From: Manfred Spraul <manfred@colorfullife.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: "Herton R. Krzesinski" <herton@redhat.com>,
linux-kernel@vger.kernel.org, Davidlohr Bueso <dave@stgolabs.net>,
Rafael Aquini <aquini@redhat.com>, Joe Perches <joe@perches.com>,
Aristeu Rozanski <aris@redhat.com>,
djeffery@redhat.com
Subject: Re: [PATCH 1/2 v2] ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits
Date: Tue, 11 Aug 2015 20:30:11 +0200
Message-ID: <55CA3F33.9090205@colorfullife.com>
In-Reply-To: <1439313556-13923-2-git-send-email-herton@redhat.com>
On 08/11/2015 07:19 PM, Herton R. Krzesinski wrote:
> The current semaphore code allows a potential use after free: in exit_sem we may
> free the task's sem_undo_list while there is still another task looping through
> the same semaphore set and cleaning the sem_undo list at freeary function (the
> task called IPC_RMID for the same semaphore set).
>
> For example, with a test program [1] running which keeps forking a lot of processes
> (which then do a semop call with SEM_UNDO flag), and with the parent right after
> removing the semaphore set with IPC_RMID, and a kernel built with CONFIG_SLAB,
> CONFIG_SLAB_DEBUG and CONFIG_DEBUG_SPINLOCK, you can easily see something like
> the following in the kernel log:
>
>
> Signed-off-by: Herton R. Krzesinski <herton@redhat.com>
> Cc: stable@vger.kernel.org
Acked-by: Manfred Spraul <manfred@colorfullife.com>
--
Manfred
2015-08-11 17:19 ipc,sem: fix use after free on IPC_RMID v2 Herton R. Krzesinski
2015-08-11 17:19 ` [PATCH 1/2 v2] ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits Herton R. Krzesinski
2015-08-11 18:30 ` Manfred Spraul [this message]
2015-08-11 17:19 ` [PATCH 2/2] ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem() Herton R. Krzesinski
2015-08-11 18:31 ` Manfred Spraul