From 519009f0b0fba6bbbaa80a1a0c27354bfc4582a0 Mon Sep 17 00:00:00 2001 From: Srinivas Eeda Date: Fri, 3 Oct 2014 09:29:02 +1000 Subject: [PATCH] o2dlm: fix NULL pointer dereference in o2dlm_blocking_ast_wrapper A tiny race between BAST and unlock message causes the NULL dereference. A node sends an unlock request to master and receives a response. Before processing the response it receives a BAST from the master. Since both requests are processed by different threads it creates a race. While the BAST is being processed, lock can get freed by unlock code. This patch makes bast to return immediately if lock is found but unlock is pending. The code should handle this race. We also have to fix master node to skip sending BAST after receiving unlock message. Below is the crash stack BUG: unable to handle kernel NULL pointer dereference at 0000000000000048 IP: [] o2dlm_blocking_ast_wrapper+0xd/0x16 [] dlm_do_local_bast+0x8e/0x97 [ocfs2_dlm] [] dlm_proxy_ast_handler+0x838/0x87e [ocfs2_dlm] [] o2net_process_message+0x395/0x5b8 [ocfs2_nodemanager] [] o2net_rx_until_empty+0x762/0x90d [ocfs2_nodemanager] [] worker_thread+0x14d/0x1ed Signed-off-by: Srinivas Eeda Cc: Mark Fasheh Cc: Joel Becker Signed-off-by: Andrew Morton --- fs/ocfs2/dlm/dlmast.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/fs/ocfs2/dlm/dlmast.c b/fs/ocfs2/dlm/dlmast.c index b46278f9ae446a..dbc6cee9a3317e 100644 --- a/fs/ocfs2/dlm/dlmast.c +++ b/fs/ocfs2/dlm/dlmast.c @@ -385,8 +385,13 @@ int dlm_proxy_ast_handler(struct o2net_msg *msg, u32 len, void *data, head = &res->granted; list_for_each_entry(lock, head, list) { - if (lock->ml.cookie == cookie) - goto do_ast; + /* if lock is found but unlock is pending ignore the bast */ + if (lock->ml.cookie == cookie) { + if (lock->unlock_pending) + break; + else + goto do_ast; + } } mlog(0, "Got %sast for unknown lock! cookie=%u:%llu, name=%.*s, "
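Review bot: In the `res->granted` loop, the new `break` on `lock->unlock_pending` is taken for every message that reaches this handler, while the comment and the commit message only talk about ignoring the BAST. The "Got %sast" format string just below suggests the same path also serves ASTs, so either test the message type before breaking or extend the comment to say why dropping an AST here is safe as well. After the `break`, control falls through to the "Got %sast for unknown lock!" mlog, which reports a lock that was in fact found as unknown; a separate message for the unlock-pending case would make this race distinguishable in logs. The `else` after `break` is redundant and can be dropped. The hunk does not show which lock is held around the read of `lock->unlock_pending`, so please confirm it is read under the same lock the unlock path takes when setting it. The commit message also says the master node still needs a fix to skip sending the BAST after an unlock; that change is not in this diff and should be tracked as a follow-up.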