Re: [PATCH] ipc,sem block sem_lock on sma->lock during sma initialization
From: Manfred Spraul
Date: Sat Nov 22 2014 - 14:15:00 EST
On 11/21/2014 09:29 PM, Rik van Riel wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11/21/2014 03:09 PM, Andrew Morton wrote:
On Fri, 21 Nov 2014 14:52:26 -0500 Rik van Riel <riel@xxxxxxxxxx>
wrote:
When manipulating just one semaphore with semop, sem_lock only
takes that single semaphore's lock. This creates a problem during
initialization of the semaphore array, when the data structures
used by sem_lock have not been set up yet. The sma->lock is
already held by newary, and we just have to make sure everything
else waits on that lock during initialization.
Luckily it is easy to make sem_lock wait on the sma->lock, by
pretending there is a complex operation in progress while the sma
is being initialized.
The newary function already zeroes sma->complex_count before
unlocking the sma->lock.
What are the runtime effects of the bug?
NULL pointer dereference in spin_lock from sem_lock,
if it is called before sma->sem_base has been pointed
somewhere valid.
No, this can't happen:
- sma is initialized to 0 with memset()
- sma->sem_nsems is set last.
- semtimedop() contains a "max >= sma->sem_nsems".
with sma->sem_nsems==0, this will always fail and therefore sem_lock()
can't be reached.
The only misbehavior (apart from returning -EFBIG) is that
find_alloc_undo() could allocate a wrong-sized undo structure.
Would cause random memory corruptions - but not NULL pointer dereference.
Which which kernel version have you seen the NULL pointer dereference?
--
Manfred
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/