diff options
| author | Al Viro <viro@zeniv.linux.org.uk> | 2012-01-10 22:24:48 -0500 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2012-01-11 00:19:58 -0500 |
| commit | 8753333266be67ff3a984ac1f6566d31c260bee4 (patch) | |
| tree | 27a8565988791e2971d631e19c7a9a0057386668 /fs/autofs4 | |
| parent | 4041bcdc7bef06a2fb29c57394c713a74bd13b08 (diff) | |
autofs4: catatonic_mode vs. notify_daemon race
we need to hold ->wq_mutex while we are forming the packet to send,
lest we have autofs4_catatonic_mode() setting wq->name.name to NULL
just as autofs4_notify_daemon() decides to memcpy() from it...
We do have check for catatonic mode immediately after that (under
->wq_mutex, as it ought to be) and packet won't be actually sent,
but it'll be too late for us if we oops on that memcpy() from NULL...
Fix is obvious - just extend the area covered by ->wq_mutex over
that switch and check whether it's catatonic *before* doing anything
else.
Acked-by: Ian Kent <raven@themaw.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs/autofs4')
| -rw-r--r-- | fs/autofs4/waitq.c | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c index c13273afd546..9a0256da5d56 100644 --- a/fs/autofs4/waitq.c +++ b/fs/autofs4/waitq.c | |||
| @@ -110,6 +110,13 @@ static void autofs4_notify_daemon(struct autofs_sb_info *sbi, | |||
| 110 | 110 | ||
| 111 | pkt.hdr.proto_version = sbi->version; | 111 | pkt.hdr.proto_version = sbi->version; |
| 112 | pkt.hdr.type = type; | 112 | pkt.hdr.type = type; |
| 113 | mutex_lock(&sbi->wq_mutex); | ||
| 114 | |||
| 115 | /* Check if we have become catatonic */ | ||
| 116 | if (sbi->catatonic) { | ||
| 117 | mutex_unlock(&sbi->wq_mutex); | ||
| 118 | return; | ||
| 119 | } | ||
| 113 | switch (type) { | 120 | switch (type) { |
| 114 | /* Kernel protocol v4 missing and expire packets */ | 121 | /* Kernel protocol v4 missing and expire packets */ |
| 115 | case autofs_ptype_missing: | 122 | case autofs_ptype_missing: |
| @@ -163,22 +170,18 @@ static void autofs4_notify_daemon(struct autofs_sb_info *sbi, | |||
| 163 | } | 170 | } |
| 164 | default: | 171 | default: |
| 165 | printk("autofs4_notify_daemon: bad type %d!\n", type); | 172 | printk("autofs4_notify_daemon: bad type %d!\n", type); |
| 173 | mutex_unlock(&sbi->wq_mutex); | ||
| 166 | return; | 174 | return; |
| 167 | } | 175 | } |
| 168 | 176 | ||
| 169 | /* Check if we have become catatonic */ | 177 | pipe = sbi->pipe; |
| 170 | mutex_lock(&sbi->wq_mutex); | 178 | get_file(pipe); |
| 171 | if (!sbi->catatonic) { | 179 | |
| 172 | pipe = sbi->pipe; | ||
| 173 | get_file(pipe); | ||
| 174 | } | ||
| 175 | mutex_unlock(&sbi->wq_mutex); | 180 | mutex_unlock(&sbi->wq_mutex); |
| 176 | 181 | ||
| 177 | if (pipe) { | 182 | if (autofs4_write(pipe, &pkt, pktsz)) |
| 178 | if (autofs4_write(pipe, &pkt, pktsz)) | 183 | autofs4_catatonic_mode(sbi); |
| 179 | autofs4_catatonic_mode(sbi); | 184 | fput(pipe); |
| 180 | fput(pipe); | ||
| 181 | } | ||
| 182 | } | 185 | } |
| 183 | 186 | ||
| 184 | static int autofs4_getpath(struct autofs_sb_info *sbi, | 187 | static int autofs4_getpath(struct autofs_sb_info *sbi, |