diff options
author | Al Viro <viro@zeniv.linux.org.uk> | 2012-01-11 04:24:48 +0100 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2012-01-11 06:19:58 +0100 |
commit | 8753333266be67ff3a984ac1f6566d31c260bee4 (patch) | |
tree | 27a8565988791e2971d631e19c7a9a0057386668 | |
parent | autofs4: autofs4_wait() vs. autofs4_catatonic_mode() race (diff) | |
download | linux-8753333266be67ff3a984ac1f6566d31c260bee4.tar.xz linux-8753333266be67ff3a984ac1f6566d31c260bee4.zip |
autofs4: catatonic_mode vs. notify_daemon race
we need to hold ->wq_mutex while we are forming the packet to send,
lest we have autofs4_catatonic_mode() setting wq->name.name to NULL
just as autofs4_notify_daemon() decides to memcpy() from it...
We do have check for catatonic mode immediately after that (under
->wq_mutex, as it ought to be) and packet won't be actually sent,
but it'll be too late for us if we oops on that memcpy() from NULL...
Fix is obvious - just extend the area covered by ->wq_mutex over
that switch and check whether it's catatonic *before* doing anything
else.
Acked-by: Ian Kent <raven@themaw.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r-- | fs/autofs4/waitq.c | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c index c13273afd546..9a0256da5d56 100644 --- a/fs/autofs4/waitq.c +++ b/fs/autofs4/waitq.c @@ -110,6 +110,13 @@ static void autofs4_notify_daemon(struct autofs_sb_info *sbi, pkt.hdr.proto_version = sbi->version; pkt.hdr.type = type; + mutex_lock(&sbi->wq_mutex); + + /* Check if we have become catatonic */ + if (sbi->catatonic) { + mutex_unlock(&sbi->wq_mutex); + return; + } switch (type) { /* Kernel protocol v4 missing and expire packets */ case autofs_ptype_missing: @@ -163,22 +170,18 @@ static void autofs4_notify_daemon(struct autofs_sb_info *sbi, } default: printk("autofs4_notify_daemon: bad type %d!\n", type); + mutex_unlock(&sbi->wq_mutex); return; } - /* Check if we have become catatonic */ - mutex_lock(&sbi->wq_mutex); - if (!sbi->catatonic) { - pipe = sbi->pipe; - get_file(pipe); - } + pipe = sbi->pipe; + get_file(pipe); + mutex_unlock(&sbi->wq_mutex); - if (pipe) { - if (autofs4_write(pipe, &pkt, pktsz)) - autofs4_catatonic_mode(sbi); - fput(pipe); - } + if (autofs4_write(pipe, &pkt, pktsz)) + autofs4_catatonic_mode(sbi); + fput(pipe); } static int autofs4_getpath(struct autofs_sb_info *sbi, |