Commit 87533332 authored by Al Viro

autofs4: catatonic_mode vs. notify_daemon race



we need to hold ->wq_mutex while we are forming the packet to send,
lest we have autofs4_catatonic_mode() setting wq->name.name to NULL
just as autofs4_notify_daemon() decides to memcpy() from it...

We do have a check for catatonic mode immediately after that (under
->wq_mutex, as it ought to be) and packet won't be actually sent,
but it'll be too late for us if we oops on that memcpy() from NULL...

Fix is obvious - just extend the area covered by ->wq_mutex over
that switch and check whether it's catatonic *before* doing anything
else.

Acked-by: Ian Kent <raven@themaw.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
parent 4041bcdc
+14 −11
@@ -110,6 +110,13 @@ static void autofs4_notify_daemon(struct autofs_sb_info *sbi,

	pkt.hdr.proto_version = sbi->version;
	pkt.hdr.type = type;
	mutex_lock(&sbi->wq_mutex);

	/* Check if we have become catatonic */
	if (sbi->catatonic) {
		mutex_unlock(&sbi->wq_mutex);
		return;
	}
	switch (type) {
	/* Kernel protocol v4 missing and expire packets */
	case autofs_ptype_missing:
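Review bot: the comment over the new sbi->catatonic test, placed right after mutex_lock(&sbi->wq_mutex), says what is checked but not why the lock has to be taken before the switch. The commit message gives the reason (the packet-building cases copy from wq->name.name, which autofs4_catatonic_mode() can set to NULL), and that belongs in the code too, otherwise a later cleanup could move the lock back down past the switch to shorten the critical section and reintroduce the oops. Suggest extending the comment to say that wq_mutex must stay held for the whole switch because it protects wq->name while the packet is formed.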
@@ -163,23 +170,19 @@ static void autofs4_notify_daemon(struct autofs_sb_info *sbi,
	}
	default:
		printk("autofs4_notify_daemon: bad type %d!\n", type);
		mutex_unlock(&sbi->wq_mutex);
		return;
	}

	/* Check if we have become catatonic */
	mutex_lock(&sbi->wq_mutex);
	if (!sbi->catatonic) {
	pipe = sbi->pipe;
	get_file(pipe);
	}

	mutex_unlock(&sbi->wq_mutex);

	if (pipe) {
	if (autofs4_write(pipe, &pkt, pktsz))
		autofs4_catatonic_mode(sbi);
	fput(pipe);
}
}

static int autofs4_getpath(struct autofs_sb_info *sbi,
			   struct dentry *dentry, char **name)
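Review bot: the default: branch now carries its own mutex_unlock(&sbi->wq_mutex) before return, which is the second hand-written unlock-and-return in this function after the catatonic check at the top. With the mutex held across the entire switch, any case added later that bails out early will leave wq_mutex locked. A single out_unlock label that both early exits jump to would make that mistake harder to introduce. Separately, a short comment at get_file(pipe) would help: the reference taken under the mutex is what keeps the pipe valid for autofs4_write() once the mutex has been dropped, and it is released by the fput(pipe) that follows.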