[Ocfs2-devel] [PATCH] ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent

alex chen alex.chen at huawei.com
Mon Oct 23 18:45:12 PDT 2017 

Hi Joseph,

On 2017/10/23 10:59, Joseph Qi wrote:
> Hi Alex,
> 
> On 17/10/20 16:27, alex chen wrote:
>> The subsystem.su_mutex is required while accessing the item->ci_parent,
>> otherwise, NULL pointer dereference to the item->ci_parent will be
>> triggered in the following situation:
>> add node                     delete node
>> sys_write
>>  vfs_write
>>   configfs_write_file
>>    o2nm_node_store
>>     o2nm_node_local_write
>>                              do_rmdir
>>                               vfs_rmdir
>>                                configfs_rmdir
>>                                 mutex_lock(&subsys->su_mutex);
>>                                 unlink_obj
>>                                  item->ci_group = NULL;
>>                                  item->ci_parent = NULL;			
>> 	 to_o2nm_cluster_from_node
>> 	  node->nd_item.ci_parent->ci_parent
>> 	  BUG since of NULL pointer dereference to nd_item.ci_parent
>>
>> Moreover, the o2nm_cluster also should be protected by the subsystem.su_mutex.
>>
> Looks good to me. One suggestion is, we'd better add some blank lines
> for code readability.

Thanks for your suggestions, i will send the patch v2.

