LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

KSM runs into patent trouble

Tux3: the other next-generation filesystem

LWN.net Weekly Edition for November 27, 2008

LWN.net Weekly Edition for November 20, 2008

MinGW and why Linux users should care

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

[PATCH] fs: fcntl_setlease defies lease_init assumptions

[Posted May 11, 2006 by corbet]

From:  Daniel Hokka Zakrisson <daniel-AT-hozac.com>
To:  linux-kernel-AT-vger.kernel.org
Subject:  [PATCH] fs: fcntl_setlease defies lease_init assumptions
Date:  Mon, 08 May 2006 01:21:01 +0200
Cc:  =?ISO-8859-1?Q?Bj=F6rn_Steinbrink?= <B.Steinbrink-AT-gmx.de>, greg-AT-kroah.com, matthew-AT-wil.cx, torvalds-AT-osdl.org
Archive-link:  Article, Thread 

fcntl_setlease uses a struct file_lock on the stack to find the
file_lock it's actually looking for. The problem with this approach is
that lease_init will attempt to free the file_lock if the arg argument
is invalid, causing kmem_cache_free to be called with the address of the
on-stack file_lock.
After running the following test-case, it doesn't take long for an i686
machine running 2.6.16.13 to stop responding completely. 
2.6.17-rc3-git12 shows similar results, although it takes a bit more 
activity before crashing.

Björn Steinbrink also identified a slab leak in the same piece of code, 
caused by the fasync_helper call which will allocate a new slab every 
time because it uses the wrong structure (the one on the stack) when the 
a lease on that file already exists.

#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

void die(const char *msg)
{
	perror(msg);
	exit(1);
}
int main(int argc, char *argv[])
{
	int fd;
	if (argc == 1)
	{
		fprintf(stderr, "Usage: %s file\n", argv[0]);
		exit(1);
	}
	fd = open(argv[1], O_RDONLY);
	if (fd == -1)
		die("open()");
	if (fcntl(fd, F_SETLEASE, F_RDLCK) == -1)
		die("setlease(RDLCK)");
	if (fcntl(fd, F_SETLEASE, F_RDLCK) == -1)
		die("setlease(RDLCK2)");
	if (fcntl(fd, F_SETLEASE, 5) == -1)
		die("setlease(invalid)");
	close(fd);
	return 0;
}

Signed-off-by: Daniel Hokka Zakrisson <daniel@hozac.com>

---
--- a/fs/locks.c	2006-05-07 00:29:26.000000000 +0200
+++ b/fs/locks.c	2006-05-07 23:29:12.000000000 +0200
@@ -1363,6 +1363,7 @@ static int __setlease(struct file *filp,
  		goto out;

  	if (my_before != NULL) {
+		*flp = *my_before;
  		error = lease->fl_lmops->fl_change(my_before, arg);
  		goto out;
  	}
@@ -1433,7 +1434,7 @@ EXPORT_SYMBOL(setlease);
   */
  int fcntl_setlease(unsigned int fd, struct file *filp, long arg)
  {
-	struct file_lock fl, *flp = &fl;
+	struct file_lock *fl, *flp;
  	struct dentry *dentry = filp->f_dentry;
  	struct inode *inode = dentry->d_inode;
  	int error;
@@ -1446,14 +1447,15 @@ int fcntl_setlease(unsigned int fd, stru
  	if (error)
  		return error;

-	locks_init_lock(&fl);
-	error = lease_init(filp, arg, &fl);
+	error = lease_alloc(filp, arg, &fl);
  	if (error)
  		return error;
+	flp = fl;

  	lock_kernel();

  	error = __setlease(filp, arg, &flp);
+	locks_free_lock(fl);
  	if (error || arg == F_UNLCK)
  		goto out_unlock;
(Log in to post comments)

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds