From patchwork Tue Jul  2 08:58:31 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Xue jiufei <xuejiufei@huawei.com>
X-Patchwork-Id: 2811221
Return-Path: <ocfs2-devel-bounces@oss.oracle.com>
X-Original-To: patchwork-ocfs2-devel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id C96379F755
	for <patchwork-ocfs2-devel@patchwork.kernel.org>;
	Tue,  2 Jul 2013 09:04:57 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 31D4220154
	for <patchwork-ocfs2-devel@patchwork.kernel.org>;
	Tue,  2 Jul 2013 09:04:56 +0000 (UTC)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id D32DA2014A
	for <patchwork-ocfs2-devel@patchwork.kernel.org>;
	Tue,  2 Jul 2013 09:04:54 +0000 (UTC)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237])
	by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1)
	with ESMTP id r628vv5D007810
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
	Tue, 2 Jul 2013 08:57:58 GMT
Received: from oss.oracle.com (oss-external.oracle.com [137.254.96.51])
	by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
	r6294D2l022992
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Tue, 2 Jul 2013 09:04:13 GMT
Received: from localhost ([127.0.0.1] helo=oss.oracle.com)
	by oss.oracle.com with esmtp (Exim 4.63)
	(envelope-from <ocfs2-devel-bounces@oss.oracle.com>)
	id 1UtwVR-0007W9-6U; Tue, 02 Jul 2013 02:04:13 -0700
Received: from ucsinet22.oracle.com ([156.151.31.94])
	by oss.oracle.com with esmtp (Exim 4.63)
	(envelope-from <xuejiufei@huawei.com>) id 1UtwVB-0007Su-FF
	for ocfs2-devel@oss.oracle.com; Tue, 02 Jul 2013 02:03:57 -0700
Received: from userp1030.oracle.com (userp1030.oracle.com [156.151.31.80])
	by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
	r6293uQD000206
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <ocfs2-devel@oss.oracle.com>; Tue, 2 Jul 2013 09:03:57 GMT
Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [119.145.14.66])
	by userp1030.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1)
	with ESMTP id r6291FDt029980
	(version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=FAIL)
	for <ocfs2-devel@oss.oracle.com>; Tue, 2 Jul 2013 09:01:20 GMT
Received: from 172.24.2.119 (EHLO szxeml212-edg.china.huawei.com)
	([172.24.2.119])
	by szxrg03-dlp.huawei.com (MOS 4.4.2a-FCS FastPath queued)
	with ESMTP id ABM48557; Tue, 02 Jul 2013 16:59:07 +0800 (CST)
Received: from SZXEML406-HUB.china.huawei.com (10.82.67.93) by
	szxeml212-edg.china.huawei.com (172.24.2.181) with Microsoft SMTP
	Server (TLS) id 14.1.323.7; Tue, 2 Jul 2013 16:59:05 +0800
Received: from [127.0.0.1] (10.135.72.87) by szxeml406-hub.china.huawei.com
	(10.82.67.93) with Microsoft SMTP Server id 14.1.323.7;
	Tue, 2 Jul 2013 16:58:56 +0800
Message-ID: <51D29637.9050403@huawei.com>
Date: Tue, 2 Jul 2013 16:58:31 +0800
From: Xue jiufei <xuejiufei@huawei.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1;
	rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Andrew Morton <akpm@linux-foundation.org>
X-Originating-IP: [10.135.72.87]
X-CFilter-Loop: Reflected
X-Flow-Control-Info: class=Pass-to-MM reputation=ipRisk-All ip=119.145.14.66
	ct-class=T1 ct-vol1=0 ct-vol2=5 ct-vol3=5 ct-risk=40
	ct-spam1=39 ct-spam2=0 ct-bulk=91 rcpts=1 size=2218
X-Sendmail-CM-Score: 0.00%
X-Sendmail-CM-Analysis: v=2.1 cv=XsLDZz19 c=1 sm=1 tr=0
	a=eEmLgr2igB2wGjJK32aQww==:117 a=eEmLgr2igB2wGjJK32aQww==:17
	a=7dTNpnL_XZEA:10 a=je8okafH2F8A:10 a=RdP8FBDOW-cA:10
	a=O9dq5j03pVQA:10 a=-6GgXGw8a1AA:10 a=8nJEP1OIZ-IA:10
	a=i0EeH86SAAAA:8 a=Y5xoyRfwyzoA:10 a
	=47d9hveQ9XfPYdNFQlQA:9 a=wPNLvfGTeEIA:10 a=hPjdaMEvmhQA:10
X-Sendmail-CT-Classification: not spam
X-Sendmail-CT-RefID: str=0001.0A090207.51D2977C.00DE:SCFSTAT1612107, ss=1,
	re=-4.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0
Cc: Mark Fasheh <mfasheh@suse.com>, jiangyiwen@huawei.com,
	ocfs2-devel@oss.oracle.com
Subject: [Ocfs2-devel] [PATCH] ocfs2: Fix NULL pointer dereference when
	tranverse o2hb_all_regions
X-BeenThere: ocfs2-devel@oss.oracle.com
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: xuejiufei@huawei.com
List-Id: <ocfs2-devel.oss.oracle.com>
List-Unsubscribe: <https://oss.oracle.com/mailman/listinfo/ocfs2-devel>,
	<mailto:ocfs2-devel-request@oss.oracle.com?subject=unsubscribe>
List-Archive: <http://oss.oracle.com/pipermail/ocfs2-devel>
List-Post: <mailto:ocfs2-devel@oss.oracle.com>
List-Help: <mailto:ocfs2-devel-request@oss.oracle.com?subject=help>
List-Subscribe: <https://oss.oracle.com/mailman/listinfo/ocfs2-devel>,
	<mailto:ocfs2-devel-request@oss.oracle.com?subject=subscribe>
Sender: ocfs2-devel-bounces@oss.oracle.com
Errors-To: ocfs2-devel-bounces@oss.oracle.com
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED,
	RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

