[PATCH 0/1][T] CVE-2017-18216 - DoS in ocfs2

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

[PATCH 0/1][T] CVE-2017-18216 - DoS in ocfs2

Tyler Hicks-2
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18216.html

 In fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, local
 users can cause a denial of service (NULL pointer dereference and BUG)
 because a required mutex is not used.

Tyler


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[PATCH 1/1] ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent

Tyler Hicks-2
From: alex chen <[hidden email]>

The subsystem.su_mutex is required while accessing the item->ci_parent,
otherwise, NULL pointer dereference to the item->ci_parent will be
triggered in the following situation:

add node                     delete node
sys_write
 vfs_write
  configfs_write_file
   o2nm_node_store
    o2nm_node_local_write
                             do_rmdir
                              vfs_rmdir
                               configfs_rmdir
                                mutex_lock(&subsys->su_mutex);
                                unlink_obj
                                 item->ci_group = NULL;
                                 item->ci_parent = NULL;
         to_o2nm_cluster_from_node
          node->nd_item.ci_parent->ci_parent
          BUG since of NULL pointer dereference to nd_item.ci_parent

Moreover, the o2nm_cluster also should be protected by the
subsystem.su_mutex.

[[hidden email]: v2]
  Link: http://lkml.kernel.org/r/59EEAA69.9080703@...
Link: http://lkml.kernel.org/r/59E9B36A.10700@...
Signed-off-by: Alex Chen <[hidden email]>
Reviewed-by: Jun Piao <[hidden email]>
Reviewed-by: Joseph Qi <[hidden email]>
Cc: Mark Fasheh <[hidden email]>
Cc: Joel Becker <[hidden email]>
Cc: Junxiao Bi <[hidden email]>
Signed-off-by: Andrew Morton <[hidden email]>
Signed-off-by: Linus Torvalds <[hidden email]>

CVE-2017-18216

(backported from commit 853bc26a7ea39e354b9f8889ae7ad1492ffa28d2)
Signed-off-by: Tyler Hicks <[hidden email]>
---
 fs/ocfs2/cluster/nodemanager.c | 63 ++++++++++++++++++++++++++++++++++++------
 1 file changed, 55 insertions(+), 8 deletions(-)

diff --git a/fs/ocfs2/cluster/nodemanager.c b/fs/ocfs2/cluster/nodemanager.c
index bb240647ca5f..c76302a51aed 100644
--- a/fs/ocfs2/cluster/nodemanager.c
+++ b/fs/ocfs2/cluster/nodemanager.c
@@ -41,6 +41,9 @@ char *o2nm_fence_method_desc[O2NM_FENCE_METHODS] = {
  "panic", /* O2NM_FENCE_PANIC */
 };
 
+static inline void o2nm_lock_subsystem(void);
+static inline void o2nm_unlock_subsystem(void);
+
 struct o2nm_node *o2nm_get_node_by_num(u8 node_num)
 {
  struct o2nm_node *node = NULL;
@@ -182,7 +185,10 @@ static struct o2nm_cluster *to_o2nm_cluster_from_node(struct o2nm_node *node)
 {
  /* through the first node_set .parent
  * mycluster/nodes/mynode == o2nm_cluster->o2nm_node_group->o2nm_node */
- return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);
+ if (node->nd_item.ci_parent)
+ return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);
+ else
+ return NULL;
 }
 
 enum {
@@ -195,7 +201,7 @@ enum {
 static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page,
    size_t count)
 {
- struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
+ struct o2nm_cluster *cluster;
  unsigned long tmp;
  char *p = (char *)page;
 
@@ -214,6 +220,13 @@ static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page,
     !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))
  return -EINVAL; /* XXX */
 
+ o2nm_lock_subsystem();
+ cluster = to_o2nm_cluster_from_node(node);
+ if (!cluster) {
+ o2nm_unlock_subsystem();
+ return -EINVAL;
+ }
+
  write_lock(&cluster->cl_nodes_lock);
  if (cluster->cl_nodes[tmp])
  p = NULL;
@@ -223,6 +236,8 @@ static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page,
  set_bit(tmp, cluster->cl_nodes_bitmap);
  }
  write_unlock(&cluster->cl_nodes_lock);
+ o2nm_unlock_subsystem();
+
  if (p == NULL)
  return -EEXIST;
 
