[PATCH] fs/locks.c: Fix sys_flock() race

sys_flock() currently has a race which can result in a double free in the
multi-thread case.

Thread 1			Thread 2

sys_flock(file, LOCK_EX)
				sys_flock(file, LOCK_UN)

If Thread 2 removes the lock from inode->i_lock before Thread 1 tests for
list_empty(&lock->fl_link) at the end of sys_flock, then both threads will
end up calling locks_free_lock for the same lock.

Fix is to make flock_lock_file() do the same as posix_lock_file(), namely
to make a copy of the request, so that the caller can always free the lock.

This also has the side-effect of fixing up a reference problem in the
lockd handling of flock.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
Trond Myklebust 2006-03-31 02:30:55 -08:00 committed by Linus Torvalds
parent 7a2bd3f7ef
commit 993dfa8776

View File

@ -726,8 +726,9 @@ EXPORT_SYMBOL(posix_locks_deadlock);
* at the head of the list, but that's secret knowledge known only to * at the head of the list, but that's secret knowledge known only to
* flock_lock_file and posix_lock_file. * flock_lock_file and posix_lock_file.
*/ */
static int flock_lock_file(struct file *filp, struct file_lock *new_fl) static int flock_lock_file(struct file *filp, struct file_lock *request)
{ {
struct file_lock *new_fl = NULL;
struct file_lock **before; struct file_lock **before;
struct inode * inode = filp->f_dentry->d_inode; struct inode * inode = filp->f_dentry->d_inode;
int error = 0; int error = 0;
@ -742,17 +743,19 @@ static int flock_lock_file(struct file *filp, struct file_lock *new_fl)
continue; continue;
if (filp != fl->fl_file) if (filp != fl->fl_file)
continue; continue;
if (new_fl->fl_type == fl->fl_type) if (request->fl_type == fl->fl_type)
goto out; goto out;
found = 1; found = 1;
locks_delete_lock(before); locks_delete_lock(before);
break; break;
} }
unlock_kernel();
if (new_fl->fl_type == F_UNLCK) if (request->fl_type == F_UNLCK)
return 0; goto out;
new_fl = locks_alloc_lock();
if (new_fl == NULL)
goto out;
/* /*
* If a higher-priority process was blocked on the old file lock, * If a higher-priority process was blocked on the old file lock,
* give it the opportunity to lock the file. * give it the opportunity to lock the file.
@ -760,26 +763,27 @@ static int flock_lock_file(struct file *filp, struct file_lock *new_fl)
if (found) if (found)
cond_resched(); cond_resched();
lock_kernel();
for_each_lock(inode, before) { for_each_lock(inode, before) {
struct file_lock *fl = *before; struct file_lock *fl = *before;
if (IS_POSIX(fl)) if (IS_POSIX(fl))
break; break;
if (IS_LEASE(fl)) if (IS_LEASE(fl))
continue; continue;
if (!flock_locks_conflict(new_fl, fl)) if (!flock_locks_conflict(request, fl))
continue; continue;
error = -EAGAIN; error = -EAGAIN;
if (new_fl->fl_flags & FL_SLEEP) { if (request->fl_flags & FL_SLEEP)
locks_insert_block(fl, new_fl); locks_insert_block(fl, request);
}
goto out; goto out;
} }
locks_copy_lock(new_fl, request);
locks_insert_lock(&inode->i_flock, new_fl); locks_insert_lock(&inode->i_flock, new_fl);
error = 0; new_fl = NULL;
out: out:
unlock_kernel(); unlock_kernel();
if (new_fl)
locks_free_lock(new_fl);
return error; return error;
} }
@ -1560,9 +1564,7 @@ asmlinkage long sys_flock(unsigned int fd, unsigned int cmd)
error = flock_lock_file_wait(filp, lock); error = flock_lock_file_wait(filp, lock);
out_free: out_free:
if (list_empty(&lock->fl_link)) { locks_free_lock(lock);
locks_free_lock(lock);
}
out_putf: out_putf:
fput(filp); fput(filp);