From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alex Chen <alex.chen@huawei.com>,
Jun Piao <piaojun@huawei.com>, Joseph Qi <jiangqi903@gmail.com>,
Mark Fasheh <mfasheh@versity.com>,
Joel Becker <jlbec@evilplan.org>,
Junxiao Bi <junxiao.bi@oracle.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Salvatore Bonaccorso <carnil@debian.org>
Subject: [PATCH 4.4 07/31] ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent
Date: Fri, 20 Jul 2018 14:13:37 +0200 [thread overview]
Message-ID: <20180720121340.426342467@linuxfoundation.org> (raw)
In-Reply-To: <20180720121340.158484922@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: alex chen <alex.chen@huawei.com>
commit 853bc26a7ea39e354b9f8889ae7ad1492ffa28d2 upstream.
The subsystem.su_mutex is required while accessing the item->ci_parent,
otherwise, NULL pointer dereference to the item->ci_parent will be
triggered in the following situation:
add node delete node
sys_write
vfs_write
configfs_write_file
o2nm_node_store
o2nm_node_local_write
do_rmdir
vfs_rmdir
configfs_rmdir
mutex_lock(&subsys->su_mutex);
unlink_obj
item->ci_group = NULL;
item->ci_parent = NULL;
to_o2nm_cluster_from_node
node->nd_item.ci_parent->ci_parent
BUG since of NULL pointer dereference to nd_item.ci_parent
Moreover, the o2nm_cluster also should be protected by the
subsystem.su_mutex.
[alex.chen@huawei.com: v2]
Link: http://lkml.kernel.org/r/59EEAA69.9080703@huawei.com
Link: http://lkml.kernel.org/r/59E9B36A.10700@huawei.com
Signed-off-by: Alex Chen <alex.chen@huawei.com>
Reviewed-by: Jun Piao <piaojun@huawei.com>
Reviewed-by: Joseph Qi <jiangqi903@gmail.com>
Cc: Mark Fasheh <mfasheh@versity.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/cluster/nodemanager.c | 63 +++++++++++++++++++++++++++++++++++------
1 file changed, 55 insertions(+), 8 deletions(-)
--- a/fs/ocfs2/cluster/nodemanager.c
+++ b/fs/ocfs2/cluster/nodemanager.c
@@ -40,6 +40,9 @@ char *o2nm_fence_method_desc[O2NM_FENCE_
"panic", /* O2NM_FENCE_PANIC */
};
+static inline void o2nm_lock_subsystem(void);
+static inline void o2nm_unlock_subsystem(void);
+
struct o2nm_node *o2nm_get_node_by_num(u8 node_num)
{
struct o2nm_node *node = NULL;
@@ -181,7 +184,10 @@ static struct o2nm_cluster *to_o2nm_clus
{
/* through the first node_set .parent
* mycluster/nodes/mynode == o2nm_cluster->o2nm_node_group->o2nm_node */
- return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);
+ if (node->nd_item.ci_parent)
+ return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);
+ else
+ return NULL;
}
enum {
@@ -194,7 +200,7 @@ static ssize_t o2nm_node_num_store(struc
size_t count)
{
struct o2nm_node *node = to_o2nm_node(item);
- struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
+ struct o2nm_cluster *cluster;
unsigned long tmp;
char *p = (char *)page;
int ret = 0;
@@ -214,6 +220,13 @@ static ssize_t o2nm_node_num_store(struc
!test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))
return -EINVAL; /* XXX */
+ o2nm_lock_subsystem();
+ cluster = to_o2nm_cluster_from_node(node);
+ if (!cluster) {
+ o2nm_unlock_subsystem();
+ return -EINVAL;
+ }
+
write_lock(&cluster->cl_nodes_lock);
if (cluster->cl_nodes[tmp])
ret = -EEXIST;
@@ -226,6 +239,8 @@ static ssize_t o2nm_node_num_store(struc
set_bit(tmp, cluster->cl_nodes_bitmap);
}
write_unlock(&cluster->cl_nodes_lock);
+ o2nm_unlock_subsystem();
+
if (ret)
return ret;
@@ -269,7 +284,7 @@ static ssize_t o2nm_node_ipv4_address_st
size_t count)
{
struct o2nm_node *node = to_o2nm_node(item);
- struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
+ struct o2nm_cluster *cluster;
int ret, i;
struct rb_node **p, *parent;
unsigned int octets[4];
@@ -286,6 +301,13 @@ static ssize_t o2nm_node_ipv4_address_st
be32_add_cpu(&ipv4_addr, octets[i] << (i * 8));
}
+ o2nm_lock_subsystem();
+ cluster = to_o2nm_cluster_from_node(node);
+ if (!cluster) {
+ o2nm_unlock_subsystem();
+ return -EINVAL;
+ }
+
ret = 0;
write_lock(&cluster->cl_nodes_lock);
if (o2nm_node_ip_tree_lookup(cluster, ipv4_addr, &p, &parent))
@@ -298,6 +320,8 @@ static ssize_t o2nm_node_ipv4_address_st
rb_insert_color(&node->nd_ip_node, &cluster->cl_node_ip_tree);
}
write_unlock(&cluster->cl_nodes_lock);
+ o2nm_unlock_subsystem();
+
if (ret)
return ret;
@@ -315,7 +339,7 @@ static ssize_t o2nm_node_local_store(str
size_t count)
{
struct o2nm_node *node = to_o2nm_node(item);
- struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
+ struct o2nm_cluster *cluster;
unsigned long tmp;
char *p = (char *)page;
ssize_t ret;
@@ -333,17 +357,26 @@ static ssize_t o2nm_node_local_store(str
!test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))
return -EINVAL; /* XXX */
+ o2nm_lock_subsystem();
+ cluster = to_o2nm_cluster_from_node(node);
+ if (!cluster) {
+ ret = -EINVAL;
+ goto out;
+ }
+
/* the only failure case is trying to set a new local node
* when a different one is already set */
if (tmp && tmp == cluster->cl_has_local &&
- cluster->cl_local_node != node->nd_num)
- return -EBUSY;
+ cluster->cl_local_node != node->nd_num) {
+ ret = -EBUSY;
+ goto out;
+ }
/* bring up the rx thread if we're setting the new local node. */
if (tmp && !cluster->cl_has_local) {
ret = o2net_start_listening(node);
if (ret)
- return ret;
