android_kernel_google_msm/ipc
Hugh Dickins 353d5c30c6 mm: fix hugetlb bug due to user_shm_unlock call
2.6.30's commit 8a0bdec194 removed
user_shm_lock() calls in hugetlb_file_setup() but left the
user_shm_unlock call in shm_destroy().

In detail:
Assume that can_do_hugetlb_shm() returns true and hence user_shm_lock()
is not called in hugetlb_file_setup(). However, user_shm_unlock() is
called in any case in shm_destroy() and in the following
atomic_dec_and_lock(&up->__count) in free_uid() is executed and if
up->__count gets zero, also cleanup_user_struct() is scheduled.

Note that sched_destroy_user() is empty if CONFIG_USER_SCHED is not set.
However, the ref counter up->__count gets unexpectedly non-positive and
the corresponding structs are freed even though there are live
references to them, resulting in a kernel oops after a lots of
shmget(SHM_HUGETLB)/shmctl(IPC_RMID) cycles and CONFIG_USER_SCHED set.

Hugh changed Stefan's suggested patch: can_do_hugetlb_shm() at the
time of shm_destroy() may give a different answer from at the time
of hugetlb_file_setup().  And fixed newseg()'s no_id error path,
which has missed user_shm_unlock() ever since it came in 2.6.9.

Reported-by: Stefan Huber <shuber2@gmail.com>
Signed-off-by: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Tested-by: Stefan Huber <shuber2@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-08-24 12:53:01 -07:00
..
compat.c
compat_mq.c
ipc_sysctl.c proc_sysctl: use CONFIG_PROC_SYSCTL around ipc and utsname proc_handlers 2009-04-02 19:05:01 -07:00
ipcns_notifier.c
Makefile namespaces: mqueue namespace: adapt sysctl 2009-04-07 08:31:09 -07:00
mq_sysctl.c namespaces: move get_mq() inside #ifdef CONFIG_SYSCTL 2009-04-13 15:04:29 -07:00
mqueue.c integrity: ima mq_open imbalance msg fix 2009-06-29 08:56:46 +10:00
msg.c [CVE-2009-0029] System call wrappers part 24 2009-01-14 14:15:28 +01:00
msgutil.c namespaces: ipc namespaces: implement support for posix msqueues 2009-04-07 08:31:09 -07:00
namespace.c ipcns: make free_ipc_ns() static 2009-06-18 13:03:56 -07:00
sem.c rculist: use list_entry_rcu in places where it's appropriate 2009-04-15 12:05:25 +02:00
shm.c mm: fix hugetlb bug due to user_shm_unlock call 2009-08-24 12:53:01 -07:00
util.c namespaces: mqueue ns: move mqueue_mnt into struct ipc_namespace 2009-04-07 08:31:09 -07:00
util.h ipc: unbreak 32-bit shmctl/semctl/msgctl 2009-06-21 12:48:43 -07:00