[PATCH] Fix Oopsable condition in sys_close() w/ POSIX locks

From: Trond Myklebust
Date: Wed Nov 19 2003 - 14:16:46 EST

Next message: Paul Nielsen: "menuconfig Error 1"
Previous message: Sam Ravnborg: "Re: [PATCH] make 2.6 megaraid recognize intel vendor id"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Marcelo,

If 2 processes that have been created using CLONE_FILES so that they
share the same POSIX locks both call sys_close() on descriptors that
point to the same inode (but have different struct file *), they can
end up racing in the function locks_remove_posix().

This race may cause fl->fl_file to disappear while we are flushing
out pending writes in the nfs_lock() function, and so causes Oopses
when we get to nlmclnt_call() & co.

Cheers,
Trond

--- linux-2.4.22-up/fs/locks.c.orig 2002-05-30 14:07:49.000000000 -0400
+++ linux-2.4.22-up/fs/locks.c 2003-11-15 01:12:16.000000000 -0500
@@ -1747,7 +1747,14 @@
before = &inode->i_flock;
while ((fl = *before) != NULL) {
if ((fl->fl_flags & FL_POSIX) && fl->fl_owner == owner) {
+ struct file *filp = fl->fl_file;
+ /* Note: locks_unlock_delete() can sleep, and
+ * so we may race with the call to sys_close()
+ * by the thread that actually owns this filp.
+ */
+ get_file(filp);
locks_unlock_delete(before);
+ fput(filp);
before = &inode->i_flock;
continue;
}
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Paul Nielsen: "menuconfig Error 1"
Previous message: Sam Ravnborg: "Re: [PATCH] make 2.6 megaraid recognize intel vendor id"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]