[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <54722639.1040605@colorfullife.com>
Date: Sun, 23 Nov 2014 19:23:53 +0100
From: Manfred Spraul <manfred@...orfullife.com>
To: Rik van Riel <riel@...hat.com>, linux-kernel@...r.kernel.org
CC: Andrew Morton <akpm@...ux-foundation.org>,
Davidlohr Bueso <davidlohr@...com>,
Rafael Aquini <aquini@...hat.com>, 1vier1@....de
Subject: Re: [PATCH] ipc,sem block sem_lock on sma->lock during sma initialization
Hi Rik,
On 11/21/2014 08:52 PM, Rik van Riel wrote:
> When manipulating just one semaphore with semop, sem_lock only takes that
> single semaphore's lock. This creates a problem during initialization of
> the semaphore array, when the data structures used by sem_lock have not
> been set up yet. The sma->lock is already held by newary, and we just
> have to make sure everything else waits on that lock during initialization.
>
> Luckily it is easy to make sem_lock wait on the sma->lock, by pretending
> there is a complex operation in progress while the sma is being initialized.
That's not sufficient, as sma->sem_nsems is accessed before calling
sem_lock(), both within find_alloc_undo() and within semtimedop().
The root problem is that sma->sem_nsems and sma->sem_base are accessed
without any locks, this conflicts with the approach that sma starts to
exist as not yet initialized but locked and is unlocked after the
initialization is completed.
Attached is an idea. It did pass a few short tests.
What do you think?
With regards to affected kernels:
- wrong -EFBIG are possible since 3.10 (test for sma->sem_nsems moved
before taking the lock)
- kernel memory corruptions with 0-sized undo buffer allocation is
possible since 3.10, too.
(sem_lock before accessing sma->sem_nsems replaced with
sem_obtain_object_check).
--
Manfred
View attachment "0001-ipc-sem.c-Fully-initialize-sem_array-before-making-i.patch" of type "text/x-patch" (1643 bytes)
Powered by blists - more mailing lists