diff options
author | David Teigland <teigland@redhat.com> | 2009-06-18 14:20:24 -0400 |
---|---|---|
committer | David Teigland <teigland@redhat.com> | 2009-06-18 14:42:42 -0400 |
commit | c78a87d0a1fc885dfdbe21fd5e07787691dfb068 (patch) | |
tree | 73f6056f87cd9183e04f3b9f6a4245876cf0cb23 /fs/dlm/plock.c | |
parent | a566a6b11c86147fe9fc9db7ab15f9eecca3e862 (diff) |
dlm: fix plock use-after-free
Fix a regression from the original addition of nfs lock support
586759f03e2e9031ac5589912a51a909ed53c30a. When a synchronous
(non-nfs) plock completes, the waiting thread will wake up and
free the op struct. This races with the user thread in
dev_write() which goes on to read the op's callback field to
check if the lock is async and needs a callback. This check
can happen on the freed op. The fix is to note the callback
value before the op can be freed.
Signed-off-by: David Teigland <teigland@redhat.com>
Diffstat (limited to 'fs/dlm/plock.c')
-rw-r--r-- | fs/dlm/plock.c | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/fs/dlm/plock.c b/fs/dlm/plock.c index 894a32d438d5..16f682e26c07 100644 --- a/fs/dlm/plock.c +++ b/fs/dlm/plock.c | |||
@@ -353,7 +353,7 @@ static ssize_t dev_write(struct file *file, const char __user *u, size_t count, | |||
353 | { | 353 | { |
354 | struct dlm_plock_info info; | 354 | struct dlm_plock_info info; |
355 | struct plock_op *op; | 355 | struct plock_op *op; |
356 | int found = 0; | 356 | int found = 0, do_callback = 0; |
357 | 357 | ||
358 | if (count != sizeof(info)) | 358 | if (count != sizeof(info)) |
359 | return -EINVAL; | 359 | return -EINVAL; |
@@ -366,21 +366,24 @@ static ssize_t dev_write(struct file *file, const char __user *u, size_t count, | |||
366 | 366 | ||
367 | spin_lock(&ops_lock); | 367 | spin_lock(&ops_lock); |
368 | list_for_each_entry(op, &recv_list, list) { | 368 | list_for_each_entry(op, &recv_list, list) { |
369 | if (op->info.fsid == info.fsid && op->info.number == info.number && | 369 | if (op->info.fsid == info.fsid && |
370 | op->info.number == info.number && | ||
370 | op->info.owner == info.owner) { | 371 | op->info.owner == info.owner) { |
372 | struct plock_xop *xop = (struct plock_xop *)op; | ||
371 | list_del_init(&op->list); | 373 | list_del_init(&op->list); |
372 | found = 1; | ||
373 | op->done = 1; | ||
374 | memcpy(&op->info, &info, sizeof(info)); | 374 | memcpy(&op->info, &info, sizeof(info)); |
375 | if (xop->callback) | ||
376 | do_callback = 1; | ||
377 | else | ||
378 | op->done = 1; | ||
379 | found = 1; | ||
375 | break; | 380 | break; |
376 | } | 381 | } |
377 | } | 382 | } |
378 | spin_unlock(&ops_lock); | 383 | spin_unlock(&ops_lock); |
379 | 384 | ||
380 | if (found) { | 385 | if (found) { |
381 | struct plock_xop *xop; | 386 | if (do_callback) |
382 | xop = (struct plock_xop *)op; | ||
383 | if (xop->callback) | ||
384 | dlm_plock_callback(op); | 387 | dlm_plock_callback(op); |
385 | else | 388 | else |
386 | wake_up(&recv_wq); | 389 | wake_up(&recv_wq); |