[PATCH] fs: fcntl_setlease defies lease_init assumptions

fcntl_setlease uses a struct file_lock on the stack to find the
file_lock it's actually looking for. The problem with this approach is
that lease_init will attempt to free the file_lock if the arg argument
is invalid, causing kmem_cache_free to be called with the address of the
on-stack file_lock.
After running the following test-case, it doesn't take long for an i686

machine running 2.6.16.13 to stop responding completely. 2.6.17-rc3-git12 shows similar results, although it takes a bit more activity before crashing.

Björn Steinbrink also identified a slab leak in the same piece of code, caused by the fasync_helper call which will allocate a new slab every time because it uses the wrong structure (the one on the stack) when the a lease on that file already exists.

#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

void die(const char *msg)
{
	perror(msg);
	exit(1);
}
int main(int argc, char *argv[])
{
	int fd;
	if (argc == 1)
	{
		fprintf(stderr, "Usage: %s file\n", argv[0]);
		exit(1);
	}
	fd = open(argv[1], O_RDONLY);
	if (fd == -1)
		die("open()");
	if (fcntl(fd, F_SETLEASE, F_RDLCK) == -1)
		die("setlease(RDLCK)");
	if (fcntl(fd, F_SETLEASE, F_RDLCK) == -1)
		die("setlease(RDLCK2)");
	if (fcntl(fd, F_SETLEASE, 5) == -1)
		die("setlease(invalid)");
	close(fd);
	return 0;
}

Signed-off-by: Daniel Hokka Zakrisson <[email protected]>

---
--- a/fs/locks.c	2006-05-07 00:29:26.000000000 +0200
+++ b/fs/locks.c	2006-05-07 23:29:12.000000000 +0200
@@ -1363,6 +1363,7 @@ static int __setlease(struct file *filp,
 		goto out;

 	if (my_before != NULL) {
+		*flp = *my_before;
 		error = lease->fl_lmops->fl_change(my_before, arg);
 		goto out;
 	}
@@ -1433,7 +1434,7 @@ EXPORT_SYMBOL(setlease);
  */
 int fcntl_setlease(unsigned int fd, struct file *filp, long arg)
 {
-	struct file_lock fl, *flp = &fl;
+	struct file_lock *fl, *flp;
 	struct dentry *dentry = filp->f_dentry;
 	struct inode *inode = dentry->d_inode;
 	int error;
@@ -1446,14 +1447,15 @@ int fcntl_setlease(unsigned int fd, stru
 	if (error)
 		return error;

-	locks_init_lock(&fl);
-	error = lease_init(filp, arg, &fl);
+	error = lease_alloc(filp, arg, &fl);
 	if (error)
 		return error;
+	flp = fl;

 	lock_kernel();

 	error = __setlease(filp, arg, &flp);
+	locks_free_lock(fl);
 	if (error || arg == F_UNLCK)
 		goto out_unlock;


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: [PATCH] fs: fcntl_setlease defies lease_init assumptions
    • From: Linus Torvalds <[email protected]>

• Prev by Date: Re: XFS regression on 2.6.17 (Does not happen on 2.6.16.XX)
• Next by Date: Re: Add a "enable" sysfs attribute to the pci devices to allow userspace (Xorg) to enable devices without doing foul direct access
• Previous by thread: Re: XFS regression on 2.6.17 (Does not happen on 2.6.16.XX)
• Next by thread: Re: [PATCH] fs: fcntl_setlease defies lease_init assumptions
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]