    ipc/sem.c: synchronize semop and semctl with IPC_RMID · 873be93b
    Manfred Spraul authored
    commit 6e224f94597842c5eb17f1fc2208d20b6f7f7d49 upstream.
    
    After acquiring the semlock spinlock, operations must test that the
    array is still valid.
    
     - semctl() and exit_sem() would walk stale linked lists (ugly, but
       should be ok: all lists are empty)
    
     - semtimedop() would sleep forever - and if woken up due to a signal -
       access memory after free.
    
    The patch also:
     - standardizes the tests for .deleted, so that all tests in one
       function leave the function with the same approach.
     - unconditionally tests for .deleted immediately after every call to
       sem_lock - even if it means that for semctl(GETALL), .deleted will be
       tested twice.
    
    Both changes make the review simpler: After every sem_lock, there must
    be a test of .deleted, followed by a goto to the cleanup code (if the
    function uses "goto cleanup").
    
    The only exception is semctl_down(): If sem_ids().rwsem is locked, then
    the presence in ids->ipcs_idr is equivalent to !.deleted, thus no
    additional test is required.
    Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
    Cc: Mike Galbraith <efault@gmx.de>
    Acked-by: Davidlohr Bueso <davidlohr@hp.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
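Added example, not part of this commit or the kernel tree: a small C11 model of the rule the message states (every sem_lock is immediately followed by a test of .deleted and a goto to the cleanup path), so the lookup-then-RMID-then-lock race returns -EIDRM instead of touching a removed array. The names sem_array_model, semop_model, ipc_rmid_model and race_scenario are hypothetical, and a test-and-set spinlock stands in for the semlock.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>

/* Hypothetical stand-in for the kernel's semaphore array: only the fields
 * the check-after-lock rule needs (not the real struct sem_array). */
struct sem_array_model {
    atomic_flag lock;   /* stands in for the semlock spinlock */
    bool deleted;       /* set by IPC_RMID while holding the lock */
    int value;
};

static void sem_lock(struct sem_array_model *sma) {
    while (atomic_flag_test_and_set_explicit(&sma->lock, memory_order_acquire))
        ;   /* spin, like the real semlock */
}

static void sem_unlock(struct sem_array_model *sma) {
    atomic_flag_clear_explicit(&sma->lock, memory_order_release);
}

/* Models IPC_RMID: mark the array deleted under the lock. The kernel also
 * unlinks it from ids->ipcs_idr and frees it later; that part is omitted. */
int ipc_rmid_model(struct sem_array_model *sma) {
    sem_lock(sma);
    sma->deleted = true;
    sem_unlock(sma);
    return 0;
}

/* Models an operation written to the rule in the commit message: test
 * .deleted right after sem_lock, leave through one cleanup label. */
int semop_model(struct sem_array_model *sma, int delta) {
    int err = 0;
    sem_lock(sma);
    if (sma->deleted) {     /* array was removed between lookup and lock */
        err = -EIDRM;
        goto out_unlock;
    }
    sma->value += delta;    /* safe: array still valid while locked */
out_unlock:
    sem_unlock(sma);
    return err;
}

/* The race from the message, replayed sequentially: the op found the array,
 * IPC_RMID ran, then the op acquired the lock. Returns the op's result. */
int race_scenario(void) {
    struct sem_array_model sma = { ATOMIC_FLAG_INIT, false, 0 };
    if (semop_model(&sma, 1) != 0) return -1;   /* before RMID: succeeds */
    ipc_rmid_model(&sma);
    return semop_model(&sma, 1);                /* after RMID: -EIDRM */
}
```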