diff options
author | Manfred Spraul <manfred@colorfullife.com> | 2013-10-16 16:46:45 -0400 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-12-04 13:56:12 -0500 |
commit | 873be93b1af2d62b6541b053f99a46771f5d9234 (patch) | |
tree | 7597ef1d8e7aa5d822405dfe7a5ee8a5d3a9f64e | |
parent | 3f47cff85a8737780a5eba628cae112cd07496de (diff) |
ipc/sem.c: synchronize semop and semctl with IPC_RMID
commit 6e224f94597842c5eb17f1fc2208d20b6f7f7d49 upstream.
After acquiring the semlock spinlock, operations must test that the
array is still valid.
- semctl() and exit_sem() would walk stale linked lists (ugly, but
should be ok: all lists are empty)
- semtimedop() would sleep forever - and if woken up due to a signal -
access memory after free.
The patch also:
- standardizes the tests for .deleted, so that all tests in one
function leave the function with the same approach.
- unconditionally tests for .deleted immediately after every call to
sem_lock - even it it means that for semctl(GETALL), .deleted will be
tested twice.
Both changes make the review simpler: After every sem_lock, there must
be a test of .deleted, followed by a goto to the cleanup code (if the
function uses "goto cleanup").
The only exception is semctl_down(): If sem_ids().rwsem is locked, then
the presence in ids->ipcs_idr is equivalent to !.deleted, thus no
additional test is required.
Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
Cc: Mike Galbraith <efault@gmx.de>
Acked-by: Davidlohr Bueso <davidlohr@hp.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | ipc/sem.c | 42 |
1 files changed, 29 insertions, 13 deletions
@@ -1282,6 +1282,12 @@ static int semctl_setval(struct ipc_namespace *ns, int semid, int semnum, | |||
1282 | 1282 | ||
1283 | sem_lock(sma, NULL, -1); | 1283 | sem_lock(sma, NULL, -1); |
1284 | 1284 | ||
1285 | if (sma->sem_perm.deleted) { | ||
1286 | sem_unlock(sma, -1); | ||
1287 | rcu_read_unlock(); | ||
1288 | return -EIDRM; | ||
1289 | } | ||
1290 | |||
1285 | curr = &sma->sem_base[semnum]; | 1291 | curr = &sma->sem_base[semnum]; |
1286 | 1292 | ||
1287 | ipc_assert_locked_object(&sma->sem_perm); | 1293 | ipc_assert_locked_object(&sma->sem_perm); |
@@ -1336,12 +1342,14 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, | |||
1336 | int i; | 1342 | int i; |
1337 | 1343 | ||
1338 | sem_lock(sma, NULL, -1); | 1344 | sem_lock(sma, NULL, -1); |
1345 | if (sma->sem_perm.deleted) { | ||
1346 | err = -EIDRM; | ||
1347 | goto out_unlock; | ||
1348 | } | ||
1339 | if(nsems > SEMMSL_FAST) { | 1349 | if(nsems > SEMMSL_FAST) { |
1340 | if (!ipc_rcu_getref(sma)) { | 1350 | if (!ipc_rcu_getref(sma)) { |
1341 | sem_unlock(sma, -1); | ||
1342 | rcu_read_unlock(); | ||
1343 | err = -EIDRM; | 1351 | err = -EIDRM; |
1344 | goto out_free; | 1352 | goto out_unlock; |
1345 | } | 1353 | } |
1346 | sem_unlock(sma, -1); | 1354 | sem_unlock(sma, -1); |
1347 | rcu_read_unlock(); | 1355 | rcu_read_unlock(); |
@@ -1354,10 +1362,8 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, | |||
1354 | rcu_read_lock(); | 1362 | rcu_read_lock(); |
1355 | sem_lock_and_putref(sma); | 1363 | sem_lock_and_putref(sma); |
1356 | if (sma->sem_perm.deleted) { | 1364 | if (sma->sem_perm.deleted) { |
1357 | sem_unlock(sma, -1); | ||
1358 | rcu_read_unlock(); | ||
1359 | err = -EIDRM; | 1365 | err = -EIDRM; |
1360 | goto out_free; | 1366 | goto out_unlock; |
1361 | } | 1367 | } |
1362 | } | 1368 | } |
