Re: [PATCH] ipc,sem block sem_lock on sma->lock during sma initialization

From: Manfred Spraul
Date: Sat Nov 22 2014 - 14:15:00 EST

On 11/21/2014 09:29 PM, Rik van Riel wrote:
Hash: SHA1

On 11/21/2014 03:09 PM, Andrew Morton wrote:
On Fri, 21 Nov 2014 14:52:26 -0500 Rik van Riel <riel@xxxxxxxxxx>

When manipulating just one semaphore with semop, sem_lock only
takes that single semaphore's lock. This creates a problem during
initialization of the semaphore array, when the data structures
used by sem_lock have not been set up yet. The sma->lock is
already held by newary, and we just have to make sure everything
else waits on that lock during initialization.

Luckily it is easy to make sem_lock wait on the sma->lock, by
pretending there is a complex operation in progress while the sma
is being initialized.

The newary function already zeroes sma->complex_count before
unlocking the sma->lock.
What are the runtime effects of the bug?

NULL pointer dereference in spin_lock from sem_lock,
if it is called before sma->sem_base has been pointed
somewhere valid.
No, this can't happen:
- sma is initialized to 0 with memset()
- sma->sem_nsems is set last.
- semtimedop() contains a "max >= sma->sem_nsems".

with sma->sem_nsems==0, this will always fail and therefore sem_lock() can't be reached.

The only misbehavior (apart from returning -EFBIG) is that find_alloc_undo() could allocate a wrong-sized undo structure.
Would cause random memory corruptions - but not NULL pointer dereference.

Which which kernel version have you seen the NULL pointer dereference?

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at