git.ipfire.org Git - thirdparty/kernel/stable.git/commit
ipc/shm: handle removed segments gracefully in shm_mmap()
author    Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
          Wed, 17 Feb 2016 21:11:35 +0000 (13:11 -0800)
committer Sasha Levin <sasha.levin@oracle.com>
          Fri, 4 Mar 2016 15:25:45 +0000 (10:25 -0500)
commit    5d0e8394db90caa6d06477f68cbdb48fe65f468d
tree      e6703b325ac3965900bdc4c3cea9cd19082cbd5a
parent    6e82212c489fcdc50446bff12bd1ed5e8ef110a2
ipc/shm: handle removed segments gracefully in shm_mmap()

[ Upstream commit 15db15e2f10ae12d021c9a2e9edd8a03b9238551 ]

commit 1ac0b6dec656f3f78d1c3dd216fad84cb4d0a01e upstream.

remap_file_pages(2) emulation can reach a file which represents a removed
IPC ID as long as a memory segment is mapped.  It breaks expectations of
the IPC subsystem.

Test case (rewritten to be more human readable, originally autogenerated
by syzkaller[1]):

#define _GNU_SOURCE
#include <stdlib.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>

#define PAGE_SIZE 4096

int main()
{
	int id;
	void *p;

	/* create a private 3-page segment and attach it */
	id = shmget(IPC_PRIVATE, 3 * PAGE_SIZE, 0);
	p = shmat(id, NULL, 0);
	/* mark the segment for removal; it stays alive only while attached */
	shmctl(id, IPC_RMID, NULL);
	/* remap the still-mapped range, which re-enters shm_mmap() for the removed ID */
	remap_file_pages(p, 3 * PAGE_SIZE, 0, 7, 0);

	return 0;
}

The patch changes shm_mmap() and the code around shm_lock() to propagate
the locking error back to the caller of shm_mmap().

[1] http://github.com/google/syzkaller

Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
ipc/shm.c