www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Thomas Gleixner <tglx@linutronix.de>
	Tue, 31 Jan 2017 14:24:03 +0000 (15:24 +0100)
committer	Chuck Anderson <chuck.anderson@oracle.com>
	Fri, 6 Oct 2017 03:39:39 +0000 (20:39 -0700)
commit	5c323963628cafd83a2848c35a566f2addc09712
tree	09f784a014042b42dcac69a729b4bab61e8b0900	tree
parent	275f8cb025b32be82b2f6bb35dc15948892c5edd	commit \| diff

timerfd: Protect the might cancel mechanism proper

The handling of the might_cancel queueing is not properly protected, so
parallel operations on the file descriptor can race with each other and
lead to list corruptions or use after free.

Protect the context for these operations with a seperate lock.

The wait queue lock cannot be reused for this because that would create a
lock inversion scenario vs. the cancel lock. Replacing might_cancel with an
atomic (atomic_t or atomic bit) does not help either because it still can
race vs. the actual list operation.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: "linux-fsdevel@vger.kernel.org"
Cc: syzkaller <syzkaller@googlegroups.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1701311521430.3457@nanos
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
(cherry picked from commit 1e38da300e1e395a15048b0af1e5305bd91402f6)

Orabug: 26673877
CVE: CVE-2017-10661

Signed-off-by: Tim Tianyang Chen <tianyang.chen@oracle.com>
Reviewed-by: Jack Vogel <jack.vogel@oracle.com>