From: Yiwen Jiang Date: Fri, 4 Sep 2015 22:44:37 +0000 (-0700) Subject: ocfs2: avoid access invalid address when read o2dlm debug messages X-Git-Tag: v4.1.12-92~39^2~16 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=7365cd6504067b01485945506dec93fa9863c59c;p=users%2Fjedix%2Flinux-maple.git ocfs2: avoid access invalid address when read o2dlm debug messages The following case will lead to a lockres is freed but is still in use. cat /sys/kernel/debug/o2dlm/locking_state dlm_thread lockres_seq_start -> lock dlm->track_lock -> get resA resA->refs decrease to 0, call dlm_lockres_release, and wait for "cat" unlock. Although resA->refs is already set to 0, increase resA->refs, and then unlock lock dlm->track_lock -> list_del_init() -> unlock -> free resA In such a race case, invalid address access may occurs. So we should delete list res->tracking before resA->refs decrease to 0. Signed-off-by: Yiwen Jiang Reviewed-by: Joseph Qi Cc: Joel Becker Signed-off-by: Mark Fasheh Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds (cherry picked from commit f57a22ddecd6f26040a67e2c12880f98f88b6e00) Orabug: 24939243 Signed-off-by: Junxiao Bi --- diff --git a/fs/ocfs2/dlm/dlmmaster.c b/fs/ocfs2/dlm/dlmmaster.c index 523e485a11b8..0918d3b6df72 100644 --- a/fs/ocfs2/dlm/dlmmaster.c +++ b/fs/ocfs2/dlm/dlmmaster.c @@ -795,8 +795,18 @@ lookup: dlm_lockres_grab_inflight_ref(dlm, tmpres); spin_unlock(&tmpres->spinlock); - if (res) + if (res) { + spin_lock(&dlm->track_lock); + if (!list_empty(&res->tracking)) + list_del_init(&res->tracking); + else + mlog(ML_ERROR, "Resource %.*s not " + "on the Tracking list\n", + res->lockname.len, + res->lockname.name); + spin_unlock(&dlm->track_lock); dlm_lockres_put(res); + } res = tmpres; goto leave; }
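Review bot: the new block in the `if (res)` branch needs a comment stating that `res->tracking` has to be unlinked under `dlm->track_lock` before `dlm_lockres_put(res)` can drop the last reference. That ordering is the entire fix, and without a comment a later cleanup could easily fold the unlink back into the release path. The commit message describes the race in terms of dlm_thread taking `resA->refs` to 0 and `dlm_lockres_release` doing the `list_del_init()`, but the only put changed here is this one in the lookup path of dlmmaster.c. Please say in the message whether other final puts are covered elsewhere or are not affected. A smaller style point: the `mlog(ML_ERROR, ...)` format string is split across two literals ("Resource %.*s not " "on the Tracking list\n"), which makes the message hard to grep for; keeping it as one literal is preferable even if the line runs long.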