_local, 0, sizeof(struct dlm_message));
 			ms_local->m_type = cpu_to_le32(DLM_MSG_UNLOCK_REPLY);
@@ -5134,6 +5139,12 @@ void dlm_recover_waiters_pre(struct dlm_ls *ls)
 			break;
 
 		case DLM_MSG_CANCEL:
+			/* _receive_cancel_reply() can call remove_from_waiters()
+			 * that leads to free the lkb and the reference of ther
+			 * iterating lkb for ls_waiters get drops. To prevent this
+			 * we need to hold the lkb here to prevent use after free
+			 * when the lkb is removed from the waiter.
+			 */
 			hold_lkb(lkb);
 			memset(ms_local, 0, sizeof(struct dlm_message));
 			ms_local->m_type = cpu_to_le32(DLM_MSG_CANCEL_REPLY);
-- 
2.43.0

next prev parent reply	other threads:[~2024-11-07 20:46 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-11-07 20:46 [RFC dlm/next 00/11] dlm: approach for new lkb reference counting Alexander Aring
2024-11-07 20:46 ` [RFC dlm/next 01/11] dlm: remove set_master() negative return check Alexander Aring
2024-11-07 20:46 ` [RFC dlm/next 02/11] dlm: use move_lkb() instead del/add lkb Alexander Aring
2024-11-07 20:46 ` [RFC dlm/next 03/11] dlm: use hold_lkb() instead kref_get() Alexander Aring
2024-11-07 20:46 ` [RFC dlm/next 04/11] dlm: don't track references on move_lkb() Alexander Aring
2024-11-07 20:46 ` Alexander Aring [this message]
2024-11-07 20:46 ` [RFC dlm/next 06/11] dlm: track reference for lkb_rsb_lookup Alexander Aring
2024-11-07 20:46 ` [RFC dlm/next 07/11] dlm: call queue_cast() on master copy as well Alexander Aring
2024-11-07 20:46 ` [RFC dlm/next 08/11] dlm: make send dlm message as non-failure Alexander Aring
2024-11-07 20:46 ` [RFC dlm/next 09/11] dlm: introduce new lkb refcount model Alexander Aring
2024-11-07 20:46 ` [RFC dlm/next 10/11] dlm: void convert, cancel and unlock requests Alexander Aring
2024-11-07 20:46 ` [RFC dlm/next 11/11] dlm: return void for _request_lock function Alexander Aring

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:378234b4259 dfblob:1f4f2d24bef )
 OR (
bs:"[RFC dlm/next 05/11] dlm: drop lkb hold for waiter conversion handling" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20241107204617.147842-6-aahringo@redhat.com \
    --to=aahringo@redhat.com \
    --cc=gfs2@lists.linux.dev \
    --cc=teigland@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox