From: Manfred Spraul <manfred@colorfullife.com>
To: davidlohr.bueso@hp.com
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Rik van Riel <riel@redhat.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Sedat Dilek <sedat.dilek@gmail.com>
Subject: Re: [PATCH] ipc,msg: shorten critical region in msgsnd
Date: Thu, 12 Sep 2013 17:10:01 +0200
Message-ID: <5231D949.8010408@colorfullife.com>
In-Reply-To: <5231B181.7080705@colorfullife.com>

Hi all,

On 09/12/2013 02:20 PM, Manfred Spraul wrote:
>
> And: What about the other users of obtain_object_check?
> exit_sem() is also quite long, but I didn't spot any obvious problems.
>
a) I think semtimed(), msgsnd() and msgrcv() must be fixed:
They either leak memory or tasks can sleep forever.
I haven't checked the shm code; I would expect that there are similar
problems.

b) There are additional races at least with selinux:
security/selinux/hooks.c
- selinux_sem_semop() accesses sma->sem_perm.security->sid.
- selinux_sem_free_security() does kfree() q_perm.security.

Right now, both operations can happen in parallel -> use after free.

I think the security_xx_yy() calls within ipc/*.c must only be called:
     - after checking _perm.deleted
     - with ipc_perm.lock acquired (to prevent parallel RMID calls).

Davidlohr:
What would be your proposal?

--
     Manfred
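The rule stated above (call the security hook only after checking `deleted`, and only with the object's lock held, so a concurrent RMID cannot free the security blob underneath the caller) can be modelled in user space. The following is an added illustration written for this page, not code from the thread or from the kernel: `perm_model`, `sec_blob`, `semop_hook_checked()`, `rmid_model()` and `race_model()` are constructed stand-ins for `kern_ipc_perm`, the SELinux blob, `selinux_sem_semop()`, `selinux_sem_free_security()` and the semop/RMID race, with a pthread mutex standing in for `ipc_perm.lock`.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

/* Constructed model of kern_ipc_perm and its SELinux security blob; not kernel code. */
struct sec_blob { unsigned int sid; };
struct perm_model {
	pthread_mutex_t lock;      /* stands in for ipc_perm.lock */
	int deleted;               /* stands in for ipc_perm.deleted */
	struct sec_blob *security; /* stands in for ipc_perm.security */
};

/* Checked accessor: the hook runs only after testing deleted, under the lock. */
static int semop_hook_checked(struct perm_model *p, unsigned int *sid_out)
{
	int ret = 0;
	pthread_mutex_lock(&p->lock);
	if (p->deleted)
		ret = -EIDRM;                /* removed: never touch p->security */
	else
		*sid_out = p->security->sid; /* stand-in for selinux_sem_semop() */
	pthread_mutex_unlock(&p->lock);
	return ret;
}

/* RMID path: mark deleted and free the blob under the same lock. */
static void rmid_model(struct perm_model *p)
{
	pthread_mutex_lock(&p->lock);
	p->deleted = 1;
	free(p->security);               /* stand-in for selinux_sem_free_security() */
	p->security = NULL;
	pthread_mutex_unlock(&p->lock);
}

static void *rmid_thread(void *arg) { rmid_model(arg); return NULL; }

/* Run lookups concurrently with an RMID. Returns the number of calls that
 * neither saw the live blob nor got -EIDRM; with the lock and deleted check
 * in place this is 0, i.e. no caller ever dereferenced the freed blob. */
static int race_model(void)
{
	struct perm_model p = { PTHREAD_MUTEX_INITIALIZER, 0, malloc(sizeof(struct sec_blob)) };
	pthread_t t;
	int bad = 0;
	p.security->sid = 42;            /* constructed sample SID */
	pthread_create(&t, NULL, rmid_thread, &p);
	for (int i = 0; i < 100000; i++) {
		unsigned int sid = 0;
		int ret = semop_hook_checked(&p, &sid);
		if ((ret == 0 && sid != 42) || (ret != 0 && ret != -EIDRM))
			bad++;
	}
	pthread_join(t, NULL);
	return bad;
}
```

Dropping either the lock or the `deleted` test from `semop_hook_checked()` reopens the window in which the blob freed by `rmid_model()` is read, which is the use-after-free described in the mail.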
