In 2006 Trond Myklebust added support for the FL_ACCESS flag,
commit 01c3b861cd77 ("NLM,NFSv4: Wait on local locks before we put RPC
calls on the wire"), as a result of which _nfs4_proc_setlk() began
to execute _nfs4_do_setlk() with modified request->fl_flag where
FL_ACCESS flag was set.
It was not important not till 2015, when commit c69899a17ca4 ("NFSv4:
Update of VFS byte range lock must be atomic with the stateid update")
added do_vfs_lock call into nfs4_locku_done().
nfs4_locku_done() in this case uses calldata->fl of nfs4_unlockdata.
It is copied from struct nfs4_lockdata, which in turn uses the fl_flag
copied from the request->fl_flag provided by _nfs4_do_setlk(), i.e. with
FL_ACCESS flag set.
FL_ACCESS flag is removed in nfs4_lock_done() for non-cancelled case.
however rpc task can be cancelled earlier.
As a result flock_lock_inode() can be called with request->fl_type F_UNLCK
and fl_flags with FL_ACCESS flag set.
Such request is processed incorectly. Instead of expected search and
removal of exisiting flocks it jumps to "find_conflict" label and can call
locks_insert_block() function.
On kernels before 2018, (i.e. before commit 7b587e1a5a6c
("NFS: use locks_copy_lock() to copy locks.")) it caused a BUG in
__locks_insert_block() because copied fl had incorrectly linked fl_block.
On new kernels all lists are properly initialized and no BUG occur,
however any any case, such a call does nothing useful.
If I understand correctly locks_lock_inode_wait(F_UNLCK) call is required
to revert locks_lock_inode_wait(F_LCK) request send from nfs4_lock_done().
An additional F_UNLCK request is dangerous, because of it can remove flock
set not by canceled task but by some other concurrent process.
So I think we need to add FL_ACCESS check in nfs4_locku_done
and skip locks_lock_inode_wait() executing if this flag is set.
Fixes: c69899a17ca4 ("NFSv4: Update of VFS byte range lock must be atomic with the stateid update")
Signed-off-by: Vasily Averin <vvs@xxxxxxxxxxxxx>
---
fs/nfs/nfs4proc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index ee3bc79f6ca3..4417dde69202 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -6728,7 +6728,9 @@ static void nfs4_locku_done(struct rpc_task *task, void *data)
switch (task->tk_status) {
case 0:
renew_lease(calldata->server, calldata->timestamp);
- locks_lock_inode_wait(calldata->lsp->ls_state->inode, &calldata->fl);
+ if (!(calldata->fl.fl_flags & FL_ACCESS))
+ locks_lock_inode_wait(calldata->lsp->ls_state->inode,
+ &calldata->fl);
if (nfs4_update_lock_stateid(calldata->lsp,
&calldata->res.stateid))
break;
--
2.25.1
