From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Konstantin Khlebnikov <k.khlebnikov@samsung.com>
Subject: [PATCH 3.4 13/13] ipc/msg: fix race around refcount
Date: Fri, 28 Mar 2014 10:32:03 -0700
Message-ID: <20140328173054.817466312@linuxfoundation.org>
In-Reply-To: <20140328173053.049244535@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
[fixed differently in 6062a8dc0517bce23e3c2f7d2fea5e22411269a3 upstream.]
In older kernels (before v3.10) ipc_rcu_hdr->refcount was a non-atomic int.
There was a possible double-free bug: do_msgsnd() calls ipc_rcu_putref() under
msq->q_perm->lock and RCU, while freequeue() calls it while it holds only
'rw_mutex', so there is no synchronization between them. Two functions
decrement '2' non-atomically, and they both can get '0' as a result.
do_msgsnd()                                  freequeue()

msq = msg_lock_check(ns, msqid);
...
ipc_rcu_getref(msq);
msg_unlock(msq);
schedule();
                                             (caller locks spinlock)
                                             expunge_all(msq, -EIDRM);
                                             ss_wakeup(&msq->q_senders, 1);
                                             msg_rmid(ns, msq);
                                             msg_unlock(msq);
ipc_lock_by_ptr(&msq->q_perm);
ipc_rcu_putref(msq);                         ipc_rcu_putref(msq);

< both may get --(...)->refcount == 0 >
This patch locks ipc_lock and RCU around ipc_rcu_putref in freequeue.
( RCU protects memory for spin_unlock() )
Similar bugs might be in other users of ipc_rcu_putref().
In the mainline this has been fixed in v3.10 indirectly in commit
6062a8dc0517bce23e3c2f7d2fea5e22411269a3
("ipc,sem: fine grained locking for semtimedop") by Rik van Riel.
That commit optimized locking and converted refcount into atomic.
I'm not sure that anybody should care about this bug: it's very, very unlikely
and no longer exists in actual mainline. I found this just by looking at
the code; probably this never happens in real life.
Signed-off-by: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
---
ipc/msg.c | 2 ++
1 file changed, 2 insertions(+)
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -296,7 +296,9 @@ static void freeque(struct ipc_namespace
}
atomic_sub(msq->q_cbytes, &ns->msg_bytes);
security_msg_queue_free(msq);
+ ipc_lock_by_ptr(&msq->q_perm);
ipc_rcu_putref(msq);
+ ipc_unlock(&msq->q_perm);
}
/*
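Review bot: the new ipc_lock_by_ptr()/ipc_unlock() pair around ipc_rcu_putref() in freeque() is only safe because ipc_lock_by_ptr() enters an RCU read-side critical section before taking q_perm.lock and ipc_unlock() drops the spinlock before leaving it; the message says so ("RCU protects memory for spin_unlock()"), but the hunk does not, and a reader who sees a refcount decrement wrapped in a spinlock will not know the lock is there to serialize against do_msgsnd()'s putref rather than to protect the free. Add a one-line comment above the added ipc_lock_by_ptr() call, e.g. `/* serialize the non-atomic refcount with do_msgsnd(); RCU keeps msq valid for the unlock after a final putref */`. Since this is a stable-only fix that differs from the upstream commit named in the message, the comment also tells a future backporter why these two lines have no mainline counterpart. The message also says similar bugs might exist in other ipc_rcu_putref() users; those callers should be checked under the same rule before this goes into the 3.4 release.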
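The race and the effect of the fix, as an added example that is not part of the patch or of the kernel: a small C model that replays the two callers' putref steps under a chosen schedule, first without and then with the lock. `struct ipc_obj`, `run_scenario()` and the op lists are hypothetical stand-ins for ipc_rcu_hdr, ipc_rcu_putref(), ipc_lock_by_ptr() and ipc_unlock(); the schedules are constructed to reproduce the interleaving in the message's diagram.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the object ipc_rcu_putref() operates on. */
struct ipc_obj {
    int refcount;     /* plain int, as ipc_rcu_hdr->refcount was before v3.10 */
    int lock_owner;   /* 0 = free, else 1 + id of the caller holding q_perm.lock */
    int frees;        /* how many times the object was "freed"; 2 = double free */
};

struct outcome { int refcount; int frees; };

/* '--refcount' on a plain int is really load, subtract, store, test. The
 * model splits it into those steps so two callers can be interleaved. */
enum op { LOCK, LOAD, STORE, TEST, UNLOCK };

struct caller {
    struct ipc_obj *o;
    const enum op *prog;
    int len, pc, id;
    int tmp;          /* the caller's register copy of the counter */
};

/* Buggy: both callers decrement without a common lock (pre-patch freeque). */
static const enum op putref_unlocked[] = { LOAD, STORE, TEST };
/* Fixed: the decrement runs inside q_perm.lock, as the patch makes freeque do. */
static const enum op putref_locked[]   = { LOCK, LOAD, STORE, TEST, UNLOCK };

/* Execute one step; return 0 when the caller is finished or blocked on the lock. */
static int step(struct caller *c)
{
    struct ipc_obj *o = c->o;

    if (c->pc >= c->len)
        return 0;
    switch (c->prog[c->pc]) {
    case LOCK:
        if (o->lock_owner)
            return 0;                 /* held by the other caller: wait */
        o->lock_owner = c->id + 1;
        break;
    case UNLOCK: o->lock_owner = 0; break;
    case LOAD:   c->tmp = o->refcount; break;
    case STORE:  o->refcount = c->tmp - 1; break;
    /* The test re-reads memory. With a racy plain int nothing constrains what
     * either caller observes; this is the "both get 0" case from the message. */
    case TEST:   if (o->refcount == 0) o->frees++; break;
    }
    c->pc++;
    return 1;
}

/* Drive two callers (0 = do_msgsnd, 1 = freeque) through 'sched', a string
 * of '0'/'1' slots replayed until both finish. A caller blocked on the lock
 * simply loses its slot, which is how the lock serializes the decrements. */
struct outcome run_scenario(int locked, const char *sched)
{
    struct ipc_obj o = { 2, 0, 0 };   /* two references outstanding */
    const enum op *prog = locked ? putref_locked : putref_unlocked;
    int len = locked ? 5 : 3;
    struct caller c[2] = {
        { &o, prog, len, 0, 0, 0 },
        { &o, prog, len, 0, 1, 0 },
    };
    size_t n = strlen(sched);

    for (;;) {
        int progress = 0;
        for (size_t i = 0; i < n; i++)
            progress |= step(&c[sched[i] - '0']);
        if (!progress)                /* both finished (or deadlocked) */
            break;
    }
    return (struct outcome){ o.refcount, o.frees };
}

int main(void)
{
    /* "01": both load 2 -> one decrement lost, object leaked with refcount 1.
     * "001101": do_msgsnd stores 1, freeque stores 0, both test 0 -> two frees.
     * With the lock, either schedule ends with refcount 0 and exactly one free. */
    const char *sched[] = { "01", "001101" };

    for (int locked = 0; locked <= 1; locked++)
        for (int s = 0; s < 2; s++) {
            struct outcome r = run_scenario(locked, sched[s]);
            printf("%-8s schedule %-6s -> refcount %d, frees %d\n",
                   locked ? "locked" : "unlocked", sched[s], r.refcount, r.frees);
        }
    return 0;
}
```

The unlocked runs show the two failure modes of a racy non-atomic counter (a lost decrement, so the queue is never freed, and both callers observing zero, so it is freed twice); the locked runs show that once freeque's decrement sits under the same q_perm.lock that do_msgsnd already holds, no schedule can interleave the two.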
Thread overview: 16+ messages
2014-03-28 17:31 [PATCH 3.4 00/13] 3.4.85-stable review Greg Kroah-Hartman
2014-03-28 17:31 ` [PATCH 3.4 01/13] ALSA: compress: Pass through return value of open ops callback Greg Kroah-Hartman
2014-03-28 17:31 ` [PATCH 3.4 02/13] libceph: resend all writes after the osdmap loses the full flag Greg Kroah-Hartman
2014-03-28 17:31 ` [PATCH 3.4 03/13] iwlwifi: Complete backport of "iwlwifi: always copy first 16 bytes of commands" Greg Kroah-Hartman
2014-03-28 17:31 ` [PATCH 3.4 04/13] x86: bpf_jit: support negative offsets Greg Kroah-Hartman
2014-03-28 17:31 ` [PATCH 3.4 05/13] deb-pkg: Fix cross-building linux-headers package Greg Kroah-Hartman
2014-03-28 17:31 ` [PATCH 3.4 06/13] p54: clamp properly instead of just truncating Greg Kroah-Hartman
2014-03-28 17:31 ` [PATCH 3.4 07/13] i7300_edac: Fix device reference count Greg Kroah-Hartman
2014-03-28 17:31 ` [PATCH 3.4 08/13] ARM: move outer_cache declaration out of ifdef Greg Kroah-Hartman
2014-03-28 17:31 ` [PATCH 3.4 09/13] Input: elantech - improve clickpad detection Greg Kroah-Hartman
2014-03-28 17:32 ` [PATCH 3.4 10/13] KVM: MMU: handle invalid root_hpa at __direct_map Greg Kroah-Hartman
2014-03-28 17:32 ` [PATCH 3.4 11/13] KVM: VMX: fix use after free of vmx->loaded_vmcs Greg Kroah-Hartman
2014-03-28 17:32 ` [PATCH 3.4 12/13] xhci: Fix resume issues on Renesas chips in Samsung laptops Greg Kroah-Hartman
2014-03-28 17:32 ` Greg Kroah-Hartman [this message]
2014-03-29 1:00 ` [PATCH 3.4 00/13] 3.4.85-stable review Guenter Roeck
2014-03-30 1:26 ` Shuah Khan