summaryrefslogtreecommitdiffstats
path: root/ipc/syscall.c
diff options
context:
space:
mode:
authorKirill A. Shutemov <kirill.shutemov@linux.intel.com>2016-02-17 13:11:35 -0800
committerLinus Torvalds <torvalds@linux-foundation.org>2016-02-18 16:23:24 -0800
commit1ac0b6dec656f3f78d1c3dd216fad84cb4d0a01e (patch)
tree18e90253e636c98a801e30f022c650696f4b8926 /ipc/syscall.c
parent64f00850011b834746bab94119d1d5eb7eabb19a (diff)
downloadlinux-stable-1ac0b6dec656f3f78d1c3dd216fad84cb4d0a01e.tar.gz
linux-stable-1ac0b6dec656f3f78d1c3dd216fad84cb4d0a01e.tar.bz2
linux-stable-1ac0b6dec656f3f78d1c3dd216fad84cb4d0a01e.zip
ipc/shm: handle removed segments gracefully in shm_mmap()
remap_file_pages(2) emulation can reach file which represents removed IPC ID as long as a memory segment is mapped. It breaks expectations of IPC subsystem. Test case (rewritten to be more human readable, originally autogenerated by syzkaller[1]): #define _GNU_SOURCE #include <stdlib.h> #include <sys/ipc.h> #include <sys/mman.h> #include <sys/shm.h> #define PAGE_SIZE 4096 int main() { int id; void *p; id = shmget(IPC_PRIVATE, 3 * PAGE_SIZE, 0); p = shmat(id, NULL, 0); shmctl(id, IPC_RMID, NULL); remap_file_pages(p, 3 * PAGE_SIZE, 0, 7, 0); return 0; } The patch changes shm_mmap() and code around shm_lock() to propagate locking error back to caller of shm_mmap(). [1] http://github.com/google/syzkaller Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Reported-by: Dmitry Vyukov <dvyukov@google.com> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Manfred Spraul <manfred@colorfullife.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'ipc/syscall.c')
0 files changed, 0 insertions, 0 deletions