Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1761167AbcLRQaD (ORCPT ); Sun, 18 Dec 2016 11:30:03 -0500
Received: from mx2.suse.de ([195.135.220.15]:46858 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754247AbcLRQaC (ORCPT ); Sun, 18 Dec 2016 11:30:02 -0500
Date: Sun, 18 Dec 2016 08:29:52 -0800
From: Davidlohr Bueso
To: Dmitry Vyukov
Cc: Andrew Morton, Ingo Molnar, manfred, Peter Zijlstra, fabf@skynet.be, kernel@kyup.com, LKML, syzkaller
Subject: Re: ipc: BUG: sem_unlock unlocks non-locked lock
Message-ID: <20161218162952.GB24788@linux-80c1.suse>
References: <20161218162838.GA24788@linux-80c1.suse>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
In-Reply-To: <20161218162838.GA24788@linux-80c1.suse>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 952
Lines: 30

On Sun, 18 Dec 2016, Bueso wrote:

>On Fri, 16 Dec 2016, Dmitry Vyukov wrote:
>
>>[ BUG: bad unlock balance detected! ]
>>4.9.0+ #89 Not tainted
>
>Thanks for the report, I can reproduce the issue as of (which I obviously
>should have tested with lockdep):
>
>370b262c896 (ipc/sem: avoid idr tree lookup for interrupted semop)
>
>I need to think more about it this evening, but I believe the issue to be
>the potentially bogus locknum in the unlock path, as we are calling sem_lock
>without updating the variable. I'll send a patch after more testing. This
>fixes it for me:
>
>diff --git a/ipc/sem.c b/ipc/sem.c
>index e08b94851922..fba6139e7208 100644
>--- a/ipc/sem.c
>+++ b/ipc/sem.c
>@@ -1977,7 +1977,7 @@ SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops,
> 	}
> 
> 	rcu_read_lock();
>-	sem_lock(sma, sops, nsops);
>+	sem_lock(sma, sops, nsops);

*sigh*, that would be:

	locknum = sem_lock(sma, sops, nsops);
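Review bot: The "+" line of this hunk is identical to the "-" line it replaces ("sem_lock(sma, sops, nsops);"), so as quoted the hunk is a no-op and cannot address the stale locknum the mail describes; the return value of the re-lock is still discarded and the later sem_unlock(sma, locknum) keeps using the value from the first sem_lock() call. As the follow-up in the same mail says, the intended replacement line is "locknum = sem_lock(sma, sops, nsops);", which should be what the resent patch carries so the unlock path releases whichever lock (global or per-semaphore) the second call actually took.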
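To make the failure mode concrete, here is an added user-space model of the locknum contract (my example, not kernel code and not part of this thread). The function names mirror ipc/sem.c, but the bodies, the decision rule in sem_lock() (single op and no complex op pending means per-semaphore lock, otherwise the array-wide lock) and the "a complex op got queued while we slept" scenario are assumptions used only to show why a sem_lock() call whose return value is not stored leaves the unlock path with a bogus locknum.

```c
/* Added example (not kernel code): a model of the ipc/sem locking scheme
 * showing why sem_unlock() must be given the locknum returned by the
 * *latest* sem_lock() call. Names mirror ipc/sem.c; the bodies and the
 * lock-selection rule are simplified stand-ins, not the kernel's logic. */
#include <stdio.h>
#include <string.h>

#define SEM_GLOBAL_LOCK (-1)   /* sentinel for "the array-wide lock was taken" */
#define NSEMS 4

struct sem_array {
    int global_locked;          /* models the array-wide lock (sem_perm.lock) */
    int sem_locked[NSEMS];      /* models the per-semaphore locks */
    int complex_pending;        /* assumed: a queued complex op forces the global lock */
};

/* Returns the locknum the caller must later hand to sem_unlock():
 * SEM_GLOBAL_LOCK when the array-wide lock was taken, otherwise the index
 * of the single semaphore whose lock was taken. Decision rule is assumed. */
static int sem_lock(struct sem_array *sma, int semnum, int nsops)
{
    if (nsops != 1 || sma->complex_pending) {
        sma->global_locked = 1;
        return SEM_GLOBAL_LOCK;
    }
    sma->sem_locked[semnum] = 1;
    return semnum;
}

/* Returns 0 on a balanced unlock, -1 when asked to release a lock that is
 * not held (the condition lockdep reports as "bad unlock balance"). */
static int sem_unlock(struct sem_array *sma, int locknum)
{
    if (locknum == SEM_GLOBAL_LOCK) {
        if (!sma->global_locked)
            return -1;
        sma->global_locked = 0;
        return 0;
    }
    if (locknum < 0 || locknum >= NSEMS || !sma->sem_locked[locknum])
        return -1;
    sma->sem_locked[locknum] = 0;
    return 0;
}

/* Models the interrupted-semop path of semtimedop(): lock for a single op,
 * drop the lock to sleep, re-lock after the wakeup. While the task slept
 * another task queued a complex op (assumed scenario), so the second
 * sem_lock() takes the global lock instead of per-semaphore lock 2.
 * update_locknum == 0 reproduces the bug (return value discarded),
 * update_locknum == 1 stores the new locknum. Returns sem_unlock()'s result,
 * or -1 if the global lock would be leaked. */
static int interrupted_semop(int update_locknum)
{
    struct sem_array sma;
    int locknum, ret;

    memset(&sma, 0, sizeof(sma));
    locknum = sem_lock(&sma, 2, 1);          /* fast path: per-sem lock 2 */
    sem_unlock(&sma, locknum);               /* drop it and go to sleep */
    sma.complex_pending = 1;                 /* state changed while asleep */

    if (update_locknum)
        locknum = sem_lock(&sma, 2, 1);      /* global lock, locknum == -1 */
    else
        sem_lock(&sma, 2, 1);                /* global lock taken, locknum still 2 */

    ret = sem_unlock(&sma, locknum);         /* stale locknum: unlocks an unlocked lock */
    if (ret == 0 && sma.global_locked)       /* the other half of the imbalance */
        ret = -1;
    return ret;
}

int main(void)
{
    printf("stale locknum:   %s\n", interrupted_semop(0) ? "bad unlock balance" : "ok");
    printf("updated locknum: %s\n", interrupted_semop(1) ? "bad unlock balance" : "ok");
    return 0;
}
```

With the return value discarded, sem_unlock() is asked to release per-semaphore lock 2, which was already dropped before sleeping, while the global lock that was actually taken stays held; storing the new locknum makes the unlock match the lock.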