@@ -262,7 +277,7 @@ static ssize_t o2nm_node_ipv4_address_write(struct o2nm_node *node,
     const char *page,
     size_t count)
 {
- struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
+ struct o2nm_cluster *cluster;
  int ret, i;
  struct rb_node **p, *parent;
  unsigned int octets[4];
@@ -279,6 +294,13 @@ static ssize_t o2nm_node_ipv4_address_write(struct o2nm_node *node,
  be32_add_cpu(&ipv4_addr, octets[i] << (i * 8));
  }
 
+ o2nm_lock_subsystem();
+ cluster = to_o2nm_cluster_from_node(node);
+ if (!cluster) {
+ o2nm_unlock_subsystem();
+ return -EINVAL;
+ }
+
  ret = 0;
  write_lock(&cluster->cl_nodes_lock);
  if (o2nm_node_ip_tree_lookup(cluster, ipv4_addr, &p, &parent))
@@ -288,6 +310,8 @@ static ssize_t o2nm_node_ipv4_address_write(struct o2nm_node *node,
  rb_insert_color(&node->nd_ip_node, &cluster->cl_node_ip_tree);
  }
  write_unlock(&cluster->cl_nodes_lock);
+ o2nm_unlock_subsystem();
+
  if (ret)
  return ret;
 
@@ -304,7 +328,7 @@ static ssize_t o2nm_node_local_read(struct o2nm_node *node, char *page)
 static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page,
      size_t count)
 {
- struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
+ struct o2nm_cluster *cluster;
  unsigned long tmp;
  char *p = (char *)page;
  ssize_t ret;
@@ -322,17 +346,26 @@ static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page,
     !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))
  return -EINVAL; /* XXX */
 
+ o2nm_lock_subsystem();
+ cluster = to_o2nm_cluster_from_node(node);
+ if (!cluster) {
+ ret = -EINVAL;
+ goto out;
+ }
+
  /* the only failure case is trying to set a new local node
  * when a different one is already set */
  if (tmp && tmp == cluster->cl_has_local &&
-    cluster->cl_local_node != node->nd_num)
- return -EBUSY;
+    cluster->cl_local_node != node->nd_num) {
+ ret = -EBUSY;
+ goto out;
+ }
 
  /* bring up the rx thread if we're setting the new local node. */
  if (tmp && !cluster->cl_has_local) {
  ret = o2net_start_listening(node);
  if (ret)
- return ret;
+ goto out;
  }
 
  if (!tmp && cluster->cl_has_local &&
@@ -347,7 +380,11 @@ static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page,
  cluster->cl_local_node = node->nd_num;
  }
 
- return count;
+ ret = count;
+
+out:
+ o2nm_unlock_subsystem();
+ return ret;
 }
 
 struct o2nm_node_attribute {
@@ -890,6 +927,16 @@ static struct o2nm_cluster_group o2nm_cluster_group = {
  },
 };
 
+static inline void o2nm_lock_subsystem(void)
+{
+ mutex_lock(&o2nm_cluster_group.cs_subsys.su_mutex);
+}
+
+static inline void o2nm_unlock_subsystem(void)
+{
+ mutex_unlock(&o2nm_cluster_group.cs_subsys.su_mutex);
+}
+
 int o2nm_depend_item(struct config_item *item)
 {
  return configfs_depend_item(&o2nm_cluster_group.cs_subsys, item);
--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK: [PATCH 1/1] ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent

Stefan Bader-2
On 14.09.2018 20:54, Tyler Hicks wrote:

