projects / GitHub / moto-9609 / android_kernel_motorola_exynos9610.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ec1882a)
ipc/msg.c: Fix lost wakeup in msgsnd().
authorManfred Spraul <manfred@colorfullife.com>
Tue, 3 Sep 2013 14:00:08 +0000 (16:00 +0200)
committerLinus Torvalds <torvalds@linux-foundation.org>
Tue, 3 Sep 2013 17:42:56 +0000 (10:42 -0700)
The check if the queue is full and adding current to the wait queue of
pending msgsnd() operations (ss_add()) must be atomic.

Otherwise:
 - the thread that performs msgsnd() finds a full queue and decides to
   sleep.
 - the thread that performs msgrcv() first reads all messages from the
   queue and then sleeps, because the queue is empty.
 - the msgrcv() calls do not perform any wakeups, because the msgsnd()
   task has not yet called ss_add().
 - then the msgsnd()-thread first calls ss_add() and then sleeps.

Net result: msgsnd() and msgrcv() both sleep forever.

Observed with msgctl08 from ltp with a preemptible kernel.

Fix: Call ipc_lock_object() before performing the check.

The patch also moves security_msg_queue_msgsnd() under ipc_lock_object:
 - msgctl(IPC_SET) explicitely mentions that it tries to expunge any
   pending operations that are not allowed anymore with the new
   permissions.  If security_msg_queue_msgsnd() is called without locks,
   then there might be races.
 - it makes the patch much simpler.

Reported-and-tested-by: Vineet Gupta <Vineet.Gupta1@synopsys.com>
Acked-by: Rik van Riel <riel@redhat.com>
Cc: stable@vger.kernel.org # for 3.11
Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
ipc/msg.c patch | blob | blame | history

diff --git a/ipc/msg.c b/ipc/msg.c
index 9f29d9e89bac578a33f1f5c97e41e10f0f1d6403..b65fdf1a09dd1f81b32731bfa2fcb455389ea63c 100644 (file)
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -680,16 +680,18 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
                goto out_unlock1;
        }
 
+       ipc_lock_object(&msq->q_perm);
+
        for (;;) {
                struct msg_sender s;
 
                err = -EACCES;
                if (ipcperms(ns, &msq->q_perm, S_IWUGO))
-                       goto out_unlock1;
+                       goto out_unlock0;
 
                err = security_msg_queue_msgsnd(msq, msg, msgflg);
                if (err)
-                       goto out_unlock1;
+                       goto out_unlock0;
 
                if (msgsz + msq->q_cbytes <= msq->q_qbytes &&
                                1 + msq->q_qnum <= msq->q_qbytes) {
@@ -699,10 +701,9 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
                /* queue full, wait: */
                if (msgflg & IPC_NOWAIT) {
                        err = -EAGAIN;
-                       goto out_unlock1;
+                       goto out_unlock0;
                }
 
-               ipc_lock_object(&msq->q_perm);
                ss_add(msq, &s);
 
                if (!ipc_rcu_getref(msq)) {
@@ -730,10 +731,7 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
                        goto out_unlock0;
                }
 
-               ipc_unlock_object(&msq->q_perm);
        }
-
-       ipc_lock_object(&msq->q_perm);
        msq->q_lspid = task_tgid_vnr(current);
        msq->q_stime = get_seconds();