e2652ae6bd
ipc_addid() initializes kern_ipc_perm.seq after having called idr_alloc() (within ipc_idr_alloc()). Thus a parallel semop() or msgrcv() that uses ipc_obtain_object_check() may see an uninitialized value. The patch moves the initialization of kern_ipc_perm.seq before the calls of idr_alloc(). Notes: 1) This patch has a user space visible side effect: If /proc/sys/kernel/*_next_id is used (i.e.: checkpoint/restore) and if semget()/msgget()/shmget() fails in the final step of adding the id to the rhash tree, then .._next_id is cleared. Before the patch, is remained unmodified. There is no change of the behavior after a successful ..get() call: It always clears .._next_id, there is no impact to non checkpoint/restore code as that code does not use .._next_id. 2) The patch correctly documents that after a call to ipc_idr_alloc(), the full tear-down sequence must be used. The callers of ipc_addid() do not fullfill that, i.e. more bugfixes are required. The patch is a squash of a patch from Dmitry and my own changes. Link: http://lkml.kernel.org/r/20180712185241.4017-3-manfred@colorfullife.com Reported-by: syzbot+2827ef6b3385deb07eaf@syzkaller.appspotmail.com Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Kees Cook <keescook@chromium.org> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Davidlohr Bueso <dbueso@suse.de> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Michal Hocko <mhocko@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
|---|---|---|
| .. | ||
| ABI | ||
| accelerators | ||
| accounting | ||
| acpi | ||
| admin-guide | ||
| aoe | ||
| arm | ||
| arm64 | ||
| auxdisplay | ||
| backlight | ||
| block | ||
| blockdev | ||
| bpf | ||
| bus-devices | ||
| cdrom | ||
| cgroup-v1 | ||
| cma | ||
| connector | ||
| console | ||
| core-api | ||
| cpu-freq | ||
| cpuidle | ||
| crypto | ||
| dev-tools | ||
| device-mapper | ||
| devicetree | ||
| doc-guide | ||
| driver-api | ||
| driver-model | ||
| early-userspace | ||
| EDID | ||
| extcon | ||
| fault-injection | ||
| fb | ||
| features | ||
| filesystems | ||
| firmware_class | ||
| fmc | ||
| fpga | ||
| gpio | ||
| gpu | ||
| hid | ||
| hwmon | ||
| i2c | ||
| ia64 | ||
| ide | ||
| iio | ||
| infiniband | ||
| input | ||
| ioctl | ||
| isdn | ||
| kbuild | ||
| kdump | ||
| kernel-hacking | ||
| laptops | ||
| leds | ||
| lightnvm | ||
| livepatch | ||
| locking | ||
| m68k | ||
| maintainer | ||
| md | ||
| media | ||
| memory-devices | ||
| mic | ||
| mips | ||
| misc-devices | ||
| mmc | ||
| mtd | ||
| namespaces | ||
| netlabel | ||
| networking | ||
| nfc | ||
| nios2 | ||
| nvdimm | ||
| nvmem | ||
| openrisc | ||
| parisc | ||
| PCI | ||
| pcmcia | ||
| perf | ||
| phy | ||
| platform | ||
| power | ||
| powerpc | ||
| pps | ||
| process | ||
| pti | ||
| ptp | ||
| rapidio | ||
| RCU | ||
| riscv | ||
| s390 | ||
| scheduler | ||
| scsi | ||
| security | ||
| serial | ||
| sh | ||
| sound | ||
| sparc | ||
| sphinx | ||
| sphinx-static | ||
| spi | ||
| sysctl | ||
| target | ||
| thermal | ||
| timers | ||
| trace | ||
| translations | ||
| usb | ||
| userspace-api | ||
| virtual | ||
| vm | ||
| w1 | ||
| watchdog | ||
| wimax | ||
| x86 | ||
| xtensa | ||
| .gitignore | ||
| 00-INDEX | ||
| atomic_bitops.txt | ||
| atomic_t.txt | ||
| bt8xxgpio.txt | ||
| btmrvl.txt | ||
| bus-virt-phys-mapping.txt | ||
| Changes | ||
| clearing-warn-once.txt | ||
| CodingStyle | ||
| conf.py | ||
| cpu-load.txt | ||
| cputopology.txt | ||
| crc32.txt | ||
| dcdbas.txt | ||
| debugging-modules.txt | ||
| debugging-via-ohci1394.txt | ||
| dell_rbu.txt | ||
| digsig.txt | ||
| DMA-API-HOWTO.txt | ||
| DMA-API.txt | ||
| DMA-attributes.txt | ||
| DMA-ISA-LPC.txt | ||
| docutils.conf | ||
| dontdiff | ||
| efi-stub.txt | ||
| eisa.txt | ||
| flexible-arrays.txt | ||
| futex-requeue-pi.txt | ||
| gcc-plugins.txt | ||
| highuid.txt | ||
| hw_random.txt | ||
| hwspinlock.txt | ||
| index.rst | ||
| Intel-IOMMU.txt | ||
| intel_txt.txt | ||
| io-mapping.txt | ||
| io_ordering.txt | ||
| iostats.txt | ||
| IPMI.txt | ||
| IRQ-affinity.txt | ||
| IRQ-domain.txt | ||
| IRQ.txt | ||
| irqflags-tracing.txt | ||
| isa.txt | ||
| isapnp.txt | ||
| kernel-per-CPU-kthreads.txt | ||
| kobject.txt | ||
| kprobes.txt | ||
| kref.txt | ||
| ldm.txt | ||
| lockup-watchdogs.txt | ||
| logo.gif | ||
| logo.txt | ||
| lsm.txt | ||
| lzo.txt | ||
| mailbox.txt | ||
| Makefile | ||
| memory-barriers.txt | ||
| memory-hotplug.txt | ||
| men-chameleon-bus.txt | ||
| nommu-mmap.txt | ||
| ntb.txt | ||
| numastat.txt | ||
| padata.txt | ||
| parport-lowlevel.txt | ||
| percpu-rw-semaphore.txt | ||
| phy.txt | ||
| pi-futex.txt | ||
| pnp.txt | ||
| preempt-locking.txt | ||
| pwm.txt | ||
| rbtree.txt | ||
| remoteproc.txt | ||
| rfkill.txt | ||
| robust-futex-ABI.txt | ||
| robust-futexes.txt | ||
| rpmsg.txt | ||
| rtc.txt | ||
| SAK.txt | ||
| sgi-ioc4.txt | ||
| siphash.txt | ||
| SM501.txt | ||
| smsc_ece1099.txt | ||
| speculation.txt | ||
| static-keys.txt | ||
| SubmittingPatches | ||
| svga.txt | ||
| switchtec.txt | ||
| sync_file.txt | ||
| tee.txt | ||
| this_cpu_ops.txt | ||
| unaligned-memory-access.txt | ||
| vfio-mediated-device.txt | ||
| vfio.txt | ||
| video-output.txt | ||
| xillybus.txt | ||
| xz.txt | ||
| zorro.txt | ||
