forked from Minki/linux
f57a22ddec
The following case will lead to a lockres that is freed but is still in use.

```
cat /sys/kernel/debug/o2dlm/locking_state    dlm_thread
lockres_seq_start
    -> lock dlm->track_lock
    -> get resA
                                             resA->refs decrease to 0,
                                             call dlm_lockres_release,
                                             and wait for "cat" unlock.
Although resA->refs is already set to 0,
increase resA->refs, and then unlock
                                             lock dlm->track_lock
                                                 -> list_del_init()
                                                 -> unlock
                                                 -> free resA
```

In such a race case, invalid address access may occur. So we should delete list res->tracking before resA->refs decrease to 0.

Signed-off-by: Yiwen Jiang <jiangyiwen@huawei.com>
Reviewed-by: Joseph Qi <joseph.qi@huawei.com>
Cc: Joel Becker <jlbec@evilplan.org>
Signed-off-by: Mark Fasheh <mfasheh@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

||
---|---|---|
.. | ||
dlmapi.h | ||
dlmast.c | ||
dlmcommon.h | ||
dlmconvert.c | ||
dlmconvert.h | ||
dlmdebug.c | ||
dlmdebug.h | ||
dlmdomain.c | ||
dlmdomain.h | ||
dlmlock.c | ||
dlmmaster.c | ||
dlmrecovery.c | ||
dlmthread.c | ||
dlmunlock.c | ||
Makefile |