[PATCH 2/4] ipc,shm: prevent race with rmid in shmat(2)

From: Davidlohr Bueso
Date: Sun Sep 15 2013 - 23:06:03 EST


This fixes a race in shmat() between finding the msq and
actually attaching the segment, as another thread can delete shmid
underneath us if we are preempted before acquiring the kern_ipc_perm.lock.

Reported-by: Manfred Spraul <manfred@xxxxxxxxxxxxxxxx>
Signed-off-by: Davidlohr Bueso <davidlohr@xxxxxx>
---
ipc/shm.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/ipc/shm.c b/ipc/shm.c
index bc3e897..1afde7e 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -1093,6 +1093,14 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
goto out_unlock;

ipc_lock_object(&shp->shm_perm);
+
+ /* have we raced with RMID? */
+ if (shp->shm_perm.deleted) {
+ err = -EIDRM;
+ ipc_unlock_object(&shp->shm_perm);
+ goto out_unlock;
+ }
+
err = security_shm_shmat(shp, shmaddr, shmflg);
if (err) {
ipc_unlock_object(&shp->shm_perm);
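Review bot: the new deleted-check and the existing security_shm_shmat() failure path now carry two identical copies of `ipc_unlock_object(&shp->shm_perm); goto out_unlock;`; consider a single error label (for example a hypothetical `out_unlock_object:` that drops the object lock and falls through to `out_unlock`) so both paths share one unlock sequence. The ordering itself looks right: `shm_perm.deleted` is read only after `ipc_lock_object(&shp->shm_perm)` succeeds, which is what closes the window described in the commit message where an RMID can land between the lookup and the lock; returning -EIDRM matches what a caller would see for an already-removed segment. Minor: the commit message says "finding the msq" where this path deals with a shm segment.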
--
1.7.11.7