Thanks
Alex

> 
>> Signed-off-by: Alex Chen <alex.chen at huawei.com>
>> Reviewed-by: Jun Piao <piaojun at huawei.com>
>>
>> ---
>>  fs/ocfs2/cluster/nodemanager.c | 58 ++++++++++++++++++++++++++++++++++--------
>>  1 file changed, 48 insertions(+), 10 deletions(-)
>>
>> diff --git a/fs/ocfs2/cluster/nodemanager.c b/fs/ocfs2/cluster/nodemanager.c
>> index b17d180..9b1859a 100644
>> --- a/fs/ocfs2/cluster/nodemanager.c
>> +++ b/fs/ocfs2/cluster/nodemanager.c
>> @@ -39,6 +39,8 @@
>>  		"reset",	/* O2NM_FENCE_RESET */
>>  		"panic",	/* O2NM_FENCE_PANIC */
>>  };
>> +static inline void o2nm_lock_subsystem(void);
>> +static inline void o2nm_unlock_subsystem(void);
>>
>>  struct o2nm_node *o2nm_get_node_by_num(u8 node_num)
>>  {
>> @@ -181,7 +183,10 @@ static struct o2nm_cluster *to_o2nm_cluster_from_node(struct o2nm_node *node)
>>  {
>>  	/* through the first node_set .parent
>>  	 * mycluster/nodes/mynode == o2nm_cluster->o2nm_node_group->o2nm_node */
>> -	return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);
>> +	if (node->nd_item.ci_parent)
>> +		return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);
>> +	else
>> +		return NULL;
>>  }
>>
>>  enum {
>> @@ -194,7 +199,7 @@ static ssize_t o2nm_node_num_store(struct config_item *item, const char *page,
>>  				   size_t count)
>>  {
>>  	struct o2nm_node *node = to_o2nm_node(item);
>> -	struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
>> +	struct o2nm_cluster *cluster;
>>  	unsigned long tmp;
>>  	char *p = (char *)page;
>>  	int ret = 0;
>> @@ -213,6 +218,12 @@ static ssize_t o2nm_node_num_store(struct config_item *item, const char *page,
>>  	if (!test_bit(O2NM_NODE_ATTR_ADDRESS, &node->nd_set_attributes) ||
>>  	    !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))
>>  		return -EINVAL; /* XXX */
> <<< A blank line here may be better.
> 
>> +	o2nm_lock_subsystem();
>> +	cluster = to_o2nm_cluster_from_node(node);
>> +	if (!cluster) {
>> +		o2nm_unlock_subsystem();
>> +		return -EINVAL;
>> +	}
>>
>>  	write_lock(&cluster->cl_nodes_lock);
>>  	if (cluster->cl_nodes[tmp])
>> @@ -226,6 +237,7 @@ static ssize_t o2nm_node_num_store(struct config_item *item, const char *page,
>>  		set_bit(tmp, cluster->cl_nodes_bitmap);
>>  	}
>>  	write_unlock(&cluster->cl_nodes_lock);
>> +	o2nm_unlock_subsystem();
>>  	if (ret)
>>  		return ret;
>>
>> @@ -269,7 +281,7 @@ static ssize_t o2nm_node_ipv4_address_store(struct config_item *item,
>>  					    size_t count)
>>  {
>>  	struct o2nm_node *node = to_o2nm_node(item);
>> -	struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
>> +	struct o2nm_cluster *cluster;
>>  	int ret, i;
>>  	struct rb_node **p, *parent;
>>  	unsigned int octets[4];
>> @@ -285,7 +297,12 @@ static ssize_t o2nm_node_ipv4_address_store(struct config_item *item,
>>  			return -ERANGE;
>>  		be32_add_cpu(&ipv4_addr, octets[i] << (i * 8));
>>  	}
>> -
> <<< Also here.
> 
>> +	o2nm_lock_subsystem();
>> +	cluster = to_o2nm_cluster_from_node(node);
>> +	if (!cluster) {
>> +		o2nm_unlock_subsystem();
>> +		return -EINVAL;
>> +	}
>>  	ret = 0;
>>  	write_lock(&cluster->cl_nodes_lock);
>>  	if (o2nm_node_ip_tree_lookup(cluster, ipv4_addr, &p, &parent))
>> @@ -298,6 +315,7 @@ static ssize_t o2nm_node_ipv4_address_store(struct config_item *item,
>>  		rb_insert_color(&node->nd_ip_node, &cluster->cl_node_ip_tree);
>>  	}
>>  	write_unlock(&cluster->cl_nodes_lock);
>> +	o2nm_unlock_subsystem();
>>  	if (ret)
>>  		return ret;
>>
>> @@ -315,7 +333,7 @@ static ssize_t o2nm_node_local_store(struct config_item *item, const char *page,
>>  				     size_t count)
>>  {
>>  	struct o2nm_node *node = to_o2nm_node(item);
>> -	struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
>> +	struct o2nm_cluster *cluster;
>>  	unsigned long tmp;
>>  	char *p = (char *)page;
>>  	ssize_t ret;
>> @@ -333,17 +351,24 @@ static ssize_t o2nm_node_local_store(struct config_item *item, const char *page,
>>  	    !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))
>>  		return -EINVAL; /* XXX */
>>
>> +	o2nm_lock_subsystem();
>> +	cluster = to_o2nm_cluster_from_node(node);
>> +	if (!cluster) {
>> +		ret = -EINVAL;
>> +		goto out;
>> +	}
> <<< Also here.
> 
>>  	/* the only failure case is trying to set a new local node
>>  	 * when a different one is already set */
>>  	if (tmp && tmp == cluster->cl_has_local &&
>> -	    cluster->cl_local_node != node->nd_num)
>> -		return -EBUSY;
>> -
>> +	    cluster->cl_local_node != node->nd_num) {
>> +		ret = -EBUSY;
>> +		goto out;
>> +	}
> <<< Also here.
> 
>>  	/* bring up the rx thread if we're setting the new local node. */
>>  	if (tmp && !cluster->cl_has_local) {
>>  		ret = o2net_start_listening(node);
>>  		if (ret)
>> -			return ret;
>> +			goto out;
>>  	}
>>
>>  	if (!tmp && cluster->cl_has_local &&
>> @@ -357,8 +382,11 @@ static ssize_t o2nm_node_local_store(struct config_item *item, const char *page,
>>  		cluster->cl_has_local = tmp;
>>  		cluster->cl_local_node = node->nd_num;
>>  	}
>> +	ret = count;
>>
>> -	return count;
>> +out:
>> +	o2nm_unlock_subsystem();
>> +	return ret;
>>  }
>>
>>  CONFIGFS_ATTR(o2nm_node_, num);
>> @@ -738,6 +766,16 @@ static void o2nm_cluster_group_drop_item(struct config_group *group, struct conf
>>  	},
>>  };
>>
>> +static inline void o2nm_lock_subsystem(void)
>> +{
>> +	mutex_lock(&o2nm_cluster_group.cs_subsys.su_mutex);
>> +}
>> +
>> +static inline void o2nm_unlock_subsystem(void)
>> +{
>> +	mutex_unlock(&o2nm_cluster_group.cs_subsys.su_mutex);
>> +}
>> +
>>  int o2nm_depend_item(struct config_item *item)
>>  {
>>  	return configfs_depend_item(&o2nm_cluster_group.cs_subsys, item);
>>
> 
> .
>

More information about the Ocfs2-devel mailing list