Subject: [PATCH] fs: fcntl_setlease defies lease_init assumptions
Newsgroups: gmane.linux.kernel
Date: 2006-05-07 23:21:01 GMT (3 years, 8 weeks, 2 days, 5 hours and 5 minutes ago)
fcntl_setlease uses a struct file_lock on the stack to find the
file_lock it's actually looking for. The problem with this approach is
that lease_init will attempt to free the file_lock if the arg argument
is invalid, causing kmem_cache_free to be called with the address of the
on-stack file_lock.
After running the following test-case, it doesn't take long for an i686
machine running 2.6.16.13 to stop responding completely.
2.6.17-rc3-git12 shows similar results, although it takes a bit more
activity before crashing.
Björn Steinbrink also identified a slab leak in the same piece of code,
caused by the fasync_helper call which will allocate a new slab every
time because it uses the wrong structure (the one on the stack) when the
a lease on that file already exists.
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
void die(const char *msg)
{
perror(msg);
exit(1);
}
int main(int argc, char *argv[])
{
int fd;
if (argc == 1)
{
fprintf(stderr, "Usage: %s file\n", argv[0]);
exit(1);
}
fd = open(argv[1], O_RDONLY);
if (fd == -1)
die("open()");
if (fcntl(fd, F_SETLEASE, F_RDLCK) == -1)
die("setlease(RDLCK)");
if (fcntl(fd, F_SETLEASE, F_RDLCK) == -1)
die("setlease(RDLCK2)");
if (fcntl(fd, F_SETLEASE, 5) == -1)
die("setlease(invalid)");
close(fd);
return 0;
}
Signed-off-by: Daniel Hokka Zakrisson <daniel <at> hozac.com>
---
--- a/fs/locks.c 2006-05-07 00:29:26.000000000 +0200
+++ b/fs/locks.c 2006-05-07 23:29:12.000000000 +0200
@@ -1363,6 +1363,7 @@ static int __setlease(struct file *filp,
goto out;
if (my_before != NULL) {
+ *flp = *my_before;
error = lease->fl_lmops->fl_change(my_before, arg);
goto out;
}
@@ -1433,7 +1434,7 @@ EXPORT_SYMBOL(setlease);
*/
int fcntl_setlease(unsigned int fd, struct file *filp, long arg)
{
- struct file_lock fl, *flp = &fl;
+ struct file_lock *fl, *flp;
struct dentry *dentry = filp->f_dentry;
struct inode *inode = dentry->d_inode;
int error;
@@ -1446,14 +1447,15 @@ int fcntl_setlease(unsigned int fd, stru
if (error)
return error;
- locks_init_lock(&fl);
- error = lease_init(filp, arg, &fl);
+ error = lease_alloc(filp, arg, &fl);
if (error)
return error;
+ flp = fl;
lock_kernel();
error = __setlease(filp, arg, &flp);
+ locks_free_lock(fl);
if (error || arg == F_UNLCK)
goto out_unlock;