autofs-5.1.7 - fix inconsistent locking in parse_mount()

From: Ian Kent <raven@themaw.net>

Some map entry cache locking inconsistencies have crept in.

In parse_mount() of the sun format parser the cache read lock is too

heavily used and has too broad a scope. This has lead to some operations

that should hold the write lock being called with only the read lock.

Signed-off-by: Ian Kent <raven@themaw.net>

---

 CHANGELOG           |    1 

 lib/mounts.c        |    9 +++++++-

 modules/parse_sun.c |   53 ++++++++++++++++++++++++++++++++--------------------

 3 files changed, 42 insertions(+), 21 deletions(-)

--- autofs-5.1.4.orig/CHANGELOG

+++ autofs-5.1.4/CHANGELOG

@@ -17,6 +17,7 @@

 - fix inconsistent locking in umount_subtree_mounts().

 - fix return from umount_subtree_mounts() on offset list delete.

 - pass mapent_cache to update_offset_entry().

+- fix inconsistent locking in parse_mount().

 xx/xx/2018 autofs-5.1.5

 - fix flag file permission.

--- autofs-5.1.4.orig/lib/mounts.c

+++ autofs-5.1.4/lib/mounts.c

@@ -2485,6 +2485,12 @@ static int do_mount_autofs_offset(struct

 		else {

 			debug(ap->logopt, "ignoring \"nohide\" trigger %s",

 			      oe->key);

+			/*

+			 * Ok, so we shouldn't modify the mapent but

+			 * mount requests are blocked at a point above

+			 * this and expire only uses the mapent key or

+			 * holds the cache write lock.

+			 */

 			free(oe->mapent);

 			oe->mapent = NULL;

 		}

@@ -2628,7 +2634,8 @@ static int do_umount_offset(struct autof

 			/*

 			 * Ok, so we shouldn't modify the mapent but

 			 * mount requests are blocked at a point above

-			 * this and expire only uses the mapent key.

+			 * this and expire only uses the mapent key or

+			 * holds the cache write lock.

 			 */

 			if (oe->mapent) {

 				free(oe->mapent);

--- autofs-5.1.4.orig/modules/parse_sun.c

+++ autofs-5.1.4/modules/parse_sun.c

@@ -853,10 +853,12 @@ update_offset_entry(struct autofs_point

 			strcpy(m_mapent, loc);

 	}

+	cache_writelock(mc);

 	ret = cache_update_offset(mc, name, m_key, m_mapent, age);

 	if (!cache_set_offset_parent(mc, m_key))

 		error(ap->logopt, "failed to set offset parent");

+	cache_unlock(mc);

 	if (ret == CHE_DUPLICATE) {

 		warn(ap->logopt, MODPREFIX

@@ -1130,14 +1132,22 @@ static void cleanup_multi_triggers(struc

 	return;

 }

-static int mount_subtree(struct autofs_point *ap, struct mapent *me,

+static int mount_subtree(struct autofs_point *ap, struct mapent_cache *mc,

 			 const char *name, char *loc, char *options, void *ctxt)

 {

+	struct mapent *me;

 	struct mapent *ro;

 	char *mm_root, *mm_base, *mm_key;

 	unsigned int mm_root_len;

 	int start, ret = 0, rv;

+	cache_readlock(mc);

+	me = cache_lookup_distinct(mc, name);

+	if (!me) {

+		cache_unlock(mc);

+		return 0;

+	}

+

 	rv = 0;

 	mm_key = me->multi->key;

@@ -1182,9 +1192,12 @@ static int mount_subtree(struct autofs_p

 			rv = parse_mapent(ro->mapent,

 				options, &myoptions, &ro_loc, ap->logopt);

 			if (!rv) {

+				cache_unlock(mc);

 				warn(ap->logopt,

 				      MODPREFIX "failed to parse root offset");

-				cache_delete_offset_list(me->mc, name);

+				cache_writelock(mc);

+				cache_delete_offset_list(mc, name);

+				cache_unlock(mc);

 				return 1;

 			}

 			ro_len = 0;

@@ -1201,9 +1214,10 @@ static int mount_subtree(struct autofs_p

 		if ((ro && rv == 0) || rv <= 0) {

 			ret = mount_multi_triggers(ap, me, mm_root, start, mm_base);

 			if (ret == -1) {

+				cleanup_multi_triggers(ap, me, mm_root, start, mm_base);

+				cache_unlock(mc);

 				error(ap->logopt, MODPREFIX

 					 "failed to mount offset triggers");

-				cleanup_multi_triggers(ap, me, mm_root, start, mm_base);

 				return 1;

