Skip to content

Commit 853bc26

Browse files
alex chentorvalds
alex chen
authored andcommitted
ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent
The subsystem.su_mutex is required while accessing the item->ci_parent, otherwise, NULL pointer dereference to the item->ci_parent will be triggered in the following situation: add node delete node sys_write vfs_write configfs_write_file o2nm_node_store o2nm_node_local_write do_rmdir vfs_rmdir configfs_rmdir mutex_lock(&subsys->su_mutex); unlink_obj item->ci_group = NULL; item->ci_parent = NULL; to_o2nm_cluster_from_node node->nd_item.ci_parent->ci_parent BUG since of NULL pointer dereference to nd_item.ci_parent Moreover, the o2nm_cluster also should be protected by the subsystem.su_mutex. [alex.chen@huawei.com: v2] Link: http://lkml.kernel.org/r/59EEAA69.9080703@huawei.com Link: http://lkml.kernel.org/r/59E9B36A.10700@huawei.com Signed-off-by: Alex Chen <alex.chen@huawei.com> Reviewed-by: Jun Piao <piaojun@huawei.com> Reviewed-by: Joseph Qi <jiangqi903@gmail.com> Cc: Mark Fasheh <mfasheh@versity.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Junxiao Bi <junxiao.bi@oracle.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 3e4c56d commit 853bc26

File tree

1 file changed

+55
-8
lines changed

1 file changed

+55
-8
lines changed

Diff for: fs/ocfs2/cluster/nodemanager.c

+55-8
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,9 @@ char *o2nm_fence_method_desc[O2NM_FENCE_METHODS] = {
4040
"panic", /* O2NM_FENCE_PANIC */
4141
};
4242

43+
static inline void o2nm_lock_subsystem(void);
44+
static inline void o2nm_unlock_subsystem(void);
45+
4346
struct o2nm_node *o2nm_get_node_by_num(u8 node_num)
4447
{
4548
struct o2nm_node *node = NULL;
@@ -181,7 +184,10 @@ static struct o2nm_cluster *to_o2nm_cluster_from_node(struct o2nm_node *node)
181184
{
182185
/* through the first node_set .parent
183186
* mycluster/nodes/mynode == o2nm_cluster->o2nm_node_group->o2nm_node */
184-
return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);
187+
if (node->nd_item.ci_parent)
188+
return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);
189+
else
190+
return NULL;
185191
}
186192

187193
enum {
@@ -194,7 +200,7 @@ static ssize_t o2nm_node_num_store(struct config_item *item, const char *page,
194200
size_t count)
195201
{
196202
struct o2nm_node *node = to_o2nm_node(item);
197-
struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
203+
struct o2nm_cluster *cluster;
198204
unsigned long tmp;
199205
char *p = (char *)page;
200206
int ret = 0;
@@ -214,6 +220,13 @@ static ssize_t o2nm_node_num_store(struct config_item *item, const char *page,
214220
!test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))
215221
return -EINVAL; /* XXX */
216222

223+
o2nm_lock_subsystem();
224+
cluster = to_o2nm_cluster_from_node(node);
225+
if (!cluster) {
226+
o2nm_unlock_subsystem();
227+
return -EINVAL;
228+
}
229+
217230
write_lock(&cluster->cl_nodes_lock);
218231
if (cluster->cl_nodes[tmp])
219232
ret = -EEXIST;
@@ -226,6 +239,8 @@ static ssize_t o2nm_node_num_store(struct config_item *item, const char *page,
226239
set_bit(tmp, cluster->cl_nodes_bitmap);
227240
}
228241
write_unlock(&cluster->cl_nodes_lock);
242+
o2nm_unlock_subsystem();
243+
229244
if (ret)
230245
return ret;
231246

@@ -269,7 +284,7 @@ static ssize_t o2nm_node_ipv4_address_store(struct config_item *item,
269284
size_t count)
270285
{
271286
struct o2nm_node *node = to_o2nm_node(item);
272-
struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
287+
struct o2nm_cluster *cluster;
273288
int ret, i;
274289
struct rb_node **p, *parent;
275290
unsigned int octets[4];
@@ -286,6 +301,13 @@ static ssize_t o2nm_node_ipv4_address_store(struct config_item *item,
286301
be32_add_cpu(&ipv4_addr, octets[i] << (i * 8));
287302
}
288303

304+
o2nm_lock_subsystem();
305+
cluster = to_o2nm_cluster_from_node(node);
306+
if (!cluster) {
307+
o2nm_unlock_subsystem();
308+
return -EINVAL;
309+
}
310+
289311
ret = 0;
290312
write_lock(&cluster->cl_nodes_lock);
291313
if (o2nm_node_ip_tree_lookup(cluster, ipv4_addr, &p, &parent))
@@ -298,6 +320,8 @@ static ssize_t o2nm_node_ipv4_address_store(struct config_item *item,
298320
rb_insert_color(&node->nd_ip_node, &cluster->cl_node_ip_tree);
299321
}
300322
write_unlock(&cluster->cl_nodes_lock);
323+
o2nm_unlock_subsystem();
324+
301325
if (ret)
302326
return ret;
303327

@@ -315,7 +339,7 @@ static ssize_t o2nm_node_local_store(struct config_item *item, const char *page,
315339
size_t count)
316340
{
317341
struct o2nm_node *node = to_o2nm_node(item);
318-
struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
342+
struct o2nm_cluster *cluster;
319343
unsigned long tmp;
320344
char *p = (char *)page;
321345
ssize_t ret;
@@ -333,17 +357,26 @@ static ssize_t o2nm_node_local_store(struct config_item *item, const char *page,
333357
!test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))
334358
return -EINVAL; /* XXX */
335359

360+
o2nm_lock_subsystem();
361+
cluster = to_o2nm_cluster_from_node(node);
362+
if (!cluster) {
363+
ret = -EINVAL;
364+
goto out;
365+
}
366+
336367
/* the only failure case is trying to set a new local node
337368
* when a different one is already set */
338369
if (tmp && tmp == cluster->cl_has_local &&
339-
cluster->cl_local_node != node->nd_num)
340-
return -EBUSY;
370+
cluster->cl_local_node != node->nd_num) {
371+
ret = -EBUSY;
372+
goto out;
373+
}
341374

342375
/* bring up the rx thread if we're setting the new local node. */
343376
if (tmp && !cluster->cl_has_local) {
344377
ret = o2net_start_listening(node);
345378
if (ret)
346-
return ret;
379+
goto out;
347380
}
348381

349382
if (!tmp && cluster->cl_has_local &&
@@ -358,7 +391,11 @@ static ssize_t o2nm_node_local_store(struct config_item *item, const char *page,
358391
cluster->cl_local_node = node->nd_num;
359392
}
360393

361-
return count;
394+
ret = count;
395+
396+
out:
397+
o2nm_unlock_subsystem();
398+
return ret;
362399
}
363400

364401
CONFIGFS_ATTR(o2nm_node_, num);
@@ -738,6 +775,16 @@ static struct o2nm_cluster_group o2nm_cluster_group = {
738775
},
739776
};
740777

778+
static inline void o2nm_lock_subsystem(void)
779+
{
780+
mutex_lock(&o2nm_cluster_group.cs_subsys.su_mutex);
781+
}
782+
783+
static inline void o2nm_unlock_subsystem(void)
784+
{
785+
mutex_unlock(&o2nm_cluster_group.cs_subsys.su_mutex);
786+
}
787+
741788
int o2nm_depend_item(struct config_item *item)
742789
{
743790
return configfs_depend_item(&o2nm_cluster_group.cs_subsys, item);

0 commit comments

Comments
 (0)