dlm: fix plock use-after-free (c78a87d0) · Commits · e / devices / android_kernel_oneplus_sm8150

fs/dlm/plock.c

+10 −7

Original line number	Diff line number	Diff line
		@@ -353,7 +353,7 @@ static ssize_t dev_write(struct file file, const char __user u, size_t count,
		{
		struct dlm_plock_info info;
		struct plock_op *op;
		int found = 0;
		int found = 0, do_callback = 0;

		if (count != sizeof(info))
		return -EINVAL;
		@@ -366,21 +366,24 @@ static ssize_t dev_write(struct file file, const char __user u, size_t count,

		spin_lock(&ops_lock);
		list_for_each_entry(op, &recv_list, list) {
		if (op->info.fsid == info.fsid && op->info.number == info.number &&
		if (op->info.fsid == info.fsid &&
		op->info.number == info.number &&
		op->info.owner == info.owner) {
		struct plock_xop xop = (struct plock_xop )op;
		list_del_init(&op->list);
		found = 1;
		op->done = 1;
		memcpy(&op->info, &info, sizeof(info));
		if (xop->callback)
		do_callback = 1;
		else
		op->done = 1;
		found = 1;
		break;
		}
		}
		spin_unlock(&ops_lock);

		if (found) {
		struct plock_xop *xop;
		xop = (struct plock_xop *)op;
		if (xop->callback)
		if (do_callback)
		dlm_plock_callback(op);
		else
		wake_up(&recv_wq);