Indentation looks off here.

Isn't it really fusefs that requires the exclusive lock for those calls? The mentioned functions themselves do not require the vnode lock if I understand correctly. If so it might be better to explain exactly why the exclusive lock is needed.

This should be on the previous line.

I think these macros need the do-while treatment, otherwise you will get incorrect behaviour (or a compiler error?) from a construct like

if (foo)
    CACHED_ATTR_LOCK(vp);
else
    ...

Use VNASSERT?

Should this say "avoiding the LOR"?

vnode_pager_setsize does require it; see vm/vnode_pager.c line 511. And vtruncbuf calls vnode_pager_setsize.

Good catch.

This is perhaps generic question about fuse, triggered by the addition of the assert of the vnode lock at the start of the function.

fdisp_wait_answ() does an unbound sleep while owning the vnode lock. This is not right. Essentially, this is a recipe for lock cascade, which might affect the daemon that must reply to kernel itself, deadlocking the whole machine.

fuse_vnode_setsize() sometimes called when other vnode is locked,e.g. in fuse_vnop_copy_file_range(). Dropping and re-acquiring the lock means that you create LoR.

I think you want an assert that the vnode is locked, before checking VOP_ISLOCKED().

Similarly, vp lock should be asserted before this.

It's not actually unbounded. It's limited by daemon_timeout, which is 60s by default, but can be changed by a mount option.

For copy_file_range, the vnode that we will call fuse_vnode_setsize on will always be exclusively locked. So fuse_vnode_setsize won't need to upgrade the lock. So in that case, there's no risk of LOR. The only times that it will need to upgrade the lock are during VOP_GETATTR, VOP_ACCESS, VOP_ADVLOCK, VOP_GETEXTATTR, VOP_SETEXTATTR, VOP_LISTEXTATTR, VOP_DELETEEXTATTR, VOP_CLOSE (if updating atime), VOP_LOOKUP (when removing a file, if the parent's sticky bit is set), and VOP_VPTOFH.

I should double check VOP_CLOSE. It's man page doesn't say that the vnode will be locked. And I'll double check VOP_L0OKUP when removing with a sticky parent.

System getting stuck for 1 minute does not sound good.

For VOP_LOOKUP() for DELETE, both parent and target must be exclusively locked. I am not sure why you listed VOP_CLOSE() as potential trouble point.

Still, such relock is very fragile. Could you cache the new size, and then have a fusefs-specific VOP_LOCK() which sets the size on the next lock? I did that for nfsclient to avoid these issues in principle.

In practice it's not that bad. It usually only happens if the daemon crashes or hangs. And in that case, you can always hit the mountpoint with a "umount -f".

I'm imagining now what fusefs would look like it we never held a vnode lock while blocking. It sounds hard. Are you imagining, for example, that fuse_vnop_setattr would release the vnode lock before sending the request to the daemon, and reacquire it on return? If so, then multiple chmod calls could stack up within fusefs. And whether a sequence of chmod calls all succeed could depend on how fast the daemon processes them. The first call might change file permissions in a way that should block the second call. But if the second call passes its access checks before the daemon responds to the first call, then we could end up sending the second to the daemon anyway.

I mentioned VOP_CLOSE because the man page doesn't specify the locking type. Looking deeper, I see that it will always be LK_EXCLUSIVE since we don't set MNTK_EXTENDED_SHARED.

I could try the VOP_LOCK trick. There might be some tricky issues there. Do you require me to do it before merging this PR, or can I do it afterwards?

Does unmount -f able to unblock threads owning the fusefs vnode locks?

For NFS client, it does, but it requires a lot of specific features in the fs. Also, this is the reason why we have the rule 'vnode might be reclaimed any time the lock is not owned'.

Sure I do not require anything. It is just technically better path, IMO. The current patch is improvement, so it makes no sense to postpone if you plan to work on other scheme some time later.

unmount -f will unmount the file system immediately, without waiting for the server to respond to anything. But by itself it doesn't unblock any threads.

If a thread is blocked in fdisp_wait_answ but the operation hasn't yet been sent to userland, then it can be interrupted by a signal.

If a thread is blocked in fdisp_wait_answ and its operation has been sent to userland, then it can be interrupted only with the cooperation of the server. Some servers support that feature and some don't. If they don't, then there's no way to interrupt the operation before the 60s timeout.

unmount -f will unmount the file system immediately, without waiting for the server to respond to anything. But by itself it doesn't unblock any threads.

From my reading of the code, it does not. The fuse' VFS_UNMOUNT() correctly starts with the vflush() which reclaims each vnode on the mp list. To reclaim, vflush() locks the vnode exclusively, that would just block if there is the locked vnode by a thread waiting for the userspace reply.

Right. fuse_vfsop_unmount may block when trying to flush vnodes, or when waiting on the FUSE_DESTROY operation. But the file system is already unmounted by that point; other processes can no longer access it.

Other processes might have already blocked on the fuse vnodes. Also, while the fs is unmounted, its covered vnode is exclusively locked (this is how the unmounted fs is made inaccessible while being unmounted). All of them are happy to participate in the lock cascade.