From: Davidlohr Bueso <davidlohr@hp.com>
To: Manfred Spraul <manfred@colorfullife.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Andrew Morton <akpm@linux-foundation.org>
Cc: Rik van Riel <riel@redhat.com>, Mike Galbraith <efault@gmx.de>,
        sedat.dilek@gmail.com,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Davidlohr Bueso <davidlohr@hp.com>
Subject: [PATCH 2/4] ipc,shm: prevent race with rmid in shmat(2)
Date: Sun, 15 Sep 2013 20:04:35 -0700
Message-Id: <1379300677-24188-3-git-send-email-davidlohr@hp.com>
In-Reply-To: <1379300677-24188-1-git-send-email-davidlohr@hp.com>
References: <1379300677-24188-1-git-send-email-davidlohr@hp.com>
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1124
Lines: 37

This fixes a race in shmat() between finding the msq and
actually attaching the segment, as another thread can delete shmid
underneath us if we are preempted before acquiring the kern_ipc_perm.lock.

Reported-by: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Davidlohr Bueso <davidlohr@hp.com>
---
 ipc/shm.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ipc/shm.c b/ipc/shm.c
index bc3e897..1afde7e 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -1093,6 +1093,14 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
 		goto out_unlock;
 
 	ipc_lock_object(&shp->shm_perm);
+
+	/* have we raced with RMID? */
+	if (shp->shm_perm.deleted) {
+		err = -EIDRM;
+		ipc_unlock_object(&shp->shm_perm);
+		goto out_unlock;
+	}
+
 	err = security_shm_shmat(shp, shmaddr, shmflg);
 	if (err) {
 		ipc_unlock_object(&shp->shm_perm);
-- 
1.7.11.7

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/