diff options
author | Manfred Spraul <manfred@colorfullife.com> | 2013-10-16 13:46:45 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2013-10-16 21:35:52 -0700 |
commit | 6e224f94597842c5eb17f1fc2208d20b6f7f7d49 (patch) | |
tree | f2a2ed86aa847b16b0d952411aed975f3a978908 /fs/ioctl.c | |
parent | 18ccee263c7e250a57f01c9434658f11f4118a64 (diff) | |
download | op-kernel-dev-6e224f94597842c5eb17f1fc2208d20b6f7f7d49.zip op-kernel-dev-6e224f94597842c5eb17f1fc2208d20b6f7f7d49.tar.gz |
ipc/sem.c: synchronize semop and semctl with IPC_RMID
After acquiring the semlock spinlock, operations must test that the
array is still valid.
- semctl() and exit_sem() would walk stale linked lists (ugly, but
should be ok: all lists are empty)
- semtimedop() would sleep forever - and if woken up due to a signal -
access memory after free.
The patch also:
- standardizes the tests for .deleted, so that all tests in one
function leave the function with the same approach.
- unconditionally tests for .deleted immediately after every call to
sem_lock - even it it means that for semctl(GETALL), .deleted will be
tested twice.
Both changes make the review simpler: After every sem_lock, there must
be a test of .deleted, followed by a goto to the cleanup code (if the
function uses "goto cleanup").
The only exception is semctl_down(): If sem_ids().rwsem is locked, then
the presence in ids->ipcs_idr is equivalent to !.deleted, thus no
additional test is required.
Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
Cc: Mike Galbraith <efault@gmx.de>
Acked-by: Davidlohr Bueso <davidlohr@hp.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/ioctl.c')
0 files changed, 0 insertions, 0 deletions