From: Manfred Spraul
Date: Sun Nov 23 2014 - 13:24:03 EST

On 11/21/2014 08:52 PM, Rik van Riel wrote:
When manipulating just one semaphore with semop, sem_lock only takes that
single semaphore's lock. This creates a problem during initialization of
the semaphore array, when the data structures used by sem_lock have not
been set up yet. The sma->lock is already held by newary, and we just
have to make sure everything else waits on that lock during initialization.

Luckily it is easy to make sem_lock wait on the sma->lock, by pretending
there is a complex operation in progress while the sma is being initialized.
That's not sufficient, as sma->sem_nsems is accessed before calling sem_lock(), both within find_alloc_undo() and within semtimedop().

The root problem is that sma->sem_nsems and sma->sem_base are accessed without any locks, this conflicts with the approach that sma starts to exist as not yet initialized but locked and is unlocked after the initialization is completed.

Attached is an idea. It did pass a few short tests.
What do you think?

With regards to affected kernels:
- wrong -EFBIG are possible since 3.10 (test for sma->sem_nsems moved before taking the lock)
- kernel memory corruptions with 0-sized undo buffer allocation is possible since 3.10, too.
(sem_lock before accessing sma->sem_nsems replaced with sem_obtain_object_check).