The synchronization between security_sem_xx and security_sem_free was modified without updating security/*.c. This created a use-after-free race with security/selinux/hooks.c.

Affected: 3.0.10, 3.0.11, current head

Details: Assume a preemptible kernel that is preempted just after

> isec = ipc_perms->security;

in ipc_has_perm (called from selinux_sem_xx()). The call happens just with rcu_read_lock(). Now the other thread calls whatever operations are necessary to end up in sem_freeary(), which calls security_sem_free(). This ends up doing kfree(isec).
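The interleaving the report describes, as an added userspace model that is neither the reporter's nor the kernel's code: a reader enters an RCU read-side critical section, loads the security pointer, is preempted, and the writer frees the object before the reader dereferences it. All names (isec_blob, ipc_perm_model, model_rcu_read_lock, simulate_race) are constructed for illustration, the model_rcu_* functions are a single-threaded stand-in for RCU bookkeeping, and "freed" is tracked with a flag because a real dangling dereference cannot be checked safely. The second branch shows the general remedy for this class of bug, freeing the blob only after the grace period (for the kernel's actual change see the linked commit).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of the race in the report. Names are illustrative and
 * this is not kernel code; "freed" is a flag standing in for kfree().
 */

/* Stand-in for the SELinux ipc security blob behind ipc_perms->security. */
struct isec_blob {
    int sid;
    bool freed;   /* model of "this memory has been kfree()d" */
};

struct ipc_perm_model {
    struct isec_blob *security;
};

/* Minimal RCU-like bookkeeping: a reader count and one deferred-free slot. */
static int rcu_readers;
static struct isec_blob *deferred_free;

static void model_rcu_read_lock(void) { rcu_readers++; }

static void model_rcu_read_unlock(void)
{
    rcu_readers--;
    /* Grace period ends when no reader is left: the deferred free runs now. */
    if (rcu_readers == 0 && deferred_free != NULL) {
        deferred_free->freed = true;
        deferred_free = NULL;
    }
}

enum race_outcome {
    OUTCOME_USE_AFTER_FREE = 1,    /* reader dereferenced freed memory */
    OUTCOME_FREED_AFTER_GRACE = 2, /* reader safe, blob freed after unlock */
    OUTCOME_LEAKED = 3             /* blob never freed */
};

/* Replay the interleaving with either an immediate or an RCU-deferred free. */
static enum race_outcome simulate_race(bool free_via_rcu_callback)
{
    struct isec_blob blob = { .sid = 42, .freed = false };
    struct ipc_perm_model perm = { .security = &blob };

    /* Reader side (selinux_sem_xx -> ipc_has_perm): enter RCU, load pointer. */
    model_rcu_read_lock();
    struct isec_blob *isec = perm.security;
    /* ... reader is preempted here, holding only rcu_read_lock(). */

    /* Writer side (sem_freeary -> security_sem_free) runs to completion. */
    perm.security = NULL;
    if (free_via_rcu_callback)
        deferred_free = isec;     /* free only after the grace period */
    else
        blob.freed = true;        /* immediate kfree(isec): the bug */

    /* Reader resumes and dereferences the pointer it loaded earlier. */
    bool touched_freed_memory = isec->freed;
    int sid = isec->sid;          /* the access that goes wrong in the bug */
    (void)sid;
    model_rcu_read_unlock();

    if (touched_freed_memory)
        return OUTCOME_USE_AFTER_FREE;
    return blob.freed ? OUTCOME_FREED_AFTER_GRACE : OUTCOME_LEAKED;
}

int main(void)
{
    printf("immediate kfree: %d\n", simulate_race(false)); /* prints 1 */
    printf("rcu-deferred:    %d\n", simulate_race(true));  /* prints 2 */
    return 0;
}
```

The point the model makes is that rcu_read_lock() on its own protects nothing: it only delays frees that are themselves routed through the grace period, so a kfree() issued directly on the writer side is invisible to it.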
Fixed: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=53dad6d3a8e5ac1af8bacc6ac2134ae1a8b085f1