[alternative-merged] ipcsem-block-sem_lock-on-sma-lock-during-sma-initialization.patch removed from -mm tree

The patch titled
     Subject: ipc,sem block sem_lock on sma->lock during sma initialization
has been removed from the -mm tree.  Its filename was
     ipcsem-block-sem_lock-on-sma-lock-during-sma-initialization.patch

This patch was dropped because an alternative patch was merged.

------------------------------------------------------
From: Rik van Riel <riel@xxxxxxxxxx>
Subject: ipc,sem block sem_lock on sma->lock during sma initialization

When manipulating just one semaphore with semop, sem_lock only takes that
single semaphore's lock.  This creates a problem during initialization of
the semaphore array, when the data structures used by sem_lock have not
been set up yet.  The sma->lock is already held by newary, and we just
have to make sure everything else waits on that lock during
initialization.

Luckily it is easy to make sem_lock wait on the sma->lock, by pretending
there is a complex operation in progress while the sma is being
initialized.

The newary function already zeroes sma->complex_count before unlocking the
sma->lock.

The reason the bug took almost two years to get noticed is that it takes
one task doing a semop on a semaphore in an array that is still getting
instantiated by newary (getsem) from another task.  This results in a NULL
pointer dereference in spin_lock() from sem_lock().

In other words, if you try to use a semaphore array before getsem returns,
you can oops the task that calls semop.

It should not cause any damage to long-living kernel data structures.

Signed-off-by: Rik van Riel <riel@xxxxxxxxxx>
Cc: Manfred Spraul <manfred@xxxxxxxxxxxxxxxx>
Acked-by: Rafael Aquini <aquini@xxxxxxxxxx>
Cc: Davidlohr Bueso <dave@xxxxxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 ipc/sem.c |    3 +++
 1 file changed, 3 insertions(+)

diff -puN ipc/sem.c~ipcsem-block-sem_lock-on-sma-lock-during-sma-initialization ipc/sem.c
--- a/ipc/sem.c~ipcsem-block-sem_lock-on-sma-lock-during-sma-initialization
+++ a/ipc/sem.c
@@ -507,6 +507,9 @@ static int newary(struct ipc_namespace *
 		return retval;
 	}
 
+	/* Ensures sem_lock waits on &sma->lock until sma is ready. */
+	sma->complex_count = 1;
+
 	id = ipc_addid(&sem_ids(ns), &sma->sem_perm, ns->sc_semmni);
 	if (id < 0) {
 		ipc_rcu_putref(sma, sem_rcu_free);
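Review bot: the comment on the added `sma->complex_count = 1;` line says sem_lock will wait on &sma->lock until sma is ready, but nothing in this hunk shows where the count is brought back to zero; the description relies on newary already zeroing sma->complex_count before it drops sma->lock, so the comment should name that pairing (for example `/* cleared again before sma->lock is released at the end of newary */`) so a reader of this hunk alone can see the lifetime of the pretend complex operation. The placement before ipc_addid() is fine: on the `id < 0` error path directly below, sma is released via ipc_rcu_putref(sma, sem_rcu_free) and never becomes visible, so the non-zero count cannot leak to a caller of sem_lock.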
_

Patches currently in -mm which might be from riel@xxxxxxxxxx are

mm-do-not-overwrite-reserved-pages-counter-at-show_mem.patch
mm-introduce-single-zone-pcplists-drain.patch
mm-page_isolation-drain-single-zone-pcplists.patch
mm-cma-drain-single-zone-pcplists.patch
mm-memory_hotplug-failure-drain-single-zone-pcplists.patch
mm-compaction-pass-classzone_idx-and-alloc_flags-to-watermark-checking.patch
mm-compaction-pass-classzone_idx-and-alloc_flags-to-watermark-checking-fix.patch
mm-compaction-simplify-deferred-compaction.patch
mm-compaction-defer-only-on-compact_complete.patch
mm-compaction-always-update-cached-scanner-positions.patch
mm-compaction-always-update-cached-scanner-positions-fix.patch
mm-compaction-more-focused-lru-and-pcplists-draining.patch
mm-compaction-more-focused-lru-and-pcplists-draining-fix.patch
mm-fix-a-spelling-mistake.patch
mmfs-introduce-helpers-around-the-i_mmap_mutex.patch
mm-use-new-helper-functions-around-the-i_mmap_mutex.patch
mm-convert-i_mmap_mutex-to-rwsem.patch
mm-rmap-share-the-i_mmap_rwsem.patch
uprobes-share-the-i_mmap_rwsem.patch
mm-xip-share-the-i_mmap_rwsem.patch
mm-memory-failure-share-the-i_mmap_rwsem.patch
mm-nommu-share-the-i_mmap_rwsem.patch
mm-memoryc-share-the-i_mmap_rwsem.patch
mm-mincore-add-hwpoison-page-handle.patch
hugetlb-fix-hugepages=-entry-in-kernel-parameterstxt.patch
hugetlb-alloc_bootmem_huge_page-use-is_aligned.patch
hugetlb-hugetlb_register_all_nodes-add-__init-marker.patch
mm-page_alloc-store-updated-page-migratetype-to-avoid-misusing-stale-value.patch
mm-page_alloc-store-updated-page-migratetype-to-avoid-misusing-stale-value-fix.patch
mm-introduce-do_shared_fault-and-drop-do_fault-fix-fix.patch
do_shared_fault-check-that-mmap_sem-is-held.patch
exit-wait-cleanup-the-ptrace_reparented-checks.patch
exit-wait-cleanup-the-ptrace_reparented-checks-fix.patch
exit-wait-dont-use-zombie-real_parent.patch
exit-wait-drop-tasklist_lock-before-psig-c-accounting.patch
exit-release_task-fix-the-comment-about-group-leader-accounting.patch
exit-proc-dont-try-to-flush-proc-tgid-task-tgid.patch
linux-next.patch
