NFSD: Fix possible sleep during nfsd4_release_lockowner()
authorChuck Lever <chuck.lever@oracle.com>
Sat, 21 May 2022 23:06:13 +0000 (19:06 -0400)
committerChuck Lever <chuck.lever@oracle.com>
Thu, 26 May 2022 14:50:49 +0000 (10:50 -0400)
nfsd4_release_lockowner() holds clp->cl_lock when it calls
check_for_locks(). However, check_for_locks() calls nfsd_file_get()
/ nfsd_file_put() to access the backing inode's flc_posix list, and
nfsd_file_put() can sleep if the inode was recently removed.

Let's instead rely on the stateowner's reference count to gate
whether the release is permitted. This should be a reliable
indication of locks-in-use since file lock operations and
->lm_get_owner take appropriate references, which are released
appropriately when file locks are removed.

Reported-by: Dai Ngo <dai.ngo@oracle.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Cc: stable@vger.kernel.org
fs/nfsd/nfs4state.c

index a280256cbb0344572245064befebbafaae928e1c..4e0850a10550ccbff074e19dd65c7063e31e8386 100644 (file)
@@ -7557,16 +7557,12 @@ nfsd4_release_lockowner(struct svc_rqst *rqstp,
                if (sop->so_is_open_owner || !same_owner_str(sop, owner))
                        continue;
 
-               /* see if there are still any locks associated with it */
-               lo = lockowner(sop);
-               list_for_each_entry(stp, &sop->so_stateids, st_perstateowner) {
-                       if (check_for_locks(stp->st_stid.sc_file, lo)) {
-                               status = nfserr_locks_held;
-                               spin_unlock(&clp->cl_lock);
-                               return status;
-                       }
+               if (atomic_read(&sop->so_count) != 1) {
+                       spin_unlock(&clp->cl_lock);
+                       return nfserr_locks_held;
                }
 
+               lo = lockowner(sop);
                nfs4_get_stateowner(sop);
                break;
        }
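Review bot: The new test `atomic_read(&sop->so_count) != 1` treats any extra reference on the stateowner as a held lock, but so_count counts references, not locks. If another in-flight operation holds a reference at that moment (the takers are not visible in this hunk), RELEASE_LOCKOWNER would return nfserr_locks_held even though no lock exists, so it is worth confirming that every other holder is tied to a file lock. The explanatory comment was also removed along with the old loop, leaving the literal 1 unexplained; I would add something like `/* so_count == 1: only the owner's own reference remains, so no file lock or lm_get_owner reference is outstanding */` above the test, with the wording checked against who actually owns that base reference. The body of nfsd4_release_lockowner() starts and ends outside the hunk, so how `lo` and the extra reference from nfs4_get_stateowner() are used after the loop cannot be checked from here.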