diff options
| author | David Teigland <teigland@redhat.com> | 2009-06-18 14:20:24 -0400 |
|---|---|---|
| committer | David Teigland <teigland@redhat.com> | 2009-06-18 14:42:42 -0400 |
| commit | c78a87d0a1fc885dfdbe21fd5e07787691dfb068 (patch) | |
| tree | 73f6056f87cd9183e04f3b9f6a4245876cf0cb23 | |
| parent | a566a6b11c86147fe9fc9db7ab15f9eecca3e862 (diff) | |
dlm: fix plock use-after-free
Fix a regression from the original addition of nfs lock support
586759f03e2e9031ac5589912a51a909ed53c30a. When a synchronous
(non-nfs) plock completes, the waiting thread will wake up and
free the op struct. This races with the user thread in
dev_write() which goes on to read the op's callback field to
check if the lock is async and needs a callback. This check
can happen on the freed op. The fix is to note the callback
value before the op can be freed.
Signed-off-by: David Teigland <teigland@redhat.com>
| -rw-r--r-- | fs/dlm/plock.c | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/fs/dlm/plock.c b/fs/dlm/plock.c index 894a32d438d5..16f682e26c07 100644 --- a/fs/dlm/plock.c +++ b/fs/dlm/plock.c | |||
| @@ -353,7 +353,7 @@ static ssize_t dev_write(struct file *file, const char __user *u, size_t count, | |||
| 353 | { | 353 | { |
| 354 | struct dlm_plock_info info; | 354 | struct dlm_plock_info info; |
| 355 | struct plock_op *op; | 355 | struct plock_op *op; |
| 356 | int found = 0; | 356 | int found = 0, do_callback = 0; |
| 357 | 357 | ||
| 358 | if (count != sizeof(info)) | 358 | if (count != sizeof(info)) |
| 359 | return -EINVAL; | 359 | return -EINVAL; |
| @@ -366,21 +366,24 @@ static ssize_t dev_write(struct file *file, const char __user *u, size_t count, | |||
| 366 | 366 | ||
| 367 | spin_lock(&ops_lock); | 367 | spin_lock(&ops_lock); |
| 368 | list_for_each_entry(op, &recv_list, list) { | 368 | list_for_each_entry(op, &recv_list, list) { |
| 369 | if (op->info.fsid == info.fsid && op->info.number == info.number && | 369 | if (op->info.fsid == info.fsid && |
| 370 | op->info.number == info.number && | ||
| 370 | op->info.owner == info.owner) { | 371 | op->info.owner == info.owner) { |
| 372 | struct plock_xop *xop = (struct plock_xop *)op; | ||
| 371 | list_del_init(&op->list); | 373 | list_del_init(&op->list); |
| 372 | found = 1; | ||
| 373 | op->done = 1; | ||
| 374 | memcpy(&op->info, &info, sizeof(info)); | 374 | memcpy(&op->info, &info, sizeof(info)); |
| 375 | if (xop->callback) | ||
| 376 | do_callback = 1; | ||
| 377 | else | ||
| 378 | op->done = 1; | ||
| 379 | found = 1; | ||
| 375 | break; | 380 | break; |
| 376 | } | 381 | } |
| 377 | } | 382 | } |
| 378 | spin_unlock(&ops_lock); | 383 | spin_unlock(&ops_lock); |
| 379 | 384 | ||
| 380 | if (found) { | 385 | if (found) { |
| 381 | struct plock_xop *xop; | 386 | if (do_callback) |
| 382 | xop = (struct plock_xop *)op; | ||
| 383 | if (xop->callback) | ||
| 384 | dlm_plock_callback(op); | 387 | dlm_plock_callback(op); |
| 385 | else | 388 | else |
| 386 | wake_up(&recv_wq); | 389 | wake_up(&recv_wq); |