1363 | for (i = 0; i < sma->sem_nsems; i++) | 1369 | for (i = 0; i < sma->sem_nsems; i++) |
@@ -1375,8 +1381,8 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, | |||
1375 | struct sem_undo *un; | 1381 | struct sem_undo *un; |
1376 | 1382 | ||
1377 | if (!ipc_rcu_getref(sma)) { | 1383 | if (!ipc_rcu_getref(sma)) { |
1378 | rcu_read_unlock(); | 1384 | err = -EIDRM; |
1379 | return -EIDRM; | 1385 | goto out_rcu_wakeup; |
1380 | } | 1386 | } |
1381 | rcu_read_unlock(); | 1387 | rcu_read_unlock(); |
1382 | 1388 | ||
@@ -1404,10 +1410,8 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, | |||
1404 | rcu_read_lock(); | 1410 | rcu_read_lock(); |
1405 | sem_lock_and_putref(sma); | 1411 | sem_lock_and_putref(sma); |
1406 | if (sma->sem_perm.deleted) { | 1412 | if (sma->sem_perm.deleted) { |
1407 | sem_unlock(sma, -1); | ||
1408 | rcu_read_unlock(); | ||
1409 | err = -EIDRM; | 1413 | err = -EIDRM; |
1410 | goto out_free; | 1414 | goto out_unlock; |
1411 | } | 1415 | } |
1412 | 1416 | ||
1413 | for (i = 0; i < nsems; i++) | 1417 | for (i = 0; i < nsems; i++) |
@@ -1431,6 +1435,10 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, | |||
1431 | goto out_rcu_wakeup; | 1435 | goto out_rcu_wakeup; |
1432 | 1436 | ||
1433 | sem_lock(sma, NULL, -1); | 1437 | sem_lock(sma, NULL, -1); |
1438 | if (sma->sem_perm.deleted) { | ||
1439 | err = -EIDRM; | ||
1440 | goto out_unlock; | ||
1441 | } | ||
1434 | curr = &sma->sem_base[semnum]; | 1442 | curr = &sma->sem_base[semnum]; |
1435 | 1443 | ||
1436 | switch (cmd) { | 1444 | switch (cmd) { |
@@ -1836,6 +1844,10 @@ SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops, | |||
1836 | if (error) | 1844 | if (error) |
1837 | goto out_rcu_wakeup; | 1845 | goto out_rcu_wakeup; |
1838 | 1846 | ||
1847 | error = -EIDRM; | ||
1848 | locknum = sem_lock(sma, sops, nsops); | ||
1849 | if (sma->sem_perm.deleted) | ||
1850 | goto out_unlock_free; | ||
1839 | /* | 1851 | /* |
1840 | * semid identifiers are not unique - find_alloc_undo may have | 1852 | * semid identifiers are not unique - find_alloc_undo may have |
1841 | * allocated an undo structure, it was invalidated by an RMID | 1853 | * allocated an undo structure, it was invalidated by an RMID |
@@ -1843,8 +1855,6 @@ SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops, | |||
1843 | * This case can be detected checking un->semid. The existence of | 1855 | * This case can be detected checking un->semid. The existence of |
1844 | * "un" itself is guaranteed by rcu. | 1856 | * "un" itself is guaranteed by rcu. |
1845 | */ | 1857 | */ |
1846 | error = -EIDRM; | ||
1847 | locknum = sem_lock(sma, sops, nsops); | ||
1848 | if (un && un->semid == -1) | 1858 | if (un && un->semid == -1) |
1849 | goto out_unlock_free; | 1859 | goto out_unlock_free; |
1850 | 1860 | ||
@@ -2057,6 +2067,12 @@ void exit_sem(struct task_struct *tsk) | |||
2057 | } | 2067 | } |
2058 | 2068 | ||
2059 | sem_lock(sma, NULL, -1); | 2069 | sem_lock(sma, NULL, -1); |
2070 | /* exit_sem raced with IPC_RMID, nothing to do */ | ||
2071 | if (sma->sem_perm.deleted) { | ||
2072 | sem_unlock(sma, -1); | ||
2073 | rcu_read_unlock(); | ||
2074 | continue; | ||
2075 | } | ||
2060 | un = __lookup_undo(ulp, semid); | 2076 | un = __lookup_undo(ulp, semid); |
2061 | if (un == NULL) { | 2077 | if (un == NULL) { |
2062 | /* exit_sem raced with IPC_RMID+semget() that created | 2078 | /* exit_sem raced with IPC_RMID+semget() that created |