> From: alex chen <[hidden email]>
>
> The subsystem.su_mutex is required while accessing the item->ci_parent,
> otherwise, NULL pointer dereference to the item->ci_parent will be
> triggered in the following situation:
>
> add node                     delete node
> sys_write
>  vfs_write
>   configfs_write_file
>    o2nm_node_store
>     o2nm_node_local_write
>                              do_rmdir
>                               vfs_rmdir
>                                configfs_rmdir
>                                 mutex_lock(&subsys->su_mutex);
>                                 unlink_obj
>                                  item->ci_group = NULL;
>                                  item->ci_parent = NULL;
> to_o2nm_cluster_from_node
>  node->nd_item.ci_parent->ci_parent
>  BUG since of NULL pointer dereference to nd_item.ci_parent
>
> Moreover, the o2nm_cluster also should be protected by the
> subsystem.su_mutex.
>
> [[hidden email]: v2]
>   Link: http://lkml.kernel.org/r/59EEAA69.9080703@...
> Link: http://lkml.kernel.org/r/59E9B36A.10700@...
> Signed-off-by: Alex Chen <[hidden email]>
> Reviewed-by: Jun Piao <[hidden email]>
> Reviewed-by: Joseph Qi <[hidden email]>
> Cc: Mark Fasheh <[hidden email]>
> Cc: Joel Becker <[hidden email]>
> Cc: Junxiao Bi <[hidden email]>
> Signed-off-by: Andrew Morton <[hidden email]>
> Signed-off-by: Linus Torvalds <[hidden email]>
>
> CVE-2017-18216
>
> (backported from commit 853bc26a7ea39e354b9f8889ae7ad1492ffa28d2)
> Signed-off-by: Tyler Hicks <[hidden email]>
Acked-by: Stefan Bader <[hidden email]>

