/* -*- mode: c; c-basic-offset: 8; -*- * vim: noexpandtab sw=8 ts=8 sts=0: * * locks.c * * Userspace file locking support * * Copyright (C) 2007 Oracle. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public * License as published by the Free Software Foundation; either * version 2 of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public * License along with this program; if not, write to the * Free Software Foundation, Inc., 59 Temple Place - Suite 330, * Boston, MA 021110-1307, USA. */ #include #include #include #include "ocfs2.h" #include "dlmglue.h" #include "file.h" #include "inode.h" #include "locks.h" static int ocfs2_do_flock(struct file *file, struct inode *inode, int cmd, struct file_lock *fl) { int ret = 0, level = 0, trylock = 0; struct ocfs2_file_private *fp = file->private_data; struct ocfs2_lock_res *lockres = &fp->fp_flock; if (fl->fl_type == F_WRLCK) level = 1; if (!IS_SETLKW(cmd)) trylock = 1; mutex_lock(&fp->fp_mutex); if (lockres->l_flags & OCFS2_LOCK_ATTACHED && lockres->l_level > LKM_NLMODE) { int old_level = 0; if (lockres->l_level == LKM_EXMODE) old_level = 1; if (level == old_level) goto out; /* * Converting an existing lock is not guaranteed to be * atomic, so we can get away with simply unlocking * here and allowing the lock code to try at the new * level. */ locks_lock_file_wait(file, &(struct file_lock) { .fl_type = F_UNLCK, .fl_flags = FL_FLOCK }); ocfs2_file_unlock(file); } ret = ocfs2_file_lock(file, level, trylock); if (ret) { if (ret == -EAGAIN && trylock) ret = -EWOULDBLOCK; else mlog_errno(ret); goto out; } ret = locks_lock_file_wait(file, fl); if (ret) ocfs2_file_unlock(file); out: mutex_unlock(&fp->fp_mutex); return ret; } static int ocfs2_do_funlock(struct file *file, int cmd, struct file_lock *fl) { int ret; struct ocfs2_file_private *fp = file->private_data; mutex_lock(&fp->fp_mutex); ocfs2_file_unlock(file); ret = locks_lock_file_wait(file, fl); mutex_unlock(&fp->fp_mutex); return ret; } /* * Overall flow of ocfs2_flock() was influenced by gfs2_flock(). */ int ocfs2_flock(struct file *file, int cmd, struct file_lock *fl) { struct inode *inode = file->f_mapping->host; struct ocfs2_super *osb = OCFS2_SB(inode->i_sb); if (!(fl->fl_flags & FL_FLOCK)) return -ENOLCK; if (__mandatory_lock(inode)) return -ENOLCK; if ((osb->s_mount_opt & OCFS2_MOUNT_LOCALFLOCKS) || ocfs2_mount_local(osb)) return locks_lock_file_wait(file, fl); if (fl->fl_type == F_UNLCK) return ocfs2_do_funlock(file, cmd, fl); else return ocfs2_do_flock(file, inode, cmd, fl); } int ocfs2_lock(struct file *file, int cmd, struct file_lock *fl) { struct inode *inode = file->f_mapping->host; struct ocfs2_super *osb = OCFS2_SB(inode->i_sb); if (!(fl->fl_flags & FL_POSIX)) return -ENOLCK; if (__mandatory_lock(inode) && fl->fl_type != F_UNLCK) return -ENOLCK; return ocfs2_plock(osb->cconn, OCFS2_I(inode)->ip_blkno, file, cmd, fl); } trl'>space:mode:
authorPeter Zijlstra <peterz@infradead.org>2017-01-26 16:39:55 +0100
committerIngo Molnar <mingo@kernel.org>2017-01-30 11:41:25 +0100
commita76a82a3e38c8d3fb6499e3dfaeb0949241ab588 (patch)
treeb5bc906278fe1ac66d75de984d26bf59b43b3ed8 /include/net/irda/irmod.h
parent566cf877a1fcb6d6dc0126b076aad062054c2637 (diff)
perf/core: Fix use-after-free bug
Dmitry reported a KASAN use-after-free on event->group_leader. It turns out there's a hole in perf_remove_from_context() due to event_function_call() not calling its function when the task associated with the event is already dead. In this case the event will have been detached from the task, but the grouping will have been retained, such that group operations might still work properly while there are live child events etc. This does however mean that we can miss a perf_group_detach() call when the group decomposes, this in turn can then lead to use-after-free. Fix it by explicitly doing the group detach if its still required. Reported-by: Dmitry Vyukov <dvyukov@google.com> Tested-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> Cc: Arnaldo Carvalho de Melo <acme@kernel.org> Cc: Arnaldo Carvalho de Melo <acme@redhat.com> Cc: Jiri Olsa <jolsa@redhat.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: stable@vger.kernel.org # v4.5+ Cc: syzkaller <syzkaller@googlegroups.com> Fixes: 63b6da39bb38 ("perf: Fix perf_event_exit_task() race") Link: http://lkml.kernel.org/r/20170126153955.GD6515@twins.programming.kicks-ass.net Signed-off-by: Ingo Molnar <mingo@kernel.org>
Diffstat (limited to 'include/net/irda/irmod.h')