From: Greg Kroah-Hartman Date: Fri, 28 Mar 2014 17:29:58 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.4.85~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f4a405a3b6dc8b93c6fdb1de40f4071722100bff;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: ipc-msg-fix-race-around-refcount.patch --- diff --git a/queue-3.4/ipc-msg-fix-race-around-refcount.patch b/queue-3.4/ipc-msg-fix-race-around-refcount.patch new file mode 100644 index 00000000000..79bb70c837c --- /dev/null +++ b/queue-3.4/ipc-msg-fix-race-around-refcount.patch 
@@ -0,0 +1,65 @@ +From k.khlebnikov@samsung.com Fri Mar 28 10:23:19 2014 +From: Konstantin Khlebnikov +Date: Wed, 26 Mar 2014 14:12:19 +0400 +Subject: ipc/msg: fix race around refcount +To: linux-kernel@vger.kernel.org +Cc: Andrew Morton , stable@vger.kernel.org +Message-ID: <20140326101218.11221.74072.stgit@buzz> + +From: Konstantin Khlebnikov + +[fixed differently in 6062a8dc0517bce23e3c2f7d2fea5e22411269a3 upstream.] + +In older kernels (before v3.10) ipc_rcu_hdr->refcount was non-atomic int. +There was possuble double-free bug: do_msgsnd() calls ipc_rcu_putref() under +msq->q_perm->lock and RCU, while freequeue() calls it while it holds only +'rw_mutex', so there is no sinchronization between them. Two function +decrements '2' non-atomically, they both can get '0' as result. + +do_msgsnd() freequeue() + +msq = msg_lock_check(ns, msqid); +... +ipc_rcu_getref(msq); +msg_unlock(msq); +schedule(); + (caller locks spinlock) + expunge_all(msq, -EIDRM); + ss_wakeup(&msq->q_senders, 1); + msg_rmid(ns, msq); + msg_unlock(msq); +ipc_lock_by_ptr(&msq->q_perm); +ipc_rcu_putref(msq); ipc_rcu_putref(msq); +< both may get get --(...)->refcount == 0 > + +This patch locks ipc_lock and RCU around ipc_rcu_putref in freequeue. +( RCU protects memory for spin_unlock() ) + +Similar bugs might be in other users of ipc_rcu_putref(). + +In the mainline this has been fixed in v3.10 indirectly in commmit +6062a8dc0517bce23e3c2f7d2fea5e22411269a3 +("ipc,sem: fine grained locking for semtimedop") by Rik van Riel. +That commit optimized locking and converted refcount into atomic. + +I'm not sure that anybody should care about this bug: it's very-very unlikely +and no longer exists in actual mainline. I've found this just by looking into +the code, probably this never happens in real life. 
+ +Signed-off-by: Konstantin Khlebnikov +--- + ipc/msg.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/ipc/msg.c ++++ b/ipc/msg.c +@@ -296,7 +296,9 @@ static void freeque(struct ipc_namespace + } + atomic_sub(msq->q_cbytes, &ns->msg_bytes); + security_msg_queue_free(msq); ++ ipc_lock_by_ptr(&msq->q_perm); + ipc_rcu_putref(msq); ++ ipc_unlock(&msq->q_perm); + } + + /* diff --git a/queue-3.4/series b/queue-3.4/series index 68f3c9cc266..e3558a64332 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -10,3 +10,4 @@ input-elantech-improve-clickpad-detection.patch kvm-mmu-handle-invalid-root_hpa-at-__direct_map.patch kvm-vmx-fix-use-after-free-of-vmx-loaded_vmcs.patch xhci-fix-resume-issues-on-renesas-chips-in-samsung-laptops.patch +ipc-msg-fix-race-around-refcount.patch
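Review bot: the description names the racing function "freequeue()" but the hunk context line reads "static void freeque(struct ipc_namespace", so the commit message should use the real name freeque() in both the prose and the interleaved call trace, otherwise anyone grepping the tree for the described race will not find it. The same text has several spelling slips ("possuble", "sinchronization", "commmit", "get get") that are worth cleaning up before this lands in the stable queue, and the sentence "Similar bugs might be in other users of ipc_rcu_putref()" should either name which callers were checked or be dropped, since a stable backport that advertises known-but-unaudited siblings invites follow-up questions.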
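Review bot: in the ipc/msg.c hunk, "ipc_unlock(&msq->q_perm);" runs after "ipc_rcu_putref(msq);", and that putref is the one expected to drop the last reference, so on its face the unlock dereferences an object that was just released. The change is only sound because ipc_lock_by_ptr() takes the RCU read lock and the free path in ipc_rcu_putref() defers the actual release past the grace period, which the description states in the line "( RCU protects memory for spin_unlock() )". That reasoning belongs in the code, not only in the changelog; a comment such as "/* ipc_lock_by_ptr() holds rcu_read_lock(), so msq stays valid for the unlock below even after the final putref */" above the new ipc_lock_by_ptr() call would stop the next reader from flagging this as a use-after-free. It would also help to note why this divergence from the upstream fix (6062a8dc0517bce23e3c2f7d2fea5e22411269a3, which made the refcount atomic) was chosen for 3.4, since the "[fixed differently ... upstream.]" marker alone does not say.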