Bug 61351 - ipc/sem.c: Insufficient synchronization within sem_lock
Summary: ipc/sem.c: Insufficient synchronization within sem_lock
Status: RESOLVED CODE_FIX
Alias: None
Product: Other
Classification: Unclassified
Component: Other (show other bugs)
Hardware: All Linux
Importance: P1 normal
Assignee: other_other
URL: http://marc.info/?l=linux-kernel&m=13...
Keywords:
Depends on:
Blocks: 62061 62081
Reported: 2013-09-15 10:56 UTC by Manfred Spraul
Modified: 2013-10-02 07:18 UTC (History)
CC List: 0 users

See Also:
Kernel Version:
Subsystem:
Regression: Yes
Bisected commit-id:


Attachments

Description Manfred Spraul 2013-09-15 10:56:59 UTC
The order between testing complex_count and spin_is_locked() is the wrong way around.

This means unsynchronized read/write access to the linked lists within a semaphore array may happen, which would lead to memory corruption.

Affected: 3.0.10, 3.0.11, current head

Details:
See the link:
http://marc.info/?l=linux-kernel&m=137919453307294
Comment 1 Manfred Spraul 2013-09-25 07:27:22 UTC
Fix is in -mm tree

http://marc.info/?l=linux-mm-commits&m=137997045831779
Comment 2 Manfred Spraul 2013-10-02 07:18:35 UTC
Fixed

5e9d527591421ccdb16acb8c23662231135d8686 ipc/sem.c: fix race in sem_lock()
