[PATCH 3.2 50/79] autofs4: catatonic_mode vs. notify_daemon race

From: Ben Hutchings
Date: Sun Feb 11 2018 - 00:14:06 EST

Next message: Ben Hutchings: "[PATCH 3.2 66/79] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff"
Previous message: Ben Hutchings: "[PATCH 3.2 46/79] KVM: vmx: Inject #GP on invalid PAT CR"
In reply to: Ben Hutchings: "[PATCH 3.2 46/79] KVM: vmx: Inject #GP on invalid PAT CR"
Next in thread: Ben Hutchings: "[PATCH 3.2 66/79] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

3.2.99-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@xxxxxxxxxxxxxxxxxx>

commit 8753333266be67ff3a984ac1f6566d31c260bee4 upstream.

we need to hold ->wq_mutex while we are forming the packet to send,
lest we have autofs4_catatonic_mode() setting wq->name.name to NULL
just as autofs4_notify_daemon() decides to memcpy() from it...

We do have check for catatonic mode immediately after that (under
->wq_mutex, as it ought to be) and packet won't be actually sent,
but it'll be too late for us if we oops on that memcpy() from NULL...

Fix is obvious - just extend the area covered by ->wq_mutex over
that switch and check whether it's catatonic *before* doing anything
else.

Acked-by: Ian Kent <raven@xxxxxxxxxx>
Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
---
fs/autofs4/waitq.c | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)

--- a/fs/autofs4/waitq.c
+++ b/fs/autofs4/waitq.c
@@ -110,6 +110,13 @@ static void autofs4_notify_daemon(struct

pkt.hdr.proto_version = sbi->version;
pkt.hdr.type = type;
+ mutex_lock(&sbi->wq_mutex);
+
+ /* Check if we have become catatonic */
+ if (sbi->catatonic) {
+ mutex_unlock(&sbi->wq_mutex);
+ return;
+ }
switch (type) {
/* Kernel protocol v4 missing and expire packets */
case autofs_ptype_missing:
@@ -163,22 +170,18 @@ static void autofs4_notify_daemon(struct
}
default:
printk("autofs4_notify_daemon: bad type %d!\n", type);
+ mutex_unlock(&sbi->wq_mutex);
return;
}

- /* Check if we have become catatonic */
- mutex_lock(&sbi->wq_mutex);
- if (!sbi->catatonic) {
- pipe = sbi->pipe;
- get_file(pipe);
- }
+ pipe = sbi->pipe;
+ get_file(pipe);
+
mutex_unlock(&sbi->wq_mutex);

- if (pipe) {
- if (autofs4_write(pipe, &pkt, pktsz))
- autofs4_catatonic_mode(sbi);
- fput(pipe);
- }
+ if (autofs4_write(pipe, &pkt, pktsz))
+ autofs4_catatonic_mode(sbi);
+ fput(pipe);
}

static int autofs4_getpath(struct autofs_sb_info *sbi,

Next message: Ben Hutchings: "[PATCH 3.2 66/79] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff"
Previous message: Ben Hutchings: "[PATCH 3.2 46/79] KVM: vmx: Inject #GP on invalid PAT CR"
In reply to: Ben Hutchings: "[PATCH 3.2 46/79] KVM: vmx: Inject #GP on invalid PAT CR"
Next in thread: Ben Hutchings: "[PATCH 3.2 66/79] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]