Two file locking fixes from Xiubo.

-----BEGIN PGP SIGNATURE----- iQFHBAABCAAxFiEEydHwtzie9C7TfviiSn/eOAIR84sFAmO4Z+YTHGlkcnlvbW92 QGdtYWlsLmNvbQAKCRBKf944AhHzi1wBB/sFeiTptv/RhoNc7UDKvfXxAIY7nSQf drCg0Zb1ZgwTr5l7QmWLvJcohkUgzyk+F2XwQfe02F/epzaEC2d0tVW0H48HM5Pr 3b0Lk6EProS8Nfs0Qd8ZaXraP+DNTTInDQfxCGYbl3pvOvtF060Ija0QrmdzWyWA 38ZEVwVDNlxPJY7qn6bGEvGmw+oFGub4JJ+CvO3Z65b4Cf++8z0PWifbOtMOzUgX q5H6ORVrBB20bASVR9m+yX5YGLpZ+ZvdPPFWEhVrR4q7vgJsKDhKnWJXHafg0Vkt PfaPBOjgh+l5IWBNw5Ob7X/XdFxYzktF6REoHfBCToF+YUMd1NGJ5uSd =nuHc -----END PGP SIGNATURE----- Merge tag 'ceph-for-6.2-rc3' of https://github.com/ceph/ceph-client Pull ceph fixes from Ilya Dryomov: "Two file locking fixes from Xiubo" * tag 'ceph-for-6.2-rc3' of https://github.com/ceph/ceph-client: ceph: avoid use-after-free in ceph_fl_release_lock() ceph: switch to vfs_inode_has_locks() to fix file lock bug
2024-12-27 05:11:48 +00:00 · 2023-01-06 12:11:41 -08:00 · 2023-01-06 12:11:41 -08:00 · 5c1a712f71
commit 5c1a712f71
parent 7b8c854cfe 8e1858710d
4 changed files with 22 additions and 8 deletions
--- a/fs/ceph/caps.c
+++ b/fs/ceph/caps.c
@ -2913,7 +2913,7 @@ int ceph_get_caps(struct file *filp, int need, int want, loff_t endoff, int *got

 	while (true) {
 		flags &= CEPH_FILE_MODE_MASK;
-		if (atomic_read(&fi->num_locks))
+		if (vfs_inode_has_locks(inode))
 			flags |= CHECK_FILELOCK;
 		_got = 0;
 		ret = try_get_cap_refs(inode, need, want, endoff,
--- a/fs/ceph/locks.c
+++ b/fs/ceph/locks.c
@ -32,24 +32,36 @@ void __init ceph_flock_init(void)

 static void ceph_fl_copy_lock(struct file_lock *dst, struct file_lock *src)
 {
-	struct ceph_file_info *fi = dst->fl_file->private_data;
 	struct inode *inode = file_inode(dst->fl_file);
 	atomic_inc(&ceph_inode(inode)->i_filelock_ref);
-	atomic_inc(&fi->num_locks);
+	dst->fl_u.ceph.inode = igrab(inode);
 }

+/*
+ * Do not use the 'fl->fl_file' in release function, which
+ * is possibly already released by another thread.
+ */
 static void ceph_fl_release_lock(struct file_lock *fl)
 {
-	struct ceph_file_info *fi = fl->fl_file->private_data;
-	struct inode *inode = file_inode(fl->fl_file);
-	struct ceph_inode_info *ci = ceph_inode(inode);
-	atomic_dec(&fi->num_locks);
+	struct inode *inode = fl->fl_u.ceph.inode;
+	struct ceph_inode_info *ci;
+
+	/*
+	 * If inode is NULL it should be a request file_lock,
+	 * nothing we can do.
+	 */
+	if (!inode)
+		return;
+
+	ci = ceph_inode(inode);
 	if (atomic_dec_and_test(&ci->i_filelock_ref)) {
 		/* clear error when all locks are released */
 		spin_lock(&ci->i_ceph_lock);
 		ci->i_ceph_flags &= ~CEPH_I_ERROR_FILELOCK;
 		spin_unlock(&ci->i_ceph_lock);
 	}
+	fl->fl_u.ceph.inode = NULL;
+	iput(inode);
 }

 static const struct file_lock_operations ceph_fl_lock_ops = {
--- a/fs/ceph/super.h
+++ b/fs/ceph/super.h
@ -790,7 +790,6 @@ struct ceph_file_info {
 	struct list_head rw_contexts;

 	u32 filp_gen;
-	atomic_t num_locks;
 };

 struct ceph_dir_file_info {
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@ -1119,6 +1119,9 @@ struct file_lock {
 			int state;		/* state of grant or error if -ve */
 			unsigned int	debug_id;
 		} afs;
+		struct {
+			struct inode *inode;
+		} ceph;
 	} fl_u;
 } __randomize_layout;