Date: Sun, 18 Dec 2016 08:28:38 -0800
From: Davidlohr Bueso
To: Dmitry Vyukov
Cc: Andrew Morton, Ingo Molnar, manfred, Peter Zijlstra, fabf@skynet.be, kernel@kyup.com, LKML, syzkaller
Subject: Re: ipc: BUG: sem_unlock unlocks non-locked lock
Message-ID: <20161218162838.GA24788@linux-80c1.suse>
References:
In-Reply-To:
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 16 Dec 2016, Dmitry Vyukov wrote:

>[ BUG: bad unlock balance detected! ]
>4.9.0+ #89 Not tainted

Thanks for the report, I can reproduce the issue as of (which I obviously
should have tested with lockdep):

370b262c896 (ipc/sem: avoid idr tree lookup for interrupted semop)

I need to think more about it this evening, but I believe the issue to be
the potentially bogus locknum in the unlock path, as we are calling
sem_lock without updating the variable. I'll send a patch after more
testing. This fixes it for me:

diff --git a/ipc/sem.c b/ipc/sem.c
index e08b94851922..fba6139e7208 100644
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -1977,7 +1977,7 @@ SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops,
 	}
 	rcu_read_lock();
-	sem_lock(sma, sops, nsops);
+	sem_lock(sma, sops, nsops);
 	if (!ipc_valid_object(&sma->sem_perm))
 		goto out_unlock_free;

Thanks,
Davidlohr
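Review bot: the `-` and `+` lines of this hunk are identical as quoted (`sem_lock(sma, sops, nsops);` on both), so the patch as shown changes nothing. The reply's own diagnosis is that `locknum` goes stale because `sem_lock` is called without updating the variable, which would make the intended `+` line `locknum = sem_lock(sma, sops, nsops);`; either the assignment was lost in transit or the hunk is incomplete, and it should be rechecked before being sent as a proper patch, ideally with a changelog stating that `sem_unlock` otherwise releases a lock other than the one the second `sem_lock` took.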
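The stale-locknum failure the reply describes, as an added toy model in C (constructed here, not the kernel's ipc/sem.c): sem_lock() chooses between a per-semaphore lock and the array-wide lock and reports which one it took, so a caller that re-locks after sleeping but keeps the old return value hands sem_unlock() the wrong lock. The names, the complex_count trigger and the array layout are assumptions of this toy.

```c
#include <stdbool.h>
/* Constructed toy of the ipc/sem locking the thread describes (not kernel
 * code): one simple op with no complex op pending takes a per-semaphore
 * lock and sem_lock() returns its index; otherwise it takes the array-wide
 * lock and returns SEM_GLOBAL_LOCK. sem_unlock() needs that same value. */
#define NSEMS 4
#define SEM_GLOBAL_LOCK (-1)

struct toy_sem_array {
    bool global_locked;
    bool sem_locked[NSEMS];
    int complex_count;              /* pending multi-sop operations */
};

static int toy_sem_lock(struct toy_sem_array *sma, int semnum, int nsops)
{
    if (nsops == 1 && sma->complex_count == 0) {
        sma->sem_locked[semnum] = true;         /* fast path */
        return semnum;
    }
    sma->global_locked = true;                  /* slow path */
    return SEM_GLOBAL_LOCK;
}

/* Returns false for what lockdep reports as "bad unlock balance". */
static bool toy_sem_unlock(struct toy_sem_array *sma, int locknum)
{
    bool *held = locknum == SEM_GLOBAL_LOCK ? &sma->global_locked
                                            : &sma->sem_locked[locknum];
    if (!*held)
        return false;
    *held = false;
    return true;
}

/* Sleeping semop: lock, drop the lock to sleep, a concurrent complex op
 * arrives, re-lock. With refresh=false the stale locknum from the first
 * sem_lock() is used for the final unlock. Returns whether it balanced. */
static bool toy_semop(bool refresh)
{
    struct toy_sem_array sma = { 0 };
    int locknum = toy_sem_lock(&sma, 2, 1);     /* per-semaphore lock 2 */
    toy_sem_unlock(&sma, locknum);              /* release before sleeping */
    sma.complex_count = 1;                      /* another task's complex op */
    if (refresh)
        locknum = toy_sem_lock(&sma, 2, 1);     /* fixed: now the global lock */
    else
        toy_sem_lock(&sma, 2, 1);               /* buggy: return value dropped */
    return toy_sem_unlock(&sma, locknum);
}
```

toy_semop(false) reproduces the unbalanced unlock (and leaks the global lock), toy_semop(true) is the pattern the one-line assignment fix restores.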