public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed
* [PATCH 1/2] dlm: fix user space lkb refcounting
@ 2024-03-12 17:05 Alexander Aring
  2024-03-12 17:05 ` [PATCH 2/2] dlm: fix off-by-one waiters refcount handling Alexander Aring
  0 siblings, 1 reply; 3+ messages in thread
From: Alexander Aring @ 2024-03-12 17:05 UTC (permalink / raw)
  To: teigland
  Cc: gfs2, stable, vvidic, joseph.qi, ocfs2-devel, heming.zhao,
	aahringo

This patch fixes to check on the right return value if it was the last
callback. The rv variable got overwritten by the return of
copy_result_to_user(). Fixing it by introducing a second variable for
the return value and don't let rv being overwritten.

Cc: stable@vger.kernel.org
Fixes: 61bed0baa4db ("fs: dlm: use a non-static queue for callbacks")
Reported-by: Valentin Vidić <vvidic@valentin-vidic.from.hr>
Closes: https://lore.kernel.org/gfs2/Ze4qSvzGJDt5yxC3@valentin-vidic.from.hr
Signed-off-by: Alexander Aring <aahringo@redhat.com>
---
 fs/dlm/user.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/fs/dlm/user.c b/fs/dlm/user.c
index 695e691b38b3..9f9b68448830 100644
--- a/fs/dlm/user.c
+++ b/fs/dlm/user.c
@@ -806,7 +806,7 @@ static ssize_t device_read(struct file *file, char __user *buf, size_t count,
 	struct dlm_lkb *lkb;
 	DECLARE_WAITQUEUE(wait, current);
 	struct dlm_callback *cb;
-	int rv, copy_lvb = 0;
+	int rv, ret, copy_lvb = 0;
 	int old_mode, new_mode;
 
 	if (count == sizeof(struct dlm_device_version)) {
@@ -906,9 +906,9 @@ static ssize_t device_read(struct file *file, char __user *buf, size_t count,
 		trace_dlm_ast(lkb->lkb_resource->res_ls, lkb);
 	}
 
-	rv = copy_result_to_user(lkb->lkb_ua,
-				 test_bit(DLM_PROC_FLAGS_COMPAT, &proc->flags),
-				 cb->flags, cb->mode, copy_lvb, buf, count);
+	ret = copy_result_to_user(lkb->lkb_ua,
+				  test_bit(DLM_PROC_FLAGS_COMPAT, &proc->flags),
+				  cb->flags, cb->mode, copy_lvb, buf, count);
 
 	kref_put(&cb->ref, dlm_release_callback);
 
@@ -916,7 +916,7 @@ static ssize_t device_read(struct file *file, char __user *buf, size_t count,
 	if (rv == DLM_DEQUEUE_CALLBACK_LAST)
 		dlm_put_lkb(lkb);
 
-	return rv;
+	return ret;
 }
 
 static __poll_t device_poll(struct file *file, poll_table *wait)
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* [PATCH 2/2] dlm: fix off-by-one waiters refcount handling
  2024-03-12 17:05 [PATCH 1/2] dlm: fix user space lkb refcounting Alexander Aring
@ 2024-03-12 17:05 ` Alexander Aring
  2024-03-12 20:25   ` Valentin Vidić
  0 siblings, 1 reply; 3+ messages in thread
From: Alexander Aring @ 2024-03-12 17:05 UTC (permalink / raw)
  To: teigland
  Cc: gfs2, stable, vvidic, joseph.qi, ocfs2-devel, heming.zhao,
	aahringo

There was a wrong conversion to atomic counters in commit 75a7d60134ce
("fs: dlm: handle lkb wait count as atomic_t"), when
atomic_dec_and_test() returns true it will decrement at first and
then return true if it hits zero. This means we will mis a unhold_lkb()
for the last iteration. This patch fixes this issue and if the last
reference is taken we will remove the lkb from the waiters list as this
is how it's supposed to work.

Cc: stable@vger.kernel.org
Fixes: 75a7d60134ce ("fs: dlm: handle lkb wait count as atomic_t")
Signed-off-by: Alexander Aring <aahringo@redhat.com>
---
 fs/dlm/lock.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c
index 652c51fbbf76..c30e9f8d017e 100644
--- a/fs/dlm/lock.c
+++ b/fs/dlm/lock.c
@@ -5070,11 +5070,13 @@ int dlm_recover_waiters_post(struct dlm_ls *ls)
 		/* drop all wait_count references we still
 		 * hold a reference for this iteration.
 		 */
-		while (!atomic_dec_and_test(&lkb->lkb_wait_count))
-			unhold_lkb(lkb);
-
 		mutex_lock(&ls->ls_waiters_mutex);
-		list_del_init(&lkb->lkb_wait_reply);
+		while (atomic_read(&lkb->lkb_wait_count)) {
+			if (atomic_dec_and_test(&lkb->lkb_wait_count))
+				list_del_init(&lkb->lkb_wait_reply);
+
+			unhold_lkb(lkb);
+		}
 		mutex_unlock(&ls->ls_waiters_mutex);
 
 		if (oc || ou) {
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH 2/2] dlm: fix off-by-one waiters refcount handling
  2024-03-12 17:05 ` [PATCH 2/2] dlm: fix off-by-one waiters refcount handling Alexander Aring
@ 2024-03-12 20:25   ` Valentin Vidić
  0 siblings, 0 replies; 3+ messages in thread
From: Valentin Vidić @ 2024-03-12 20:25 UTC (permalink / raw)
  To: Alexander Aring
  Cc: teigland, gfs2, stable, joseph.qi, ocfs2-devel, heming.zhao

On Tue, Mar 12, 2024 at 01:05:08PM -0400, Alexander Aring wrote:
> There was a wrong conversion to atomic counters in commit 75a7d60134ce
> ("fs: dlm: handle lkb wait count as atomic_t"), when
> atomic_dec_and_test() returns true it will decrement at first and
> then return true if it hits zero. This means we will mis a unhold_lkb()
> for the last iteration. This patch fixes this issue and if the last
> reference is taken we will remove the lkb from the waiters list as this
> is how it's supposed to work.
> 
> Cc: stable@vger.kernel.org
> Fixes: 75a7d60134ce ("fs: dlm: handle lkb wait count as atomic_t")
> Signed-off-by: Alexander Aring <aahringo@redhat.com>

Tested-by: Valentin Vidić <vvidic@valentin-vidic.from.hr>

-- 
Valentin

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-03-12 20:25 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-03-12 17:05 [PATCH 1/2] dlm: fix user space lkb refcounting Alexander Aring
2024-03-12 17:05 ` [PATCH 2/2] dlm: fix off-by-one waiters refcount handling Alexander Aring
2024-03-12 20:25   ` Valentin Vidić

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox