Date:   Wed, 23 Oct 2019 20:28:52 +0200
From:   Manfred Spraul <manfred@...orfullife.com>
To:     kernel test robot <rong.a.chen@...el.com>
Cc:     LKML <linux-kernel@...r.kernel.org>,
        Davidlohr Bueso <dave@...olabs.net>,
        Waiman Long <longman@...hat.com>, 1vier1@....de,
        Andrew Morton <akpm@...ux-foundation.org>,
        Peter Zijlstra <peterz@...radead.org>,
        Jonathan Corbet <corbet@....net>, lkp@...ts.01.org,
        ltp@...ts.linux.it
Subject: Re: [ipc/sem.c] 6394de3b86: BUG:kernel_NULL_pointer_dereference,address

Hello,

On 10/21/19 10:35 AM, kernel test robot wrote:
> FYI, we noticed the following commit (built with gcc-7):
>
> commit: 6394de3b868537a90dd9128607192b0e97109f6b ("[PATCH 4/5] ipc/sem.c: Document and update memory barriers")
> url: https://github.com/0day-ci/linux/commits/Manfred-Spraul/wake_q-Cleanup-Documentation-update/20191014-055627

Yes, known issue:

> @@ -2148,9 +2176,11 @@ static long do_semtimedop(int semid, struct 
> sembuf __user *tsops,
>         }
>
>         do {
> -               WRITE_ONCE(queue.status, -EINTR);
> +               /* memory ordering ensured by the lock in sem_lock() */
> +               queue.status = EINTR;
>                 queue.sleeper = current;
>
> +               /* memory ordering is ensured by the lock in sem_lock() */
>                 __set_current_state(TASK_INTERRUPTIBLE);
>                 sem_unlock(sma, locknum);
>                 rcu_read_unlock();
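Review bot: the added line `queue.status = EINTR;` drops the minus sign that the removed `WRITE_ONCE(queue.status, -EINTR);` had, so the value stored as the "still pending" marker changes even though the new comment describes only a memory-ordering change; it should read `queue.status = -EINTR;`. The two added comments say the same thing twice within four lines; one comment placed before the first store would be enough.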
It must be "-EINTR", not "EINTR".

If there is a timeout or a spurious wakeup, then do_semtimedop() returns to user space without unlinking everything properly.

I was able to reproduce the issue: V1 of the series ends up with the 
shown error.

V3 as now merged doesn't fail.

--

     Manfred
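To show why the sign of the marker matters, here is a simplified model of the check that the wakeup path performs, written as an added example for this thread; it is not the kernel's code and the list, function and parameter names are constructed for the model. The sleeper stores a marker in a stack-allocated queue entry before sleeping; on wakeup, a status that still equals -EINTR means nobody woke us (timeout or spurious wakeup) and the entry must be unlinked by the sleeper itself, while any other value means a waker already unlinked the entry. Storing EINTR instead of -EINTR makes every wakeup look like the second case, so the entry stays linked after the function returns.

```c
/* Simplified model of the pending-marker check in a do_semtimedop()-style
 * sleep path. All names below are constructed for this example. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct sem_queue {
    struct sem_queue *next;
    int status;          /* pending marker, or the result written by a waker */
};

struct pending_list {
    struct sem_queue *head;
};

/* Link an entry at the head of the list (done by the sleeper under the lock). */
static void link_queue(struct pending_list *l, struct sem_queue *q)
{
    q->next = l->head;
    l->head = q;
}

/* Remove an entry from the list; returns false if it was not linked. */
static bool unlink_queue(struct pending_list *l, struct sem_queue *q)
{
    struct sem_queue **pp;
    for (pp = &l->head; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == q) {
            *pp = q->next;
            q->next = NULL;
            return true;
        }
    }
    return false;
}

/* Is the entry still reachable from the list head? */
static bool is_linked(const struct pending_list *l, const struct sem_queue *q)
{
    const struct sem_queue *p;
    for (p = l->head; p != NULL; p = p->next)
        if (p == q)
            return true;
    return false;
}

/*
 * One sleeper round trip. pending_marker is the value stored before sleeping
 * (-EINTR in the merged code; the quoted V1 hunk stores EINTR).
 * woken_by_waker selects whether a waker unlinked the entry and published a
 * result, or whether the wakeup was a timeout / spurious wakeup.
 * Returns true when the sleeper leaves its stack entry linked, which is the
 * dangling-entry condition behind the reported NULL pointer dereference.
 */
static bool sleeper_round_trip(int pending_marker, bool woken_by_waker)
{
    struct pending_list list = { NULL };
    struct sem_queue queue;
    int error;

    queue.status = pending_marker;
    link_queue(&list, &queue);

    if (woken_by_waker) {
        /* The waker dequeues the entry and publishes the result. */
        unlink_queue(&list, &queue);
        queue.status = 0;
    }

    /* The sleeper wakes up (for either reason) and inspects the status. */
    error = queue.status;
    if (error != -EINTR) {
        /* Marker gone: a waker must have unlinked us, nothing to do. */
    } else {
        /* Still pending: timeout or spurious wakeup, unlink ourselves. */
        unlink_queue(&list, &queue);
    }
    return is_linked(&list, &queue);
}

int main(void)
{
    printf("-EINTR marker, spurious wakeup: dangling=%d\n",
           sleeper_round_trip(-EINTR, false));
    printf(" EINTR marker, spurious wakeup: dangling=%d\n",
           sleeper_round_trip(EINTR, false));
    return 0;
}
```

With the correct marker the spurious-wakeup path unlinks the entry; with the positive EINTR the comparison against -EINTR fails and the stack entry is left on the list, which is what the quoted report shows as a crash once that stack frame is gone.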

