diff options
author | Yiwen Jiang <jiangyiwen@huawei.com> | 2015-09-05 00:44:37 +0200 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2015-09-05 01:54:41 +0200 |
commit | f57a22ddecd6f26040a67e2c12880f98f88b6e00 (patch) | |
tree | d83dbca8f8bdd0e918addfd21f529f483734fc4e /net/core/scm.c | |
parent | ocfs2: take inode lock in ocfs2_iop_set/get_acl() (diff) | |
download | linux-f57a22ddecd6f26040a67e2c12880f98f88b6e00.tar.xz linux-f57a22ddecd6f26040a67e2c12880f98f88b6e00.zip |
ocfs2: avoid access invalid address when read o2dlm debug messages
The following case will lead to a lockres is freed but is still in use.
cat /sys/kernel/debug/o2dlm/locking_state dlm_thread
lockres_seq_start
-> lock dlm->track_lock
-> get resA
resA->refs decrease to 0,
call dlm_lockres_release,
and wait for "cat" unlock.
Although resA->refs is already set to 0,
increase resA->refs, and then unlock
lock dlm->track_lock
-> list_del_init()
-> unlock
-> free resA
In such a race case, invalid address access may occurs. So we should
delete list res->tracking before resA->refs decrease to 0.
Signed-off-by: Yiwen Jiang <jiangyiwen@huawei.com>
Reviewed-by: Joseph Qi <joseph.qi@huawei.com>
Cc: Joel Becker <jlbec@evilplan.org>
Signed-off-by: Mark Fasheh <mfasheh@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'net/core/scm.c')
0 files changed, 0 insertions, 0 deletions