author: Manfred Spraul <manfred@colorfullife.com> 2013-10-16 13:46:45 -0700
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-12-04 10:56:12 -0800
commit: 873be93b1af2d62b6541b053f99a46771f5d9234 (patch)
tree: 7597ef1d8e7aa5d822405dfe7a5ee8a5d3a9f64e /ipc/shm.c
parent: 3f47cff85a8737780a5eba628cae112cd07496de (diff)

ipc/sem.c: synchronize semop and semctl with IPC_RMID

commit 6e224f94597842c5eb17f1fc2208d20b6f7f7d49 upstream.

After acquiring the semlock spinlock, operations must test that the array
is still valid.

 - semctl() and exit_sem() would walk stale linked lists (ugly, but
   should be ok: all lists are empty)

 - semtimedop() would sleep forever - and if woken up due to a signal -
   access memory after free.

The patch also:

 - standardizes the tests for .deleted, so that all tests in one
   function leave the function with the same approach.

 - unconditionally tests for .deleted immediately after every call to
   sem_lock - even if it means that for semctl(GETALL), .deleted will be
   tested twice.

Both changes make the review simpler: After every sem_lock, there must
be a test of .deleted, followed by a goto to the cleanup code (if the
function uses "goto cleanup").

The only exception is semctl_down(): If sem_ids().rwsem is locked, then
the presence in ids->ipcs_idr is equivalent to !.deleted, thus no
additional test is required.

Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
Cc: Mike Galbraith <efault@gmx.de>
Acked-by: Davidlohr Bueso <davidlohr@hp.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'ipc/shm.c')
0 files changed, 0 insertions, 0 deletions