This fixes a race in shmat() between finding the msq and actually attaching the segment, as another thread can delete shmid underneath us if we are preempted before acquiring the kern_ipc_perm.lock.
Reported-by: Manfred Spraul <manf...@colorfullife.com> Signed-off-by: Davidlohr Bueso <davidl...@hp.com> --- ipc/shm.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ipc/shm.c b/ipc/shm.c index bc3e897..1afde7e 100644 --- a/ipc/shm.c +++ b/ipc/shm.c @@ -1093,6 +1093,14 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr, goto out_unlock; ipc_lock_object(&shp->shm_perm); + + /* have we raced with RMID? */ + if (shp->shm_perm.deleted) { + err = -EIDRM; + ipc_unlock_object(&shp->shm_perm); + goto out_unlock; + } + err = security_shm_shmat(shp, shmaddr, shmflg); if (err) { ipc_unlock_object(&shp->shm_perm); -- 1.7.11.7
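Review bot: the comment on the new check in do_shmat(), "have we raced with RMID?", does not say why the test has to sit after ipc_lock_object(&shp->shm_perm), and that ordering is the whole fix. Please expand it to state that shp was looked up without kern_ipc_perm.lock held, so shm_perm.deleted is only trustworthy once the lock is taken, and that it must be tested before security_shm_shmat() or anything else touches the segment. The new -EIDRM branch also repeats the ipc_unlock_object(&shp->shm_perm) call that the security_shm_shmat() error branch directly below it makes; a shared unlock label would keep the two exits from drifting apart. Separately, the changelog says "finding the msq" while the hunk is in ipc/shm.c and operates on shp, so the wording should refer to the shm segment.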