• Edwin Török's avatar
    dlm: avoid double-free on error path in dlm_device_{register,unregister} · 5c23d3ed
    Edwin Török authored
    commit 55acdd92 upstream.
    
    Can be reproduced when running dlm_controld (tested on 4.4.x, 4.12.4):
     # seq 1 100 | xargs -P0 -n1 dlm_tool join
     # seq 1 100 | xargs -P0 -n1 dlm_tool leave
    
    misc_register fails due to duplicate sysfs entry, which causes
    dlm_device_register to free ls->ls_device.name.
    In dlm_device_deregister the name was freed again, causing memory
    corruption.
    
    According to the comment in dlm_device_deregister the name should've been
    set to NULL when registration fails,
    so this patch does that.
    
    sysfs: cannot create duplicate filename '/dev/char/10:1'
    ------------[ cut here ]------------
    warning: cpu: 1 pid: 4450 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x56/0x70
    modules linked in: msr rfcomm dlm ccm bnep dm_crypt uvcvideo
    videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core videodev
    btusb media btrtl btbcm btintel bluetooth ecdh_generic intel_rapl
    x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm
    snd_hda_codec_hdmi irqbypass crct10dif_pclmul crc32_pclmul
    ghash_clmulni_intel thinkpad_acpi pcbc nvram snd_seq_midi
    snd_seq_midi_event aesni_intel snd_hda_codec_realtek snd_hda_codec_generic
    snd_rawmidi aes_x86_64 crypto_simd glue_helper snd_hda_intel snd_hda_codec
    cryptd intel_cstate arc4 snd_hda_core snd_seq snd_seq_device snd_hwdep
    iwldvm intel_rapl_perf mac80211 joydev input_leds iwlwifi serio_raw
    cfg80211 snd_pcm shpchp snd_timer snd mac_hid mei_me lpc_ich mei soundcore
    sunrpc parport_pc ppdev lp parport autofs4 i915 psmouse
     e1000e ahci libahci i2c_algo_bit sdhci_pci ptp drm_kms_helper sdhci
    pps_core syscopyarea sysfillrect sysimgblt fb_sys_fops drm wmi video
    cpu: 1 pid: 4450 comm: dlm_test.exe not tainted 4.12.4-041204-generic
    hardware name: lenovo 232425u/232425u, bios g2et82ww (2.02 ) 09/11/2012
    task: ffff96b0cbabe140 task.stack: ffffb199027d0000
    rip: 0010:sysfs_warn_dup+0x56/0x70
    rsp: 0018:ffffb199027d3c58 eflags: 00010282
    rax: 0000000000000038 rbx: ffff96b0e2c49158 rcx: 0000000000000006
    rdx: 0000000000000000 rsi: 0000000000000086 rdi: ffff96b15e24dcc0
    rbp: ffffb199027d3c70 r08: 0000000000000001 r09: 0000000000000721
    r10: ffffb199027d3c00 r11: 0000000000000721 r12: ffffb199027d3cd1
    r13: ffff96b1592088f0 r14: 0000000000000001 r15: ffffffffffffffef
    fs:  00007f78069c0700(0000) gs:ffff96b15e240000(0000)
    knlgs:0000000000000000
    cs:  0010 ds: 0000 es: 0000 cr0: 0000000080050033
    cr2: 000000178625ed28 cr3: 0000000091d3e000 cr4: 00000000001406e0
    call trace:
     sysfs_do_create_link_sd.isra.2+0x9e/0xb0
     sysfs_create_link+0x25/0x40
     device_add+0x5a9/0x640
     device_create_groups_vargs+0xe0/0xf0
     device_create_with_groups+0x3f/0x60
     ? snprintf+0x45/0x70
     misc_register+0x140/0x180
     device_write+0x6a8/0x790 [dlm]
     __vfs_write+0x37/0x160
     ? apparmor_file_permission+0x1a/0x20
     ? security_file_permission+0x3b/0xc0
     vfs_write+0xb5/0x1a0
     sys_write+0x55/0xc0
     ? sys_fcntl+0x5d/0xb0
     entry_syscall_64_fastpath+0x1e/0xa9
    rip: 0033:0x7f78083454bd
    rsp: 002b:00007f78069bbd30 eflags: 00000293 orig_rax: 0000000000000001
    rax: ffffffffffffffda rbx: 0000000000000006 rcx: 00007f78083454bd
    rdx: 000000000000009c rsi: 00007f78069bee00 rdi: 0000000000000005
    rbp: 00007f77f8000a20 r08: 000000000000fcf0 r09: 0000000000000032
    r10: 0000000000000024 r11: 0000000000000293 r12: 00007f78069bde00
    r13: 00007f78069bee00 r14: 000000000000000a r15: 00007f78069bbd70
    code: 85 c0 48 89 c3 74 12 b9 00 10 00 00 48 89 c2 31 f6 4c 89 ef e8 2c c8
    ff ff 4c 89 e2 48 89 de 48 c7 c7 b0 8e 0c a8 e8 41 e8 ed ff <0f> ff 48 89
    df e8 00 d5 f4 ff 5b 41 5c 41 5d 5d c3 66 0f 1f 84
    ---[ end trace 40412246357cc9e0 ]---
    