> ---
>  fs/ocfs2/cluster/nodemanager.c | 63 ++++++++++++++++++++++++++++++++++++------
>  1 file changed, 55 insertions(+), 8 deletions(-)
>
> diff --git a/fs/ocfs2/cluster/nodemanager.c b/fs/ocfs2/cluster/nodemanager.c
> index bb240647ca5f..c76302a51aed 100644
> --- a/fs/ocfs2/cluster/nodemanager.c
> +++ b/fs/ocfs2/cluster/nodemanager.c
> @@ -41,6 +41,9 @@ char *o2nm_fence_method_desc[O2NM_FENCE_METHODS] = {
>   "panic", /* O2NM_FENCE_PANIC */
>  };
>  
> +static inline void o2nm_lock_subsystem(void);
> +static inline void o2nm_unlock_subsystem(void);
> +
>  struct o2nm_node *o2nm_get_node_by_num(u8 node_num)
>  {
>   struct o2nm_node *node = NULL;
> @@ -182,7 +185,10 @@ static struct o2nm_cluster *to_o2nm_cluster_from_node(struct o2nm_node *node)
>  {
>   /* through the first node_set .parent
>   * mycluster/nodes/mynode == o2nm_cluster->o2nm_node_group->o2nm_node */
> - return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);
> + if (node->nd_item.ci_parent)
> + return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);
> + else
> + return NULL;
>  }
>  
>  enum {
> @@ -195,7 +201,7 @@ enum {
>  static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page,
>     size_t count)
>  {
> - struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
> + struct o2nm_cluster *cluster;
>   unsigned long tmp;
>   char *p = (char *)page;
>  
> @@ -214,6 +220,13 @@ static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page,
>      !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))
>   return -EINVAL; /* XXX */
>  
> + o2nm_lock_subsystem();
> + cluster = to_o2nm_cluster_from_node(node);
> + if (!cluster) {
> + o2nm_unlock_subsystem();
> + return -EINVAL;
> + }
> +
>   write_lock(&cluster->cl_nodes_lock);
>   if (cluster->cl_nodes[tmp])
>   p = NULL;
> @@ -223,6 +236,8 @@ static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page,
>   set_bit(tmp, cluster->cl_nodes_bitmap);
>   }
>   write_unlock(&cluster->cl_nodes_lock);
> + o2nm_unlock_subsystem();
> +
>   if (p == NULL)
>   return -EEXIST;
>  
> @@ -262,7 +277,7 @@ static ssize_t o2nm_node_ipv4_address_write(struct o2nm_node *node,
>      const char *page,
>      size_t count)
>  {
> - struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
> + struct o2nm_cluster *cluster;
>   int ret, i;
>   struct rb_node **p, *parent;
>   unsigned int octets[4];
> @@ -279,6 +294,13 @@ static ssize_t o2nm_node_ipv4_address_write(struct o2nm_node *node,
>   be32_add_cpu(&ipv4_addr, octets[i] << (i * 8));
>   }
>  
> + o2nm_lock_subsystem();
> + cluster = to_o2nm_cluster_from_node(node);
> + if (!cluster) {
> + o2nm_unlock_subsystem();
> + return -EINVAL;
> + }
> +
>   ret = 0;
>   write_lock(&cluster->cl_nodes_lock);
>   if (o2nm_node_ip_tree_lookup(cluster, ipv4_addr, &p, &parent))
> @@ -288,6 +310,8 @@ static ssize_t o2nm_node_ipv4_address_write(struct o2nm_node *node,
>   rb_insert_color(&node->nd_ip_node, &cluster->cl_node_ip_tree);
>   }
>   write_unlock(&cluster->cl_nodes_lock);
> + o2nm_unlock_subsystem();
> +
>   if (ret)
>   return ret;
>  
> @@ -304,7 +328,7 @@ static ssize_t o2nm_node_local_read(struct o2nm_node *node, char *page)
>  static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page,
>       size_t count)
>  {
> - struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
> + struct o2nm_cluster *cluster;
>   unsigned long tmp;
>   char *p = (char *)page;
>   ssize_t ret;
> @@ -322,17 +346,26 @@ static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page,
>      !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))
>   return -EINVAL; /* XXX */
>  
> + o2nm_lock_subsystem();
> + cluster = to_o2nm_cluster_from_node(node);
> + if (!cluster) {
> + ret = -EINVAL;
> + goto out;
> + }
> +
>   /* the only failure case is trying to set a new local node
>   * when a different one is already set */
>   if (tmp && tmp == cluster->cl_has_local &&
> -    cluster->cl_local_node != node->nd_num)
> - return -EBUSY;
> +    cluster->cl_local_node != node->nd_num) {
> + ret = -EBUSY;
> + goto out;
> + }
>  
>   /* bring up the rx thread if we're setting the new local node. */
>   if (tmp && !cluster->cl_has_local) {
>   ret = o2net_start_listening(node);
>   if (ret)
> - return ret;
> + goto out;
>   }
>  
>   if (!tmp && cluster->cl_has_local &&
> @@ -347,7 +380,11 @@ static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page,
>   cluster->cl_local_node = node->nd_num;
>   }
>  
> - return count;
> + ret = count;
> +
> +out:
> + o2nm_unlock_subsystem();
> + return ret;
>  }
>  
>  struct o2nm_node_attribute {
> @@ -890,6 +927,16 @@ static struct o2nm_cluster_group o2nm_cluster_group = {
>   },
>  };
>  
> +static inline void o2nm_lock_subsystem(void)
> +{
> + mutex_lock(&o2nm_cluster_group.cs_subsys.su_mutex);
> +}
> +
> +static inline void o2nm_unlock_subsystem(void)
> +{
> + mutex_unlock(&o2nm_cluster_group.cs_subsys.su_mutex);
> +}
> +
>  int o2nm_depend_item(struct config_item *item)
>  {
>   return configfs_depend_item(&o2nm_cluster_group.cs_subsys, item);
>


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

signature.asc (836 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

ACK: [PATCH 1/1] ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent

Kleber Souza
In reply to this post by Tyler Hicks-2
On 09/14/18 20:54, Tyler Hicks wrote:

