git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Alexander Aring <aahringo@redhat.com>
	Fri, 29 Apr 2022 15:06:51 +0000 (11:06 -0400)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 9 Jun 2022 08:26:21 +0000 (10:26 +0200)
commit	da9242d3af9236b99c749405b54e595e3e6d1947
tree	0db1ca8de775af2fcb3116c6a3aa01919b09d254	tree
parent	86ee803ddab669ab08f4c7d0bd52f1c85cfba084	commit \| diff

dlm: fix missing lkb refcount handling

commit 1689c169134f4b5a39156122d799b7dca76d8ddb upstream.

We always call hold_lkb(lkb) if we increment lkb->lkb_wait_count.
So, we always need to call unhold_lkb(lkb) if we decrement
lkb->lkb_wait_count. This patch will add missing unhold_lkb(lkb) if we
decrement lkb->lkb_wait_count. In case of setting lkb->lkb_wait_count to
zero we need to countdown until reaching zero and call unhold_lkb(lkb).
The waiters list unhold_lkb(lkb) can be removed because it's done for
the last lkb_wait_count decrement iteration as it's done in
_remove_from_waiters().

This issue was discovered by a dlm gfs2 test case which use excessively
dlm_unlock(LKF_CANCEL) feature. Probably the lkb->lkb_wait_count value
never reached above 1 if this feature isn't used and so it was not
discovered before.

The testcase ended in a rsb on the rsb keep data structure with a
refcount of 1 but no lkb was associated with it, which is itself
an invalid behaviour. A side effect of that was a condition in which
the dlm was sending remove messages in a looping behaviour. With this
patch that has not been reproduced.

Cc: stable@vger.kernel.org
Signed-off-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>