 			}

 		}

@@ -1219,9 +1233,10 @@ static int mount_subtree(struct autofs_p

 		if (rv == 0) {

 			ret = mount_multi_triggers(ap, me->multi, name, start, mm_base);

 			if (ret == -1) {

+				cleanup_multi_triggers(ap, me, name, start, mm_base);

+				cache_unlock(mc);

 				error(ap->logopt, MODPREFIX

 					 "failed to mount offset triggers");

-				cleanup_multi_triggers(ap, me, name, start, mm_base);

 				return 1;

 			}

 		} else if (rv < 0) {

@@ -1229,8 +1244,11 @@ static int mount_subtree(struct autofs_p

 			unsigned int mm_root_base_len = mm_root_len + strlen(mm_base) + 1;

 			if (mm_root_base_len > PATH_MAX) {

+				cache_unlock(mc);

 				warn(ap->logopt, MODPREFIX "path too long");

-				cache_delete_offset_list(me->mc, name);

+				cache_writelock(mc);

+				cache_delete_offset_list(mc, name);

+				cache_unlock(mc);

 				return 1;

 			}

@@ -1239,13 +1257,15 @@ static int mount_subtree(struct autofs_p

 			ret = mount_multi_triggers(ap, me->multi, mm_root_base, start, mm_base);

 			if (ret == -1) {

+				cleanup_multi_triggers(ap, me, mm_root, start, mm_base);

+				cache_unlock(mc);

 				error(ap->logopt, MODPREFIX

 					 "failed to mount offset triggers");

-				cleanup_multi_triggers(ap, me, mm_root, start, mm_base);

 				return 1;

 			}

 		}

 	}

+	cache_unlock(mc);

 	/* Mount for base of tree failed */

 	if (rv > 0)

@@ -1486,7 +1506,6 @@ dont_expand:

 			return 1;

 		}

-		cache_multi_writelock(me);

 		/* So we know we're the multi-mount root */

 		if (!me->multi)

 			me->multi = me;

@@ -1511,14 +1530,13 @@ dont_expand:

 			if (source->flags & MAP_FLAG_FORMAT_AMD) {

 				free(options);

 				free(pmapent);

-				cache_multi_unlock(me);

 				cache_unlock(mc);

 				pthread_setcancelstate(cur_state, NULL);

 				return 0;

 			}

 		}

-

 		age = me->age;

+		cache_unlock(mc);

 		/* It's a multi-mount; deal with it */

 		do {

@@ -1539,8 +1557,8 @@ dont_expand:

 			if (!path) {

 				warn(ap->logopt, MODPREFIX "null path or out of memory");

+				cache_writelock(mc);

 				cache_delete_offset_list(mc, name);

-				cache_multi_unlock(me);

 				cache_unlock(mc);

 				free(options);

 				free(pmapent);

@@ -1556,8 +1574,8 @@ dont_expand:

 			l = parse_mapent(p, options, &myoptions, &loc, ap->logopt);

 			if (!l) {

+				cache_writelock(mc);

 				cache_delete_offset_list(mc, name);

-				cache_multi_unlock(me);

 				cache_unlock(mc);

 				free(path);

 				free(options);

@@ -1575,8 +1593,8 @@ dont_expand:

 			if (status != CHE_OK) {

 				warn(ap->logopt, MODPREFIX "error adding multi-mount");

+				cache_writelock(mc);

 				cache_delete_offset_list(mc, name);

-				cache_multi_unlock(me);

 				cache_unlock(mc);

 				free(path);

 				free(options);

@@ -1594,10 +1612,7 @@ dont_expand:

 			free(myoptions);

 		} while (*p == '/' || (*p == '"' && *(p + 1) == '/'));

-		rv = mount_subtree(ap, me, name, NULL, options, ctxt);

-

-		cache_multi_unlock(me);

-		cache_unlock(mc);

+		rv = mount_subtree(ap, mc, name, NULL, options, ctxt);

 		free(options);

 		free(pmapent);

@@ -1618,6 +1633,7 @@ dont_expand:

 		cache_readlock(mc);

 		if (*name == '/' &&

 		   (me = cache_lookup_distinct(mc, name)) && me->multi) {

+			cache_unlock(mc);

 			loc = strdup(p);

 			if (!loc) {

 				free(options);

@@ -1626,10 +1642,7 @@ dont_expand:

 				warn(ap->logopt, MODPREFIX "out of memory");

 				return 1;

 			}

-			cache_multi_writelock(me);

-			rv = mount_subtree(ap, me, name, loc, options, ctxt);

-			cache_multi_unlock(me);

-			cache_unlock(mc);

+			rv = mount_subtree(ap, mc, name, loc, options, ctxt);

 			free(loc);

 			free(options);

 			free(pmapent);