> From: alex chen <[hidden email]>
>
> The subsystem.su_mutex is required while accessing the item->ci_parent,
> otherwise, NULL pointer dereference to the item->ci_parent will be
> triggered in the following situation:
>
> add node                     delete node
> sys_write
>  vfs_write
>   configfs_write_file
>    o2nm_node_store
>     o2nm_node_local_write
>                              do_rmdir
>                               vfs_rmdir
>                                configfs_rmdir
>                                 mutex_lock(&subsys->su_mutex);
>                                 unlink_obj
>                                  item->ci_group = NULL;
>                                  item->ci_parent = NULL;
> to_o2nm_cluster_from_node
>  node->nd_item.ci_parent->ci_parent
>  BUG since of NULL pointer dereference to nd_item.ci_parent
>
> Moreover, the o2nm_cluster also should be protected by the
> subsystem.su_mutex.
>
> [[hidden email]: v2]
>   Link: http://lkml.kernel.org/r/59EEAA69.9080703@...
> Link: http://lkml.kernel.org/r/59E9B36A.10700@...
> Signed-off-by: Alex Chen <[hidden email]>
> Reviewed-by: Jun Piao <[hidden email]>
> Reviewed-by: Joseph Qi <[hidden email]>
> Cc: Mark Fasheh <[hidden email]>
> Cc: Joel Becker <[hidden email]>
> Cc: Junxiao Bi <[hidden email]>
> Signed-off-by: Andrew Morton <[hidden email]>
> Signed-off-by: Linus Torvalds <[hidden email]>
>
> CVE-2017-18216
>
> (backported from commit 853bc26a7ea39e354b9f8889ae7ad1492ffa28d2)
> Signed-off-by: Tyler Hicks <[hidden email]>