There may exist NULL pointer dereference in config_item_name() when
one volume(say Volume A) unmounts while another(say Volume B) mounting.

     Volume A                          Volume B
already Mounted.
Unmounting, call
o2hb_heartbeat_group_drop_item()
  -> config_item_put(item)
  set reg(A)->item.ci_name to NULL
  in function config_item_cleanup().
                                    begin mounting, call
                                    o2hb_region_pin() and tranverse all
                                    regions. When reading 
                                    reg(A)->item.ci_name, it causes
                                    NULL pointer dereference.
call o2hb_region_release() and
del reg(A) from list.

So we should skip accessing regions that is going to release when
tranverse o2hb_all_regions.

Signed-off-by: Yiwen Jiang <jiangyiwen@huawei.com>
Signed-off-by: joyce <xuejiufei@huawei.com>
Acked-by: Joel Becker <jlbec@evilplan.org>
---
 fs/ocfs2/cluster/heartbeat.c |    9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/fs/ocfs2/cluster/heartbeat.c b/fs/ocfs2/cluster/heartbeat.c
index 42252bf..aeafe10 100644
--- a/fs/ocfs2/cluster/heartbeat.c
+++ b/fs/ocfs2/cluster/heartbeat.c
@@ -2389,6 +2389,9 @@ static int o2hb_region_pin(const char *region_uuid)
 	assert_spin_locked(&o2hb_live_lock);
 
 	list_for_each_entry(reg, &o2hb_all_regions, hr_all_item) {
+		if (reg->hr_item_dropped)
+			continue;
+
 		uuid = config_item_name(&reg->hr_item);
 
 		/* local heartbeat */
@@ -2439,6 +2442,9 @@ static void o2hb_region_unpin(const char *region_uuid)
 	assert_spin_locked(&o2hb_live_lock);
 
 	list_for_each_entry(reg, &o2hb_all_regions, hr_all_item) {
+		if (reg->hr_item_dropped)
+			continue;
+
 		uuid = config_item_name(&reg->hr_item);
 		if (region_uuid) {
 			if (strcmp(region_uuid, uuid))
@@ -2654,6 +2660,9 @@ int o2hb_get_all_regions(char *region_uuids, u8 max_regions)
 
 	p = region_uuids;
 	list_for_each_entry(reg, &o2hb_all_regions, hr_all_item) {
+		if (reg->hr_item_dropped)
+			continue;
+
 		mlog(0, "Region: %s\n", config_item_name(&reg->hr_item));
 		if (numregs < max_regions) {
 			memcpy(p, config_item_name(&reg->hr_item),