| From 55acdd926f6b21a5cdba23da98a48aedf19ac9c3 Mon Sep 17 00:00:00 2001 |
| From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= <edvin.torok@citrix.com> |
| Date: Thu, 3 Aug 2017 10:30:06 +0100 |
| Subject: dlm: avoid double-free on error path in dlm_device_{register,unregister} |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| From: Edwin Török <edvin.torok@citrix.com> |
| |
| commit 55acdd926f6b21a5cdba23da98a48aedf19ac9c3 upstream. |
| |
| Can be reproduced when running dlm_controld (tested on 4.4.x, 4.12.4): |
| # seq 1 100 | xargs -P0 -n1 dlm_tool join |
| # seq 1 100 | xargs -P0 -n1 dlm_tool leave |
| |
| misc_register fails due to duplicate sysfs entry, which causes |
| dlm_device_register to free ls->ls_device.name. |
| In dlm_device_deregister the name was freed again, causing memory |
| corruption. |
| |
| According to the comment in dlm_device_deregister the name should've been |
| set to NULL when registration fails, |
| so this patch does that. |
| |
| sysfs: cannot create duplicate filename '/dev/char/10:1' |
| ------------[ cut here ]------------ |
| warning: cpu: 1 pid: 4450 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x56/0x70 |
| modules linked in: msr rfcomm dlm ccm bnep dm_crypt uvcvideo |
| videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core videodev |
| btusb media btrtl btbcm btintel bluetooth ecdh_generic intel_rapl |
| x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm |
| snd_hda_codec_hdmi irqbypass crct10dif_pclmul crc32_pclmul |
| ghash_clmulni_intel thinkpad_acpi pcbc nvram snd_seq_midi |
| snd_seq_midi_event aesni_intel snd_hda_codec_realtek snd_hda_codec_generic |
| snd_rawmidi aes_x86_64 crypto_simd glue_helper snd_hda_intel snd_hda_codec |
| cryptd intel_cstate arc4 snd_hda_core snd_seq snd_seq_device snd_hwdep |
| iwldvm intel_rapl_perf mac80211 joydev input_leds iwlwifi serio_raw |
| cfg80211 snd_pcm shpchp snd_timer snd mac_hid mei_me lpc_ich mei soundcore |
| sunrpc parport_pc ppdev lp parport autofs4 i915 psmouse |
| e1000e ahci libahci i2c_algo_bit sdhci_pci ptp drm_kms_helper sdhci |
| pps_core syscopyarea sysfillrect sysimgblt fb_sys_fops drm wmi video |
| cpu: 1 pid: 4450 comm: dlm_test.exe not tainted 4.12.4-041204-generic |
| hardware name: lenovo 232425u/232425u, bios g2et82ww (2.02 ) 09/11/2012 |
| task: ffff96b0cbabe140 task.stack: ffffb199027d0000 |
| rip: 0010:sysfs_warn_dup+0x56/0x70 |
| rsp: 0018:ffffb199027d3c58 eflags: 00010282 |
| rax: 0000000000000038 rbx: ffff96b0e2c49158 rcx: 0000000000000006 |
| rdx: 0000000000000000 rsi: 0000000000000086 rdi: ffff96b15e24dcc0 |
| rbp: ffffb199027d3c70 r08: 0000000000000001 r09: 0000000000000721 |
| r10: ffffb199027d3c00 r11: 0000000000000721 r12: ffffb199027d3cd1 |
| r13: ffff96b1592088f0 r14: 0000000000000001 r15: ffffffffffffffef |
| fs: 00007f78069c0700(0000) gs:ffff96b15e240000(0000) |
| knlgs:0000000000000000 |
| cs: 0010 ds: 0000 es: 0000 cr0: 0000000080050033 |
| cr2: 000000178625ed28 cr3: 0000000091d3e000 cr4: 00000000001406e0 |
| call trace: |
| sysfs_do_create_link_sd.isra.2+0x9e/0xb0 |
| sysfs_create_link+0x25/0x40 |
| device_add+0x5a9/0x640 |
| device_create_groups_vargs+0xe0/0xf0 |
| device_create_with_groups+0x3f/0x60 |
| ? snprintf+0x45/0x70 |
| misc_register+0x140/0x180 |
| device_write+0x6a8/0x790 [dlm] |
| __vfs_write+0x37/0x160 |
| ? apparmor_file_permission+0x1a/0x20 |
| ? security_file_permission+0x3b/0xc0 |
| vfs_write+0xb5/0x1a0 |
| sys_write+0x55/0xc0 |
| ? sys_fcntl+0x5d/0xb0 |
| entry_syscall_64_fastpath+0x1e/0xa9 |
| rip: 0033:0x7f78083454bd |
| rsp: 002b:00007f78069bbd30 eflags: 00000293 orig_rax: 0000000000000001 |
| rax: ffffffffffffffda rbx: 0000000000000006 rcx: 00007f78083454bd |
| rdx: 000000000000009c rsi: 00007f78069bee00 rdi: 0000000000000005 |
| rbp: 00007f77f8000a20 r08: 000000000000fcf0 r09: 0000000000000032 |
| r10: 0000000000000024 r11: 0000000000000293 r12: 00007f78069bde00 |
| r13: 00007f78069bee00 r14: 000000000000000a r15: 00007f78069bbd70 |
| code: 85 c0 48 89 c3 74 12 b9 00 10 00 00 48 89 c2 31 f6 4c 89 ef e8 2c c8 |
| ff ff 4c 89 e2 48 89 de 48 c7 c7 b0 8e 0c a8 e8 41 e8 ed ff <0f> ff 48 89 |
| df e8 00 d5 f4 ff 5b 41 5c 41 5d 5d c3 66 0f 1f 84 |
| ---[ end trace 40412246357cc9e0 ]--- |
| |
| dlm: 59f24629-ae39-44e2-9030-397ebc2eda26: leaving the lockspace group... |
| bug: unable to handle kernel null pointer dereference at 0000000000000001 |
| ip: [<ffffffff811a3b4a>] kmem_cache_alloc+0x7a/0x140 |
| pgd 0 |
| oops: 0000 [#1] smp |
| modules linked in: dlm 8021q garp mrp stp llc openvswitch nf_defrag_ipv6 |
| nf_conntrack libcrc32c iptable_filter dm_multipath crc32_pclmul dm_mod |
| aesni_intel psmouse aes_x86_64 sg ablk_helper cryptd lrw gf128mul |
| glue_helper i2c_piix4 nls_utf8 tpm_tis tpm isofs nfsd auth_rpcgss |
| oid_registry nfs_acl lockd grace sunrpc xen_wdt ip_tables x_tables autofs4 |
| hid_generic usbhid hid sr_mod cdrom sd_mod ata_generic pata_acpi 8139too |
| serio_raw ata_piix 8139cp mii uhci_hcd ehci_pci ehci_hcd libata |
| scsi_dh_rdac scsi_dh_hp_sw scsi_dh_emc scsi_dh_alua scsi_mod ipv6 |
| cpu: 0 pid: 394 comm: systemd-udevd tainted: g w 4.4.0+0 #1 |
| hardware name: xen hvm domu, bios 4.7.2-2.2 05/11/2017 |
| task: ffff880002410000 ti: ffff88000243c000 task.ti: ffff88000243c000 |
| rip: e030:[<ffffffff811a3b4a>] [<ffffffff811a3b4a>] |
| kmem_cache_alloc+0x7a/0x140 |
| rsp: e02b:ffff88000243fd90 eflags: 00010202 |
| rax: 0000000000000000 rbx: ffff8800029864d0 rcx: 000000000007b36c |
| rdx: 000000000007b36b rsi: 00000000024000c0 rdi: ffff880036801c00 |
| rbp: ffff88000243fdc0 r08: 0000000000018880 r09: 0000000000000054 |
| r10: 000000000000004a r11: ffff880034ace6c0 r12: 00000000024000c0 |
| r13: ffff880036801c00 r14: 0000000000000001 r15: ffffffff8118dcc2 |
| fs: 00007f0ab77548c0(0000) gs:ffff880036e00000(0000) knlgs:0000000000000000 |
| cs: e033 ds: 0000 es: 0000 cr0: 0000000080050033 |
| cr2: 0000000000000001 cr3: 000000000332d000 cr4: 0000000000040660 |
| stack: |
| ffffffff8118dc90 ffff8800029864d0 0000000000000000 ffff88003430b0b0 |
| ffff880034b78320 ffff88003430b0b0 ffff88000243fdf8 ffffffff8118dcc2 |
| ffff8800349c6700 ffff8800029864d0 000000000000000b 00007f0ab7754b90 |
| call trace: |
| [<ffffffff8118dc90>] ? anon_vma_fork+0x60/0x140 |
| [<ffffffff8118dcc2>] anon_vma_fork+0x92/0x140 |
| [<ffffffff8107033e>] copy_process+0xcae/0x1a80 |
| [<ffffffff8107128b>] _do_fork+0x8b/0x2d0 |
| [<ffffffff81071579>] sys_clone+0x19/0x20 |
| [<ffffffff815a30ae>] entry_syscall_64_fastpath+0x12/0x71 |
| ] code: f6 75 1c 4c 89 fa 44 89 e6 4c 89 ef e8 a7 e4 00 00 41 f7 c4 00 80 |
| 00 00 49 89 c6 74 47 eb 32 49 63 45 20 48 8d 4a 01 4d 8b 45 00 <49> 8b 1c |
| 06 4c 89 f0 65 49 0f c7 08 0f 94 c0 84 c0 74 ac 49 63 |
| rip [<ffffffff811a3b4a>] kmem_cache_alloc+0x7a/0x140 |
| rsp <ffff88000243fd90> |
| cr2: 0000000000000001 |
| --[ end trace 70cb9fd1b164a0e8 ]-- |
| |
| Signed-off-by: Edwin Török <edvin.torok@citrix.com> |
| Signed-off-by: David Teigland <teigland@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/dlm/user.c | 4 ++++ |
| 1 file changed, 4 insertions(+) |
| |
| --- a/fs/dlm/user.c |
| +++ b/fs/dlm/user.c |
| @@ -355,6 +355,10 @@ static int dlm_device_register(struct dl |
| error = misc_register(&ls->ls_device); |
| if (error) { |
| kfree(ls->ls_device.name); |
| + /* this has to be set to NULL |
| + * to avoid a double-free in dlm_device_deregister |
| + */ |
| + ls->ls_device.name = NULL; |
| } |
| fail: |
| return error; |
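Review bot: The new block comment at lines 145-147 opens with text on the `/*` line, which the kernel's coding-style guidance reserves for net/ and drivers/net/; the rest of fs/ uses the opening `/*` alone on its line, so `/*` / ` * Set to NULL so dlm_device_deregister does not free it again.` / ` */` would match the surrounding file better. The fix itself looks sound regardless of how dlm_device_deregister checks the field, because kfree() on a NULL pointer is a no-op; that function is outside the hunk, so its exact check is inferred from the commit description. dlm_device_register's opening lines, including where ls_device.name is allocated, are also outside this hunk, so the `fail:` label's other users are not visible here.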