+ goto out;
}
if (!tmp && cluster->cl_has_local &&
@@ -358,7 +391,11 @@ static ssize_t o2nm_node_local_store(str
cluster->cl_local_node = node->nd_num;
}
- return count;
+ ret = count;
+
+out:
+ o2nm_unlock_subsystem();
+ return ret;
}
CONFIGFS_ATTR(o2nm_node_, num);
@@ -750,6 +787,16 @@ static struct o2nm_cluster_group o2nm_cl
},
};
+static inline void o2nm_lock_subsystem(void)
+{
+ mutex_lock(&o2nm_cluster_group.cs_subsys.su_mutex);
+}
+
+static inline void o2nm_unlock_subsystem(void)
+{
+ mutex_unlock(&o2nm_cluster_group.cs_subsys.su_mutex);
+}
+
int o2nm_depend_item(struct config_item *item)
{
return configfs_depend_item(&o2nm_cluster_group.cs_subsys, item);
next prev parent reply other threads:[~2018-07-20 12:27 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-20 12:13 [PATCH 4.4 00/31] 4.4.143-stable review Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 01/31] compiler, clang: suppress warning for unused static inline functions Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 02/31] compiler, clang: properly override inline for clang Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 03/31] compiler, clang: always inline when CONFIG_OPTIMIZE_INLINING is disabled Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 04/31] compiler-gcc.h: Add __attribute__((gnu_inline)) to all inline declarations Greg Kroah-Hartman
2018-07-20 12:13 ` Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 05/31] x86/asm: Add _ASM_ARG* constants for argument registers to <asm/asm.h> Greg Kroah-Hartman
2018-07-20 12:13 ` Greg Kroah-Hartman
2018-07-20 12:13 ` Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 06/31] Revert "sit: reload iphdr in ipip6_rcv" Greg Kroah-Hartman
2018-07-20 12:13 ` Greg Kroah-Hartman [this message]
2018-07-20 12:13 ` [PATCH 4.4 08/31] bcm63xx_enet: correct clock usage Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 09/31] bcm63xx_enet: do not write to random DMA channel on BCM6345 Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 10/31] crypto: crypto4xx - remove bad list_del Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 11/31] crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 12/31] atm: zatm: Fix potential Spectre v1 Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 15/31] net/mlx5: Fix incorrect raw command length parsing Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 16/31] net: sungem: fix rx checksum support Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 17/31] qed: Limit msix vectors in kdump kernel to the minimum required count Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 19/31] tcp: fix Fast Open key endianness Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 21/31] vhost_net: validate sock before trying to put its fd Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 22/31] net_sched: blackhole: tell upper qdisc about dropped packets Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 23/31] net/mlx5: Fix command interface race in polling mode Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 24/31] net: cxgb3_main: fix potential Spectre v1 Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 25/31] rtlwifi: rtl8821ae: fix firmware is not ready to run Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 26/31] MIPS: Call dump_stack() from show_regs() Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 27/31] MIPS: Use async IPIs for arch_trigger_cpumask_backtrace() Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 28/31] netfilter: ebtables: reject non-bridge targets Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 29/31] KEYS: DNS: fix parsing multiple options Greg Kroah-Hartman
2018-07-20 12:14 ` [PATCH 4.4 30/31] rds: avoid unenecessary cong_update in loop transport Greg Kroah-Hartman
2018-07-20 12:14 ` [PATCH 4.4 31/31] net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL Greg Kroah-Hartman
2018-07-20 13:34 ` [PATCH 4.4 00/31] 4.4.143-stable review Nathan Chancellor
2018-07-21 7:38 ` Naresh Kamboju
2018-07-21 13:39 ` Guenter Roeck
-- strict thread matches above, loose matches on Subject: below --
2018-07-20 12:13 [PATCH 4.4 13/31] net: dccp: avoid crash in ccid3_hc_rx_send_feedback() Greg Kroah-Hartman
2018-07-20 12:13 ` Greg Kroah-Hartman
2018-07-20 12:13 [PATCH 4.4 14/31] net: dccp: switch rx_tstamp_last_feedback to monotonic clock Greg Kroah-Hartman
2018-07-20 12:13 ` Greg Kroah-Hartman
2018-07-20 12:13 [4.4,18/31] r8152: napi hangup fix after disconnect Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 18/31] " Greg Kroah-Hartman
2018-08-24 16:38 [4.4,18/31] " Ben Hutchings
2018-08-24 16:38 ` [PATCH 4.4 18/31] " Ben Hutchings
2018-08-25 7:43 [4.4,18/31] " Jiri Slaby
2018-08-25 7:43 ` [PATCH 4.4 18/31] " Jiri Slaby
2018-09-12 18:54 [4.4,18/31] " Ben Hutchings
2018-09-12 18:54 ` [PATCH 4.4 18/31] " Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180720121340.426342467@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=alex.chen@huawei.com \
--cc=carnil@debian.org \
--cc=jiangqi903@gmail.com \
--cc=jlbec@evilplan.org \
--cc=junxiao.bi@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mfasheh@versity.com \
--cc=piaojun@huawei.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.