On Wed, Aug 22 2018, NeilBrown wrote: > > Oh dear. > nfs4_alloc_lockdata contains: > memcpy(&p->fl, fl, sizeof(p->fl)); > > so any list_heads that are valid in fl will be invalid in p->fl. > > Maybe I should initialize the relevant list_heads at the start of wait > functions. > I should look more closely at what filesystems do with locks though. > I looked .... and .... it's complicated. Some call posix_lock_file() (which doesn't block, I think). Some call locks_lock_file_wait() (which can block, if FL_SLEEP is given). Some call both. Strangely, vfs_lock_file() either calls posix_lock_file(), which doesn't block, or filp->f_op->lock() which, I think, can. I'm confused. However I think this version of the patch should be safer. When I make time to test this, this will be part of what I test. Thanks, NeilBrown From: NeilBrown Date: Tue, 21 Aug 2018 15:09:06 +1000 Subject: [PATCH] fs/locks: always delete_block after waiting. Now that requests can block other requests, we need to be careful to always clean up those blocked requests. Any time that we wait for a request, we might have other requests attached, and when we stop waiting, we much clean them up. If the lock was granted, the requests might have been moved to the new lock, though when merged with a pre-exiting lock, this might not happen. No all cases we don't want blocked locks to remain attached, so we remove them to be safe. Note that when these locking routines are called without FL_SLEEP set, the list_head might not be properly initialize. In that case it is neither safe nor necessary to call locks_delete_block() Signed-off-by: NeilBrown --- fs/locks.c | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/fs/locks.c b/fs/locks.c index de38bafb7f7b..2af9c657f81f 100644 --- a/fs/locks.c +++ b/fs/locks.c @@ -1276,12 +1276,11 @@ static int posix_lock_inode_wait(struct inode *inode, struct file_lock *fl) if (error != FILE_LOCK_DEFERRED) break; error = wait_event_interruptible(fl->fl_wait, !fl->fl_blocker); - if (!error) - continue; - - locks_delete_block(fl); - break; + if (error) + break; } + if (fl->fl_flags & FL_SLEEP) + locks_delete_block(fl); return error; } @@ -1971,12 +1970,11 @@ static int flock_lock_inode_wait(struct inode *inode, struct file_lock *fl) if (error != FILE_LOCK_DEFERRED) break; error = wait_event_interruptible(fl->fl_wait, !fl->fl_blocker); - if (!error) - continue; - - locks_delete_block(fl); - break; + if (error) + break; } + if (fl->fl_flags & FL_SLEEP) + locks_delete_block(fl); return error; } @@ -2250,12 +2248,11 @@ static int do_lock_file_wait(struct file *filp, unsigned int cmd, if (error != FILE_LOCK_DEFERRED) break; error = wait_event_interruptible(fl->fl_wait, !fl->fl_blocker); - if (!error) - continue; - - locks_delete_block(fl); - break; + if (error) + break; } + if (fl->fl_flags & FL_SLEEP) + locks_delete_block(fl); return error; } -- 2.14.0.rc0.dirty