Acked-by: Kleber Sacilotto de Souza <[hidden email]>

> ---
>  fs/ocfs2/cluster/nodemanager.c | 63 ++++++++++++++++++++++++++++++++++++------
>  1 file changed, 55 insertions(+), 8 deletions(-)
>
> diff --git a/fs/ocfs2/cluster/nodemanager.c b/fs/ocfs2/cluster/nodemanager.c
> index bb240647ca5f..c76302a51aed 100644
> --- a/fs/ocfs2/cluster/nodemanager.c
> +++ b/fs/ocfs2/cluster/nodemanager.c
> @@ -41,6 +41,9 @@ char *o2nm_fence_method_desc[O2NM_FENCE_METHODS] = {
>   "panic", /* O2NM_FENCE_PANIC */
>  };
>  
> +static inline void o2nm_lock_subsystem(void);
> +static inline void o2nm_unlock_subsystem(void);
> +
>  struct o2nm_node *o2nm_get_node_by_num(u8 node_num)
>  {
>   struct o2nm_node *node = NULL;
> @@ -182,7 +185,10 @@ static struct o2nm_cluster *to_o2nm_cluster_from_node(struct o2nm_node *node)
>  {
>   /* through the first node_set .parent
>   * mycluster/nodes/mynode == o2nm_cluster->o2nm_node_group->o2nm_node */
> - return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);
> + if (node->nd_item.ci_parent)
> + return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);
> + else
> + return NULL;
>  }
>  
>  enum {
> @@ -195,7 +201,7 @@ enum {
>  static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page,
>     size_t count)
>  {
> - struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
> + struct o2nm_cluster *cluster;
>   unsigned long tmp;
>   char *p = (char *)page;
>  
> @@ -214,6 +220,13 @@ static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page,
>      !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))
>   return -EINVAL; /* XXX */
>  
> + o2nm_lock_subsystem();
> + cluster = to_o2nm_cluster_from_node(node);
> + if (!cluster) {
> + o2nm_unlock_subsystem();
> + return -EINVAL;
> + }
> +
>   write_lock(&cluster->cl_nodes_lock);
>   if (cluster->cl_nodes[tmp])
>   p = NULL;
> @@ -223,6 +236,8 @@ static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page,
>   set_bit(tmp, cluster->cl_nodes_bitmap);
>   }
>   write_unlock(&cluster->cl_nodes_lock);
> + o2nm_unlock_subsystem();
> +
>   if (p == NULL)
>   return -EEXIST;
>  
> @@ -262,7 +277,7 @@ static ssize_t o2nm_node_ipv4_address_write(struct o2nm_node *node,
>      const char *page,
>      size_t count)
>  {
> - struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
> + struct o2nm_cluster *cluster;
>   int ret, i;
>   struct rb_node **p, *parent;
>   unsigned int octets[4];
> @@ -279,6 +294,13 @@ static ssize_t o2nm_node_ipv4_address_write(struct o2nm_node *node,
>   be32_add_cpu(&ipv4_addr, octets[i] << (i * 8));
>   }
>  
> + o2nm_lock_subsystem();
> + cluster = to_o2nm_cluster_from_node(node);
> + if (!cluster) {
> + o2nm_unlock_subsystem();
> + return -EINVAL;
> + }
> +
>   ret = 0;
>   write_lock(&cluster->cl_nodes_lock);
>   if (o2nm_node_ip_tree_lookup(cluster, ipv4_addr, &p, &parent))
> @@ -288,6 +310,8 @@ static ssize_t o2nm_node_ipv4_address_write(struct o2nm_node *node,
>   rb_insert_color(&node->nd_ip_node, &cluster->cl_node_ip_tree);
>   }
>   write_unlock(&cluster->cl_nodes_lock);
> + o2nm_unlock_subsystem();
> +
>   if (ret)
>   return ret;
>  
> @@ -304,7 +328,7 @@ static ssize_t o2nm_node_local_read(struct o2nm_node *node, char *page)
>  static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page,
>       size_t count)
>  {
> - struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
> + struct o2nm_cluster *cluster;
>   unsigned long tmp;
>   char *p = (char *)page;
>   ssize_t ret;
> @@ -322,17 +346,26 @@ static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page,
>      !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))
>   return -EINVAL; /* XXX */
>  
> + o2nm_lock_subsystem();
> + cluster = to_o2nm_cluster_from_node(node);
> + if (!cluster) {
> + ret = -EINVAL;
> + goto out;
> + }
> +
>   /* the only failure case is trying to set a new local node
>   * when a different one is already set */
>   if (tmp && tmp == cluster->cl_has_local &&
> -    cluster->cl_local_node != node->nd_num)
> - return -EBUSY;
> +    cluster->cl_local_node != node->nd_num) {
> + ret = -EBUSY;
> + goto out;
> + }
>  
>   /* bring up the rx thread if we're setting the new local node. */
>   if (tmp && !cluster->cl_has_local) {
>   ret = o2net_start_listening(node);
>   if (ret)
> - return ret;
> + goto out;
>   }
>  
>   if (!tmp && cluster->cl_has_local &&
> @@ -347,7 +380,11 @@ static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page,
>   cluster->cl_local_node = node->nd_num;
>   }
>  
> - return count;
> + ret = count;
> +
> +out:
> + o2nm_unlock_subsystem();
> + return ret;
>  }
>  
>  struct o2nm_node_attribute {
> @@ -890,6 +927,16 @@ static struct o2nm_cluster_group o2nm_cluster_group = {
>   },
>  };
>  
> +static inline void o2nm_lock_subsystem(void)
> +{
> + mutex_lock(&o2nm_cluster_group.cs_subsys.su_mutex);
> +}
> +
> +static inline void o2nm_unlock_subsystem(void)
> +{
> + mutex_unlock(&o2nm_cluster_group.cs_subsys.su_mutex);
> +}
> +
>  int o2nm_depend_item(struct config_item *item)
>  {
>   return configfs_depend_item(&o2nm_cluster_group.cs_subsys, item);
>


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

APPLIED: [PATCH 0/1][T] CVE-2017-18216 - DoS in ocfs2

Stefan Bader-2
In reply to this post by Tyler Hicks-2
On 14.09.2018 20:54, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18216.html
>
>  In fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, local
>  users can cause a denial of service (NULL pointer dereference and BUG)
>  because a required mutex is not used.
>
> Tyler
>
>
Applied to trusty/master-next. Thanks.

-Stefan


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

signature.asc (836 bytes) Download Attachment