    dlm: 59f24629-ae39-44e2-9030-397ebc2eda26: leaving the lockspace group...
    bug: unable to handle kernel null pointer dereference at 0000000000000001
    ip: [<ffffffff811a3b4a>] kmem_cache_alloc+0x7a/0x140
    pgd 0
    oops: 0000 [#1] smp
    modules linked in: dlm 8021q garp mrp stp llc openvswitch nf_defrag_ipv6
    nf_conntrack libcrc32c iptable_filter dm_multipath crc32_pclmul dm_mod
    aesni_intel psmouse aes_x86_64 sg ablk_helper cryptd lrw gf128mul
    glue_helper i2c_piix4 nls_utf8 tpm_tis tpm isofs nfsd auth_rpcgss
    oid_registry nfs_acl lockd grace sunrpc xen_wdt ip_tables x_tables autofs4
    hid_generic usbhid hid sr_mod cdrom sd_mod ata_generic pata_acpi 8139too
    serio_raw ata_piix 8139cp mii uhci_hcd ehci_pci ehci_hcd libata
    scsi_dh_rdac scsi_dh_hp_sw scsi_dh_emc scsi_dh_alua scsi_mod ipv6
    cpu: 0 pid: 394 comm: systemd-udevd tainted: g w 4.4.0+0 #1
    hardware name: xen hvm domu, bios 4.7.2-2.2 05/11/2017
    task: ffff880002410000 ti: ffff88000243c000 task.ti: ffff88000243c000
    rip: e030:[<ffffffff811a3b4a>] [<ffffffff811a3b4a>]
    kmem_cache_alloc+0x7a/0x140
    rsp: e02b:ffff88000243fd90 eflags: 00010202
    rax: 0000000000000000 rbx: ffff8800029864d0 rcx: 000000000007b36c
    rdx: 000000000007b36b rsi: 00000000024000c0 rdi: ffff880036801c00
    rbp: ffff88000243fdc0 r08: 0000000000018880 r09: 0000000000000054
    r10: 000000000000004a r11: ffff880034ace6c0 r12: 00000000024000c0
    r13: ffff880036801c00 r14: 0000000000000001 r15: ffffffff8118dcc2
    fs: 00007f0ab77548c0(0000) gs:ffff880036e00000(0000) knlgs:0000000000000000
    cs: e033 ds: 0000 es: 0000 cr0: 0000000080050033
    cr2: 0000000000000001 cr3: 000000000332d000 cr4: 0000000000040660
    stack:
    ffffffff8118dc90 ffff8800029864d0 0000000000000000 ffff88003430b0b0
    ffff880034b78320 ffff88003430b0b0 ffff88000243fdf8 ffffffff8118dcc2
    ffff8800349c6700 ffff8800029864d0 000000000000000b 00007f0ab7754b90
    call trace:
    [<ffffffff8118dc90>] ? anon_vma_fork+0x60/0x140
    [<ffffffff8118dcc2>] anon_vma_fork+0x92/0x140
    [<ffffffff8107033e>] copy_process+0xcae/0x1a80
    [<ffffffff8107128b>] _do_fork+0x8b/0x2d0
    [<ffffffff81071579>] sys_clone+0x19/0x20
    [<ffffffff815a30ae>] entry_syscall_64_fastpath+0x12/0x71
    ] code: f6 75 1c 4c 89 fa 44 89 e6 4c 89 ef e8 a7 e4 00 00 41 f7 c4 00 80
    00 00 49 89 c6 74 47 eb 32 49 63 45 20 48 8d 4a 01 4d 8b 45 00 <49> 8b 1c
    06 4c 89 f0 65 49 0f c7 08 0f 94 c0 84 c0 74 ac 49 63
    rip [<ffffffff811a3b4a>] kmem_cache_alloc+0x7a/0x140
    rsp <ffff88000243fd90>
    cr2: 0000000000000001
    --[ end trace 70cb9fd1b164a0e8 ]--
    Signed-off-by: 's avatarEdwin Török <edvin.torok@citrix.com>
    Signed-off-by: 's avatarDavid Teigland <teigland@redhat.com>
    Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    5c23d3ed
Name
Last commit
Last update
..
Kconfig Loading commit data...
Makefile Loading commit data...
ast.c Loading commit data...
ast.h Loading commit data...
config.c Loading commit data...
config.h Loading commit data...
debug_fs.c Loading commit data...
dir.c Loading commit data...
dir.h Loading commit data...
dlm_internal.h Loading commit data...
lock.c Loading commit data...
lock.h Loading commit data...
lockspace.c Loading commit data...
lockspace.h Loading commit data...
lowcomms.c Loading commit data...
lowcomms.h Loading commit data...
lvb_table.h Loading commit data...
main.c Loading commit data...
member.c Loading commit data...
member.h Loading commit data...
memory.c Loading commit data...
memory.h Loading commit data...
midcomms.c Loading commit data...
midcomms.h Loading commit data...
netlink.c Loading commit data...
plock.c Loading commit data...
rcom.c Loading commit data...
rcom.h Loading commit data...
recover.c Loading commit data...
recover.h Loading commit data...
recoverd.c Loading commit data...
recoverd.h Loading commit data...
requestqueue.c Loading commit data...
requestqueue.h Loading commit data...
user.c Loading commit data...
user.h Loading commit data...
util.c Loading commit data...
util.h Loading commit data...