Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752627AbbHKSaS (ORCPT <rfc822;w@1wt.eu>);
	Tue, 11 Aug 2015 14:30:18 -0400
Received: from mail-wi0-f171.google.com ([209.85.212.171]:35495 "EHLO
	mail-wi0-f171.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751191AbbHKSaP (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 11 Aug 2015 14:30:15 -0400
Subject: Re: [PATCH 1/2 v2] ipc,sem: fix use after free on IPC_RMID after a
 task using same semaphore set exits
References: <1439313556-13923-1-git-send-email-herton@redhat.com>
 <1439313556-13923-2-git-send-email-herton@redhat.com>
Cc: "Herton R. Krzesinski" <herton@redhat.com>, linux-kernel@vger.kernel.org,
        Davidlohr Bueso <dave@stgolabs.net>, Rafael Aquini <aquini@redhat.com>,
        Joe Perches <joe@perches.com>, Aristeu Rozanski <aris@redhat.com>,
        djeffery@redhat.com
To: Andrew Morton <akpm@linux-foundation.org>
From: Manfred Spraul <manfred@colorfullife.com>
Message-ID: <55CA3F33.9090205@colorfullife.com>
Date: Tue, 11 Aug 2015 20:30:11 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <1439313556-13923-2-git-send-email-herton@redhat.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1123
Lines: 24

On 08/11/2015 07:19 PM, Herton R. Krzesinski wrote:
> The current semaphore code allows a potential use after free: in exit_sem we may
> free the task's sem_undo_list while there is still another task looping through
> the same semaphore set and cleaning the sem_undo list at freeary function (the
> task called IPC_RMID for the same semaphore set).
>
> For example, with a test program [1] running which keeps forking a lot of processes
> (which then do a semop call with SEM_UNDO flag), and with the parent right after
> removing the semaphore set with IPC_RMID, and a kernel built with CONFIG_SLAB,
> CONFIG_SLAB_DEBUG and CONFIG_DEBUG_SPINLOCK, you can easily see something like
> the following in the kernel log:
>
>
> Signed-off-by: Herton R. Krzesinski <herton@redhat.com>
> Cc: stable@vger.kernel.org
Acked-by: Manfred Spraul <manfred@colorfullife.com>

--
     Manfred
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/