Commit b4dc44b3 authored by Dominique Martinet's avatar Dominique Martinet
Browse files

9p locks: fix glock.client_id leak in do_lock 

the 9p client code overwrites our glock.client_id pointing to a static
buffer by an allocated string holding the network provided value which
we do not care about; free and reset the value as appropriate.

This is almost identical to the leak in v9fs_file_getlock() fixed by
Al Viro in commit ce85dd58 ("9p: we are leaking glock.client_id
in v9fs_file_getlock()"), which was returned as an error by a coverity
false positive -- while we are here attempt to make the code slightly
more robust to future change of the net/9p/client code and hopefully
more clear to coverity that there is no problem.

Link: http://lkml.kernel.org/r/1536339057-21974-5-git-send-email-asmadeus@codewreck.org


Signed-off-by: default avatarDominique Martinet <dominique.martinet@cea.fr>
parent ef5305f1

fs/9p/vfs_file.c

+14 −2
Original line number Diff line number Diff line
@@ -208,6 +208,14 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl) 
		if (schedule_timeout_interruptible(v9ses->session_lock_timeout)

				!= 0)

			break;

		/*

		 * p9_client_lock_dotl overwrites flock.client_id with the

		 * server message, free and reuse the client name

		 */

		if (flock.client_id != fid->clnt->name) {

			kfree(flock.client_id);

			flock.client_id = fid->clnt->name;

		}

	}



	/* map 9p status to VFS status */
@@ -239,6 +247,8 @@ out_unlock: 
		locks_lock_file_wait(filp, fl);

		fl->fl_type = fl_type;

	}

	if (flock.client_id != fid->clnt->name)

		kfree(flock.client_id);

out:

	return res;

}
@@ -273,7 +283,7 @@ static int v9fs_file_getlock(struct file *filp, struct file_lock *fl) 


	res = p9_client_getlock_dotl(fid, &glock);

	if (res < 0)

		return res;

		goto out;

	/* map 9p lock type to os lock type */

	switch (glock.type) {

	case P9_LOCK_TYPE_RDLCK:
@@ -294,6 +304,8 @@ static int v9fs_file_getlock(struct file *filp, struct file_lock *fl) 
			fl->fl_end = glock.start + glock.length - 1;

		fl->fl_pid = -glock.proc_id;

	}

out:

	if (glock.client_id != fid->clnt->name)

		kfree(glock.client_id);

	return res;

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE